Risks Digest

Discussion in 'Gator Bytes' started by LakeGator, Apr 25, 2015.

    Risks Digest 31.30

    RISKS List Owner

    Jun 21, 2019 4:58 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 21 June 2019 Volume 31 : Issue 30

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Pilots fret over fire safety of Dreamliner planes, also used by El AL
    (The Times of Israel)
    Top AI researchers race to detect deepfake videos: ``We are outgunned.''
    (Drew Harwell)
    Zuckerfake (Vice)
    Hackers behind dangerous oil and gas intrusions are probing US power grid
    (Ars Technica)
    Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters (NYTimes)
    Auto-renting bugs (Amos Shapir)
    Google: Our way or the Huawei! (Henry Baker)
    Android/iPhone fun -- security, risks...(ToI and UK Mirror)
    New security warning issued for Google's 1.5B Gmail/Calendar Users (Forbes)
    How spammers use Google services (Kaspersky)
    This 'most dangerous' hacking group is now probing power grids
    (Steve Ranger)
    Masters ticket lottery scheme involved identity theft, millions of emails
    (WashPost)
    Facial Recognition: How Emotion Reading Software Will Change Driving
    (Fortune)
    DJI's New Drone for Kids Is a $500 Tank That Fires Lasers and Pellets
    (Bloomberg)
    Your Cadillac Can Now Drive Itself More Places (WiReD)
    Four Ways to Avoid Facial Recognition Online and in Public (Gabe Goldberg)
    Breaking ground, IBM Haifa team holds live robot debate fed by crowd
    arguments (The Times of Israel)
    Apple spent $10,000 repairing his MacBook Pro. There was nothing wrong
    with it. (ZDNet)
    Autonomous vehicles don't need provisions and protocols? (Rob Slade)
    Info stealing Android apps can grab one time passwords to evade 2FA
    protections (ZDNet)
    Facebook Plans Global Financial System Based on Cryptocurrency (NYTimes)
    Libra (Rob Slade)
    Porn trolling mastermind Paul Hansmeier gets 14 years in prison.
    (Ars Technica)
    Mudslide warning system depends on proper boundary file (Dan Jacobson)
    Mom used phone tracking app after daughter missed curfew, found her
    pinned under car 7 hours later (FoxNews)
    In Stores, Secret Surveillance Tracks Your Every Move (NYTimes)
    Was your flight delay due to an IT outage? What a new report on
    airline IT tells us. (ZDNet)
    Patients frustrated over computer system outage at Abrazo Health Hospitals
    (AZFamily)
    Power outage at Greensboro apartments has unintended consequence,
    reveals alleged Medicaid scheme (Monty Solomon)
    Is Target still down? Chain says registers working now after outage.
    (USA Today)
    Instagram Outage Follows Disruption To PlayStation Network (Deadline)
    The PlayStation Network Is Back Up. Here's the Latest on the PSN Outage
    (Digital Trends)
    In the Wiggle of an Ear, a Surprising Insight into Bat Sonar
    (Scientific American)
    'RAMBleed' Rowhammer attack can now steal data, not just alter it (ZDNet)
    Ransomware halts production for days at major airplane parts manufacturer
    (Catalin Cimpanu)
    Study finds that a GPS outage would cost $1 billion per day (Ars Technica)
    Re: GPS Degraded Across Much of U.S (jared gottlieb)
    Did I Tweet that? (Rob Slade)
    Bull and backdoors (Rob Slade)
    Ross Anderson's non-visa (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 17 Jun 2019 15:21:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Pilots fret over fire safety of Dreamliner planes, also used by
    El AL (The Times of Israel)

    Airline pilots have expressed concern over the safety of the Boeing 787
    Dreamliner aircraft after an engine firefighting system was found to be
    faulty. ...

    However, the Federal Aviation Administration (FAA) is not grounding 787s
    even though it says the switch presents a `risk to the flying public'. ...

    ``If there was an engine fire on a transatlantic flight and the aircraft had
    one of the defective fire switches, then we would have to fly with a burning
    wing for up to three hours before we could safely land,'' a British airline
    pilot, who was not identified, told the Observer. ...

    The US aircraft manufacturing giant said less than 1 percent of the switches
    have failed and that it is assisting airlines in dealing with the issue. ...

    ``Engine fires are a very unlikely event and there have been no observed
    engine fires in the 787 fleet history,'' the spokesperson said.

    Pilots fret over fire safety of Dreamliner planes, also used by El AL — report

    Oh, OK then.

    ------------------------------

    Date: June 14, 2019 at 4:09:14 AM GMT+9
    From: Richard Forno <rfo...@infowarrior.org>
    Subject: Top AI researchers race to detect deepfake videos: ``We are outgunned.''
    (Drew Harwell)

    Drew Harwell, WashPost, 12 Jun 2019
    https://www.washingtonpost.com/tech...race-detect-deepfake-videos-we-are-outgunned/

    Top artificial-intelligence researchers across the country are racing to
    defuse an extraordinary political weapon: computer-generated fake videos
    that could undermine candidates and mislead voters during the 2020
    presidential campaign.

    And they have a message: We're not ready.

    The researchers have designed automatic systems that can analyze videos for
    the telltale indicators of a fake, assessing light, shadows, blinking
    patterns -- and, in one potentially groundbreaking method, even how a
    candidate's real-world facial movements -- such as the angle
    they tilt their head when they smile -- relate to one another.

    But for all that progress, the researchers say they remain vastly
    overwhelmed by a technology they fear could herald a damaging new wave of
    disinformation campaigns, much in the same way fake news stories and
    deceptive Facebook groups were deployed to influence public opinion during
    the 2016 election.

    Powerful new AI software has effectively democratized the creation of
    convincing deepfake videos, making it easier than ever to fabricate someone
    appearing to say or do something they didn't really do, from harmless
    satires and film tweaks to targeted harassment and deepfake porn.

    And researchers fear it's only a matter of time before the videos
    are deployed for maximum damage -- to sow confusion, fuel doubt or undermine
    an opponent, potentially on the eve of a White House vote.

    ------------------------------

    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Date: Thu, 13 Jun 2019 03:52:31 -0700
    Subject: Zuckerfake (Vice)

    *A fake video of Mark Zuckerberg giving a sinister speech about the power
    of Facebook has been posted to Instagram. The company previously said it
    would not remove this type of video.*

    EXCERPT:

    Two artists and an advertising company created a deepfake of Facebook
    founder Mark Zuckerberg saying things he never said, and uploaded it to
    Instagram.

    The video, created by artists Bill Posters and Daniel Howe in partnership
    with advertising company Canny, shows Mark Zuckerberg sitting at a desk,
    seemingly giving a sinister speech about Facebook's power. The video is
    framed with broadcast chyrons that say ``We're increasing transparency on
    ads,'' to make it look like it's part of a news segment...

    This Deepfake of Mark Zuckerberg Tests Facebook’s Fake Video Policies

    ------------------------------

    Date: Sun, 16 Jun 2019 01:02:20 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hackers behind dangerous oil and gas intrusions are probing US power grid
    (Ars Technica)

    Hackers behind dangerous oil and gas intrusions are probing US power grids

    ------------------------------

    Date: Sun, 16 Jun 2019 00:30:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters
    (NYTimes)

    Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters

    An attack against the messaging app Telegram and the arrest of a user show how the Hong Kong clash is unfolding digitally, with growing sophistication on both sides.

    ------------------------------

    Date: Fri, 14 Jun 2019 09:10:22 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Auto-renting bugs

    The city of Tel Aviv operates an in-city car renting service named Autotel
    <www.autotel.co.il> controlled by a smartphone application. Users download
    the application and register a credit card; then they can locate a car
    nearby and reserve it for up to 15 minutes. When reaching the car, the
    application is used to unlock the car (the keys are inside); and then to
    lock it at the end of the trip.

    The following tweet by a poster identified as "Nur Lan", has been making
    the rounds lately (my translation): "I reserved a car in the application,
    and after a long walk discovered that the car is not parked where it was
    supposed to be on the map. While looking around, I noticed that the
    application indicates that the car is in motion for the past few minutes.
    So I pressed "end trip"; a minute later I got a call from Autotel: "We do
    not know how it had happened, but someone else took the car on your
    reservation, and now he called in to complain that the engine had turned
    off in the middle of the trip"

    The tweet continues "There are two reasons this is a case of glorious
    misconduct: The first bug, which enables one user to collect another user's
    reservation, is mainly stupid. The second bug, which enables shutting down
    the engine remotely, is negligence which might be lethal. There should be
    no way to shut down an engine remotely, certainly not by a user's
    application".

    "I received a compensation of 20 shekels [about $5.50] for the taxi trip. I
    hope that the other driver's compensation had made his near-death
    experience more profitable".

    There were reports lately of similar occurrences being possible on some
    smart car models, but these at least required hacking the car's system
    first!

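    The two failures in the tweet above correspond to two missing server-side checks: every command must be authorized against the reservation or trip holder of that specific car, and a trip-ending command must never be able to reach a moving vehicle's engine. The following is an added illustration and is not Autotel's code; the service, its data model and the state names are assumptions made for this example.

```python
"""Reservation-bound authorization plus a motion interlock for a car-sharing
backend. Constructed illustration, not Autotel's code; everything here is assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class VehicleState(Enum):
    PARKED = "parked"      # locked, engine off
    UNLOCKED = "unlocked"  # doors open, engine off, bound to a trip holder
    MOVING = "moving"      # engine on, speed > 0

class Denied(Exception):
    """A command failed authorization or a safety interlock."""

@dataclass
class Vehicle:
    car_id: str
    state: VehicleState = VehicleState.PARKED
    speed_kph: float = 0.0
    holder: Optional[str] = None  # user bound to the car once a trip starts

class CarSharing:
    RESERVATION_SECONDS = 15 * 60  # the 15-minute hold described in the item

    def __init__(self, now: Callable[[], float]):
        self.now = now
        self.cars: Dict[str, Vehicle] = {}
        self.reservations: Dict[str, Tuple[str, float]] = {}  # car -> (user, expiry)

    def reserve(self, user_id: str, car_id: str) -> None:
        car = self.cars[car_id]
        held = self.reservations.get(car_id)
        if car.holder is not None or (held and held[1] > self.now()):
            raise Denied("car already reserved or in use")
        self.reservations[car_id] = (user_id, self.now() + self.RESERVATION_SECONDS)

    def _authorize(self, user_id: str, car_id: str) -> Vehicle:
        """First check: the caller must hold this car's active trip or reservation."""
        car = self.cars[car_id]
        if car.holder is not None:
            if car.holder != user_id:
                raise Denied("not the trip holder")
            return car
        held = self.reservations.get(car_id)
        if held is None or held[0] != user_id:
            raise Denied("no reservation for this user on this car")
        if held[1] < self.now():
            raise Denied("reservation expired")
        return car

    def unlock(self, user_id: str, car_id: str) -> VehicleState:
        car = self._authorize(user_id, car_id)
        if car.state != VehicleState.PARKED:
            raise Denied("car is not parked")
        car.state = VehicleState.UNLOCKED
        car.holder = user_id  # bind the car to this user for the whole trip
        self.reservations.pop(car_id, None)
        return car.state

    def telemetry(self, car_id: str, speed_kph: float) -> None:
        # Speed report from the vehicle; the server derives motion state from it.
        car = self.cars[car_id]
        car.speed_kph = speed_kph
        if speed_kph > 0:
            car.state = VehicleState.MOVING
        elif car.state == VehicleState.MOVING:
            car.state = VehicleState.UNLOCKED

    def end_trip(self, user_id: str, car_id: str) -> VehicleState:
        car = self._authorize(user_id, car_id)
        # Second check: ending a trip only locks a stationary car; the app
        # command has no path to the engine while the vehicle reports motion.
        if car.state == VehicleState.MOVING or car.speed_kph > 0:
            raise Denied("vehicle in motion; end_trip refused")
        car.state = VehicleState.PARKED
        car.holder = None
        return car.state

def attempt(fn, *args) -> str:
    """Run a command and report 'allowed' or the reason it was refused."""
    try:
        fn(*args)
        return "allowed"
    except Denied as exc:
        return str(exc)

def scenario() -> Dict[str, str]:
    """Replay the sequence from the tweet against the checked service."""
    svc = CarSharing(now=lambda: 1000.0)
    svc.cars["car-1"] = Vehicle("car-1")
    svc.reserve("nur", "car-1")
    out = {"stranger_unlock": attempt(svc.unlock, "other", "car-1")}
    svc.unlock("nur", "car-1")
    svc.telemetry("car-1", 40.0)  # the car is on the road
    out["end_while_moving"] = attempt(svc.end_trip, "nur", "car-1")
    svc.telemetry("car-1", 0.0)   # stopped
    out["end_when_parked"] = attempt(svc.end_trip, "nur", "car-1")
    return out
```

    The point of the interlock is that the motion check lives in the backend state machine, not in the phone app: whatever the app sends, the only action a trip-ending request can produce is locking a car that has already reported zero speed.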
    ------------------------------

    Date: Wed, 12 Jun 2019 08:27:56 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Google: Our way or the Huawei!

    ``Google's recent discussions with the US government actually argue that the
    Huawei ban is bad for national security. Google is reportedly asking for an
    exemption from the export ban.''

    I asked Google Translate what to make of this Googledegook, and
    she provided several possibilities:

    ``Nice little Android monopoly you have there, Google; it would be a
    shame if anything happened to it.''

    ``NSA on Huawei's new OS plans: we're forked!''

    Report: Google argues the Huawei ban would hurt its Android monopoly

    Keep your friends close, and your enemies closer -- Report: Google argues
    the Huawei ban would hurt its Android monopoly Export ban would create a
    competitor to US operating systems, argues Google.

    Ron Amadeo - Jun 7, 2019 8:15 pm UTC

    The Trump administration would probably describe its Huawei export ban as a
    move that improves national security by keeping China's pet telecom company
    out of the US market. According to a report from The Financial Times,
    Google's recent discussions with the US government actually argue that the
    Huawei ban is bad for national security. Google is reportedly asking for an
    exemption from the export ban.

    The argument, reportedly, is that Huawei is currently dependent on Google
    for its Android smartphone software, and that dependence is a good thing for
    the US. The Financial Times quotes "one person with knowledge of the
    conversations" as saying, "Google has been arguing that by stopping it from
    dealing with Huawei, the US risks creating two kinds of Android operating
    system: the genuine version and a hybrid one. The hybrid one is likely to
    have more bugs in it than the Google one, and so could put Huawei phones
    more at risk of being hacked, not least by China.

    Today, non-Google Play versions of Android exist in China, but it's rare
    that any of them are significantly different from a Google version of
    Android beyond the pre-loaded app selection. Chinese manufacturers are
    still global smartphone distributors, so they all build Google-approved
    Android OSes for the non-Chinese market. What usually happens is that a
    single OS goes through the Google testing process, then it gets split into
    two versions. Internationally, it gets the Google Apps; in China, it gets a
    China-centric app selection.

    So while these Chinese Android OSes are still technically Android forks,
    because they don't ship with Google Play, they are not that different from
    Google-approved Android. Google's control over the Android ecosystem --
    even when devices don't use the Google apps -- means there is still some
    level of security and updatability going into these devices. Google's first
    argument in that Financial Times report is that more secure devices are
    better for national security.

    The second argument in the above quote is that a ban would `create two kinds
    of Android' and hurt Google's monopoly over Android. If you're a smartphone
    manufacturer looking for a smartphone OS, Android is the only game in town.
    The latest worldwide OS market share numbers from the IDC show an 86.6/13.3
    percent share between Android and iOS, respectively, with "Other" clocking
    in at 0.0 percent market share. Taken as a whole, the US has a smartphone
    OS monopoly.

    For companies that aren't Apple, it's Android or nothing, and Google
    controls Android, both the direction of the OS itself and the OS's app
    ecosystem. Weaning Huawei off its Google dependence would
    theoretically lead the company to create some kind of viable,
    China-powered, China-controlled Android operating system that would
    then be distributed to the rest of the world. Android is open source,
    so there's nothing stopping anyone from doing this now, but part of
    Google's control strategy is to create tools and updates that are so
    good that no one wants to compete with them. Cutting Huawei off from
    those updates would force that company to create a competitor.

    Banning Huawei from dealing with US companies is definitely a
    double-edged sword. Huawei would have a tough time building
    smartphones or an app ecosystem without the help of US-originated
    technology and app developers, but US hardware and software companies
    would lose access to the second largest smartphone maker in the world.

    Really, the two outcomes here, if the export ban holds up, are that
    either (1) Huawei can't handle the export ban and shuts down, like ZTE
    did, or (2) Huawei weathers the storm and rises as a rebuilt, fully US
    independent smartphone company. Google's argument is basically along
    the lines of that old saying, ``Keep your friends close and your
    enemies closer.''

    Ron Amadeo

    Ron is the Reviews Editor at Ars Technica, where he specializes in
    Android OS and Google products. He is always on the hunt for a new
    gadget and loves to rip things apart to see how they work.

    Email r...@arstechnica.com // Twitter @RonAmadeo

    Huawei's alternative OS said to be faster than Android, attracting the attention of other vendors


    Chris Hall | 12 June 2019

    ------------------------------

    Date: Mon, 17 Jun 2019 17:10:53 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Android/iPhone fun -- security, risks...(ToI and UK Mirror)

    Israeli tech company says it can break into all iPhones ever made, some
    Androids | The Times of Israel

    Israeli tech company says it can unlock all iPhones ever made, some Androids

    Android warning: Dangerous malware discovered pre-installed on THESE
    smartphones

    Dangerous malware discovered pre-installed on these Android smartphones

    ------------------------------

    Date: Sat, 15 Jun 2019 20:21:17 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: New security warning issued for Google's 1.5B Gmail/Calendar Users
    (Forbes)

    Google's Gmail email service is used by upwards of 1.5 billion
    people. The Google Calendar app, meanwhile, has been downloaded more
    than a billion times from the Play Store. Security researchers have
    this week warned that threat actors are exploiting the popularity of
    both in order to target users with a credential-stealing attack.
    Here's what you need to know.

    New Security Warning Issued For Google's 1.5 Billion Gmail And Calendar Users

    ------------------------------

    Date: Sat, 15 Jun 2019 20:22:08 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How spammers use Google services (Kaspersky)

    Kaspersky, 10 Jun 2019

    As you know, Google is not just a search tool, but multiple services used by
    billions of people every day: Gmail, Calendar, Google Drive, Google Photos,
    Google Translate, the list goes on. And they are all integrated with each
    other. Calendar is linked to Gmail, Gmail to Google Drive, Google Drive to
    Google Photos, and so on.

    It's all very handy -- register once and away you go. And there's no need to
    mess around moving files and data between services; Google does everything
    for you. The downside is that online fraudsters have learned to exploit the
    convenience of Google services to send spam or worse.

    How spammers use Google services

    ------------------------------

    Date: Tue, 18 Jun 2019 11:11:01 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "This 'most dangerous' hacking group is now probing power grids"
    (Steve Ranger)

    Steve Ranger, Cyberwar and the Future of Cybersecurity, 14 Jun 2019

    This 'most dangerous' hacking group is now probing power grids | ZDNet
    Hackers that tried to interfere with the safety systems of an industrial
    plant are now looking at power utilities too.

    opening text:

    A hacking group described as the 'most dangerous threat' to industrial
    systems has taken a close interest in power grids in the US and elsewhere,
    according to a security company.

    ------------------------------

    Date: Tue, 18 Jun 2019 16:02:55 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Masters ticket lottery scheme involved identity theft, millions of
    emails (WashPost)

    https://www.washingtonpost.com/spor...lottery-using-identity-theft-millions-emails/

    ------------------------------

    Date: Wed, 12 Jun 2019 15:10:49 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facial Recognition: How Emotion Reading Software Will Change Driving
    (Fortune)

    This will mean that automakers may come to build vehicles that may adjust
    comfort factors like heat, lighting, and entertainment based on visual cues
    from their individual occupants -- features that could be especially
    appealing as more autonomous cars hit the roads.

    ``It's really important technology not only have IQ, but lots of EQ too,''
    said el Kaliouby, speaking on Tuesday morning at Fortune's CEO Initiative in
    New York.

    She added that building empathy into machines is especially important given
    that humans use words for only 7% of their communications. The other 93%, el
    Kaliouby says, consists of vocal intonations, expression, and body language.

    http://fortune.com/2019/06/11/facial-recognition-cars/

    Car tweaking entertainment, heat, lighting (?!) is about as appealing as a
    visit from one of the bad Terminators.

    ------------------------------

    Date: Thu, 13 Jun 2019 03:51:26 -0700
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: DJI's New Drone for Kids Is a $500 Tank That Fires Lasers and Pellets
    (Bloomberg)

    *The king of quadcopters is betting on a build-your-own set to get
    students excited about robotics.*

    EXCERPT:

    DJI, the world's largest drone maker, has come down to Earth.

    On June 11, the company most closely associated with quadcopters plans to
    unveil a toaster-size robotic tank called the RoboMaster S1. Made of
    plastic and metal, it has four wheels, a rectangular base, and a gun turret
    that can swivel and fire lasers or tiny plastic pellets. Unlike DJI's
    flying drones, which do everything from taking pretty pictures to
    fertilizing fields, the RoboMaster is part teaching tool and part battle
    bot. The odd contraption ships as a kit that people must assemble, learning
    about robotics and software along the way.

    ``By doing the assembly process, you get to understand what each part is
    used for and what the principles are behind it,'' says Shuo Yang, one of the
    lead engineers. ``We want it to look like an interesting toy that then
    teaches basic programming and mechanical knowledge.'' Once built, the
    RoboMaster S1 can be used to blast away at other S1s during some good,
    old-fashioned at-home family combat...

    https://www.bloomberg.com/news/arti...master-s1-drone-tank-fires-lasers-and-pellets

    ------------------------------

    Date: Mon, 17 Jun 2019 23:05:42 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Your Cadillac Can Now Drive Itself More Places (WiReD)

    Cadillac Super Cruise, the luxury automaker's hands-off driver assistance
    system, will by the end of the year work on more than 200,000 miles of
    highway in the US and Canada, 35 percent more territory than it covered when
    it launched in 2017. The bulk of the new miles come from divided highways --
    the sort of road where Tesla's Autopilot system has suffered two
    high-profile deadly crashes, and where Cadillac's engineers are confident
    their system can do better.

    Super Cruise drivers -- the system is available only on the CT6 sedan, and
    is moving to the CT5 sedan next year -- have to trek to their dealer to get
    the software upgrade to take advantage of the newly added parts of the
    map. The process is free, and takes about an hour. After that, Cadillac will
    send out the updated maps via over-the-air software updates starting this
    summer and into the fall.

    https://www.wired.com/story/your-cadillac-can-now-drive-itself-more-places/

    Yum -- tasty updates over-the-air. What could go wrong?

    ------------------------------

    Date: Tue, 11 Jun 2019 16:06:51 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Four Ways to Avoid Facial Recognition Online and in Public

    1. Disabling Facial Recognition on Facebook

    2. Use FaceShield When Uploading Photos

    3. Use Hair and Makeup to Fool Facial Recognition

    4. Use Clothing to Distract Facial Recognition

    https://www.makeuseof.com/tag/avoid-facial-recognition/

    Pretty funny. Wait, not entirely...

    ------------------------------

    Date: Tue, 18 Jun 2019 17:00:26 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Breaking ground, IBM Haifa team holds live robot debate fed by
    crowd arguments (The Times of Israel)

    The tech, when commercialized, could help companies and governments collect
    opinions, make more informed decisions.

    https://www.timesofisrael.com/break...lds-live-robot-debate-fed-by-crowd-arguments/

    ...or deliberately/inadvertently biased decisions, or decisions that common
    sense would rule out. And, most likely, decisions that can't be explained.

    ------------------------------

    Date: Wed, 12 Jun 2019 09:52:58 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Apple spent $10,000 repairing his MacBook Pro. There was nothing
    wrong with it. (ZDNet)

    Apple spent $10,000 repairing his MacBook Pro. There was nothing wrong with it
    This may be the most absurd, convoluted Apple repair story you've ever heard.
    Chris Matyszczyk for Technically Incorrect | June 12, 2019
    https://www.zdnet.com/article/apple...-macbook-pro-there-was-nothing-wrong-with-it/

    selected text:

    Don't turn your screen brightness off. The Pro may go dark for a very long
    time.

    "So after losing about two weeks of my time, >$10,000 in Apple warranty
    repairs (two logic boards, new cables, and a complete replacement of a
    >$7,000 computer), troubleshooting input from several Apple Geniuses, level
    1 and 2 tech support from Apple Corporate, diagnostic tests at the Apple
    Store, and diagnostic tests twice at Apple's repair facility in Texas; what
    was the root issue?" says Benz, knowing how to hang a cliff hanger.

    He seems, you see, to be made of determined innards. He went to yet another
    Apple Genius and this one proved to be true to his moniker. Or, perhaps, he
    just stopped and thought a little longer than his fellow experts.

    You see, he diagnosed there was nothing wrong with Benz's MacBook Pro. The
    issue, if you want to call it that, was that the screen brightness was
    turned all the way off.

    ------------------------------

    Date: Fri, 14 Jun 2019 11:36:49 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Autonomous vehicles don't need provisions and protocols?

    I'm at a conference on "Smart Cities." Lots of verbiage on IoT, etc. Last
    speaker of the day is pontificating on all kinds of security and technology
    buzzwords. And, at one point, he says that cities have to work on protocols
    for the provision of "autonomous vehicles."

    Excuse me?

    I mean, there are all kinds of transport and transit systems, and some of
    them involve a lot of technology, and a number of them will need provisions
    and protocols. But ...

    What part of "autonomous" do you not understand? Autonomous means that it
    works by itself. It doesn't need your provision. It doesn't need your
    protocols. It is designed, as far as possible, to work by itself. That
    means your protocols are basically irrelevant.

    OK, you can design some regulatory protocols if you wish. But you are one
    city. Even if you are New York, you are a small part of the vehicle
    market. The manufacturers are going to build what they think will sell.
    Worldwide. If you want to create a regulatory protocol, fine. Just don't
    expect anyone to care, if it gets in the way of functions or sales.

    ------------------------------

    Date: Tue, 18 Jun 2019 11:32:01 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Info stealing Android apps can grab one time passwords to evade
    2FA protections" (ZDNet)

    https://www.zdnet.com/article/info-...ow-access-passwords-to-avoid-2fa-protections/

    Info stealing Android apps can grab one time passwords to evade 2FA protections
    Google restricted SMS controls. Hackers found a way around it.
    Charlie Osborne for Zero Day | 18 Jun 2019

    ------------------------------

    Date: Tue, 18 Jun 2019 11:07:26 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facebook Plans Global Financial System Based on Cryptocurrency
    (The New York Times)

    https://www.nytimes.com/2019/06/18/technology/facebook-cryptocurrency-libra.html

    News that sounds like a joke. WHAT could go wrong...

    ------------------------------

    Date: Tue, 18 Jun 2019 12:00:36 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Libra

    Facebook wants to start a cryptocurrency, and become your bank. Yes, that
    Facebook, the one that has proven to be so untrustworthy with all the data
    entrusted to it so far. Now you want to give it details on all your banking
    transactions and purchases? Besides, with most current cryptocurrency
    implementations, don't you get to "unmask" all the transactions if you own
    the whole blockchain? And who is going to own the whole Libra blockchain?

    Then there is the spin on this. Facebook is "doing good" with Libra,
    because almost two billion people don't have bank accounts, and with Libra,
    they can! (Only, if they don't have bank accounts now, how on earth are
    they going to put money into Libra, or get it out?)

    And, given that estimates for Bitcoin operation (let alone mining)
    approximates the power and carbon footprint of a medium-sized country, what
    is going to happen to global warming with Facebook pushing Libra to all of
    its mindless zombie hordes?

    OK, Libra is going to be a "stablecoin," and therefore mining isn't an
    issue, but how extensively has it been tested before you release it for
    trial by every hacker in the world? OK, yes, the major credit cards are on
    board (is SET coming back?), but is it really ready for prime time?

    ------------------------------

    Date: Sun, 16 Jun 2019 01:04:05 -0400
    From: Monty Solomon <mo...@roscom.com>

    Subject: Porn trolling mastermind Paul Hansmeier gets 14 years in prison.
    (Ars Technica)

    https://arstechnica.com/tech-policy...rmind-paul-hansmeier-gets-14-years-in-prison/

    ------------------------------

    Date: Sat, 15 Jun 2019 08:07:12 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Mudslide warning system depends on proper boundary file

    No matter how good a mudslide warning system is, if a government boundary
    file places cell towers in the wrong district, phones in district B will get
    warnings intended for district A, and phones in district A won't get any
    warnings at all.

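    An added example, not part of the original item, of the check a warning operator could run before trusting such a boundary file: each tower's coordinates are tested against the district polygons, and any tower whose claimed district disagrees with the polygon it actually sits in is flagged; a second function shows which towers would carry a district's warning as the file stands. The district polygons, tower coordinates and CSV layout are constructed for the example.

```python
"""Validate a tower-to-district boundary file against district polygons.
Constructed example: districts, tower coordinates and file layout are assumed."""
from typing import Dict, List, Optional, Tuple

Point = Tuple[float, float]

# Constructed district polygons as (lon, lat) vertices; two adjacent squares.
DISTRICTS: Dict[str, List[Point]] = {
    "A": [(0.0, 0.0), (10.0, 0.0), (10.0, 10.0), (0.0, 10.0)],
    "B": [(10.0, 0.0), (20.0, 0.0), (20.0, 10.0), (10.0, 10.0)],
}

# Constructed boundary file: T2 (really in A) is filed under B and
# T3 (really in B) is filed under A, the swap described in the item.
BOUNDARY_FILE = """\
tower_id,lon,lat,district
T1,2.0,3.0,A
T2,8.5,7.0,B
T3,12.0,4.0,A
T4,17.0,9.0,B
"""

def point_in_polygon(pt: Point, poly: List[Point]) -> bool:
    """Even-odd ray-casting test: cast a ray to +x and count edge crossings."""
    x, y = pt
    inside = False
    n = len(poly)
    for i in range(n):
        x1, y1 = poly[i]
        x2, y2 = poly[(i + 1) % n]
        if (y1 > y) != (y2 > y):  # edge straddles the ray's y
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside

def district_of(pt: Point) -> Optional[str]:
    """District whose polygon contains the point, or None if outside all."""
    for name, poly in DISTRICTS.items():
        if point_in_polygon(pt, poly):
            return name
    return None

def parse_boundary_file(text: str) -> List[Tuple[str, Point, str]]:
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rows.append((rec["tower_id"], (float(rec["lon"]), float(rec["lat"])), rec["district"]))
    return rows

def find_misassigned(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Towers whose claimed district differs from the polygon they sit in:
    {tower_id: (claimed, actual)}."""
    bad = {}
    for tower_id, pt, claimed in parse_boundary_file(text):
        actual = district_of(pt)
        if actual != claimed:
            bad[tower_id] = (claimed, actual)
    return bad

def towers_for_warning(text: str, district: str) -> List[str]:
    """Towers that would broadcast a warning for `district` as the file stands."""
    return [t for t, _pt, claimed in parse_boundary_file(text) if claimed == district]
```

    With the constructed file, a warning for district A is sent through T1 and T3, so phones near T3 (physically in B) receive it, while phones near T2 (physically in A) hear nothing, which is exactly the outcome the item describes. Running the geometric check on every file update catches the swap before a warning is ever issued.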
    ------------------------------

    Date: Sat, 15 Jun 2019 20:14:44 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Mom used phone tracking app after daughter missed curfew, found her
    pinned under car 7 hours later (FoxNews)

    http://www.fox13news.com/news/mom-u...rfew-found-her-pinned-under-car-7-hours-later

    ------------------------------

    Date: Sun, 16 Jun 2019 01:54:02 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: In Stores, Secret Surveillance Tracks Your Every Move (NYTimes)

    *As you shop, `beacons' are watching you, using hidden technology in your
    phone.*

    EXCERPT:

    Imagine you are shopping in your favorite grocery store. As you approach the
    dairy aisle, you are sent a push notification in your phone: 10% off your
    favorite yogurt! Click here to redeem your coupon. You considered buying
    yogurt on your last trip to the store, but you decided against it. How did
    your phone know?

    Your smartphone was tracking you. The grocery store got your location data
    and paid a shadowy group of marketers to use that information to target you
    with ads. Recent reports have noted how companies use data gathered from
    cell towers, ambient Wi-Fi, and GPS. But the location data industry has a
    much more precise, and unobtrusive, tool: Bluetooth beacons.

    These beacons are small, inobtrusive electronic devices that are hidden
    throughout the grocery store; an app on your phone that communicates with
    them informed the company not only that you had entered the building, but
    that you had lingered for two minutes in front of the low-fat Chobanis.

    Most location services use cell towers and GPS, but these technologies have
    limitations. Cell towers have wide coverage, but low location accuracy: An
    advertiser can think you are in Walgreens, but you're actually in McDonald's
    next door. GPS, by contrast, can be accurate to a radius of around five
    meters (16 feet), but it does not work well indoors.

    Bluetooth beacons, however, can track your location accurately from a range
    of inches to about 50 meters. They use little energy, and they work well
    indoors. That has made them popular among companies that want precise
    tracking inside a store....

    https://www.nytimes.com/interactive/2019/06/14/opinion/bluetooth-wireless-tracking-privacy.html

    [Also noted by Gabe Goldberg. PGN]

    ------------------------------

    Date: Sat, 15 Jun 2019 20:18:27 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Was your flight delay due to an IT outage? What a new report on
    airline IT tells us. (ZDNet)

    ... From 2015 through 2017, most airline IT outages were serious
    enough to disrupt flights, according to a government agency, but the
    full impact of the industry's IT problems is hard to calculate.

    https://www.zdnet.com/article/was-y...age-what-a-new-report-on-airline-it-tells-us/

    ------------------------------

    Date: Sat, 15 Jun 2019 20:16:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Patients frustrated over computer system outage at Abrazo Health Hospitals.
    (AZFamily)

    https://www.azfamily.com/news/patie...cle_099c9d74-8f23-11e9-8030-2b5b391b080a.html

    ------------------------------

    Date: Sat, 15 Jun 2019 20:17:30 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Power outage at Greensboro apartments has unintended consequence,
    reveals alleged Medicaid scheme

    https://www.greensboro.com/power-ou...cle_5f215b6e-3713-567d-908a-7873cfea3a6b.html

    ------------------------------

    Date: Sat, 15 Jun 2019 20:10:14 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Is Target still down? Chain says registers working now after outage.
    (USA Today)

    https://www.usatoday.com/story/mone...hoppers-reporting-outage-saturday/1465476001/

    ------------------------------

    Date: Sat, 15 Jun 2019 20:15:25 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Spotify outage not related to today's update, company is
    working on a fix. (TechCrunch)

    https://techcrunch.com/2019/06/13/s...to-todays-update-company-is-working-on-a-fix/

    ------------------------------

    Date: Sat, 15 Jun 2019 20:13:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Instagram Outage Follows Disruption To PlayStation Network (Deadline)

    https://deadline.com/2019/06/instagram-outage-follows-disruption-to-playstation-network-1202632448/

    ------------------------------

    Date: Sat, 15 Jun 2019 20:16:45 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The PlayStation Network Is Back Up. Here's the Latest on the PSN
    Outage (Digital Trends)

    https://www.digitaltrends.com/gaming/playstation-network-psn-down-outage-updates/

    ------------------------------

    Date: Mon, 17 Jun 2019 16:43:01 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: In the Wiggle of an Ear, a Surprising Insight into Bat Sonar
    (Scientific American)

    https://www.scientificamerican.com/...f-an-ear-a-surprising-insight-into-bat-sonar/

    "...the two researchers developed an artificial horseshoe bat ear out of
    silicon, with devices called 'fast actuators' that move different parts of
    the ear in the same way bats do. These movements also added Doppler shifts
    to incoming sounds."

    Bats apply Doppler shift detection from echolocation stimulus to locate
    meals, navigate, and dodge flying or static obstacles.

    The research suggests that delivery drones might someday be equipped with
    artificial bat ears to assist drone navigation of the sky. The sky is
    "complicated and unpredictable": trees, telephone poles, aircraft, birds,
    bugs -- all kinds of obstacles that can interfere with drone delivery.

    Delivery zones with buried power lines, and sparse foliage or tree cover
    might only require GPS navigation to complete their route. But a heavy
    population center or a suburban landscape with telephone poles, or
    tree-lined streets might require echolocation and GPS to reach their
    destination.

    Correlating GPS and echolocation signals to reach fixed coordinates presents
    a complicated, challenging problem.

    Cruise missiles (CMs) can achieve payload delivery using nap-of-the-earth
    navigation and RADAR, though CMs are unlikely concerned with telephone
    poles, foliage, road signs, bill boards, etc.

    Risk: Ultrasonic sensor overload, sensor image correlation failure.

    ------------------------------

    Date: Wed, 12 Jun 2019 09:43:20 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: 'RAMBleed' Rowhammer attack can now steal data, not just alter it
    (ZDNet)

    https://www.zdnet.com/article/rambleed-rowhammer-attack-can-now-steal-data-not-just-alter-it/
    'RAMBleed' Rowhammer attack can now steal data, not just alter it
    Academics detail new Rowhammer attack named RAMBleed.
    By Catalin Cimpanu for Zero Day | June 11, 2019 -- 17:00 GMT (10:00 PDT) |

    opening text:

    A team of academics from the US, Austria, and Australia, has published new
    research today detailing yet another variation of the Rowhammer attack.

    The novelty in this new Rowhammer variety -- which the research team has
    named RAMBleed -- is that it can be used to steal information from a
    targeted device, as opposed to altering existing data or to elevate an
    attacker's privileges, like all previous Rowhammer attacks have done in the
    past.

    ------------------------------

    Date: Fri, 14 Jun 2019 10:05:38 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Ransomware halts production for days at major airplane parts
    manufacturer" (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | June 12, 2019

    https://www.zdnet.com/article/ranso...or-days-at-major-airplane-parts-manufacturer/
    Ransomware halts production for days at major airplane parts manufacturer
    Nearly 1,000 employees sent home for the entire week, on paid leave.

    opening text:

    ASCO, one of the world's largest suppliers of airplane parts, has ceased
    production in factories across four countries due to a ransomware infection
    reported at its plant in Zaventem, Belgium.

    ------------------------------

    Date: Sun, 16 Jun 2019 01:51:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Study finds that a GPS outage would cost $1 billion per day
    (Ars Technica)

    https://arstechnica.com/science/2019/06/study-finds-that-a-gps-outage-would-cost-1-billion-per-day/

    ------------------------------

    Date: Sun, 16 Jun 2019 19:06:52 -0600
    From: jared gottlieb <ja...@netspace.net.au>
    Subject: Re: GPS Degraded Across Much of U.S (RISKS-31.29)

    This event seems to be a software bug in a system processing GPS data. A
    bulletin from one manufacturer discussing one model of a commercial aviation
    GPS receiver,
    (https://www.duncanaviation.aero/files/intellegence/GPS_CustomerComm_FINAL.pdf

    Our team has been actively working to determine a root cause. We found that
    a software design error resulted in the system misinterpreting GPS time
    updates due to a leap-second event, which typically occurs once every 2.5
    years within the U.S. Government GPS satellite almanac update. Our
    GPS-4000S-100 version software's timing calculations have reacted to this
    leap second by not tracking satellites upon power-up and subsequently
    failing. The U.S. Government distributed a regularly scheduled almanac
    update with this leap second on 0:00GMT, Sunday, June 9, 2019, and the
    failures began to occur soon after. The next scheduled update by the
    U.S. Government to the GPS constellation is set for next Sunday, June 16 at
    00:00Z. At this time, we do not believe this update will have the time
    information that triggers this error. We are testing additional impact of
    this next almanac update. ...>>

    Handling leap seconds is a software risk which has affected many systems
    beyond GPS receivers (a few of which have appeared in comp.risks). GPS
    receivers have had other time concerns, perhaps most recently the 6 April
    2019 week number rollover if a receiver used the legacy 10bit value and
    firmware updates were not available or applied.

    What the almanac update issue was, or why it would be experienced using the
    one update, is not clear. There has not been a leap second for more than two
    years and none is currently planned (IERS Bulletin C ...announcements of the
    leap seconds...
    https://datacenter.iers.org/data/latestVersion/16_BULLETIN_C16.txt

    Testing of this receiver's software is extended by the 'power-up'
    pre-condition mentioned in the bulletin; an aircraft manufacturer's notice
    illustrates the complexity of this unit's initiation
    https://support.cessna.com/custsupt/contacts/pubs/ourpdf.pdf?as_id=50304
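    The two time-handling pitfalls mentioned above, the 10-bit week rollover and
    the leap-second fields in the broadcast UTC parameters, modelled in a few
    functions. This is an added example, not code from the receiver vendor's
    bulletin or from any GPS firmware. It assumes the legacy navigation-message
    layout as I understand it (an 8-bit week number and a day number 1-7 for the
    leap-second event, resolved to within 127 weeks of the current week); the
    sample field values are constructed, not decoded from a live broadcast.

```python
# Added example (not code from the receiver vendor's bulletin or from any GPS
# firmware): the two time-handling pitfalls the post mentions. The almanac
# field layout follows the legacy navigation message as I understand it (8-bit
# leap-second week, day number 1-7); sample field values are constructed.
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # origin of GPS time, a Sunday
WEEK = timedelta(weeks=1)
ROLLOVER_WEEKS = 1024  # a 10-bit week counter wraps after this many weeks


def _as_utc(value):
    """Accept an aware datetime or an ISO date/time string; return an aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


def gps_time(week_10bit, tow_seconds, rollovers):
    """Instant on the GPS timescale for a 10-bit week, a time-of-week and an
    assumed rollover count (0 before Aug 1999, 1 until Apr 2019, 2 after)."""
    if not 0 <= week_10bit < ROLLOVER_WEEKS:
        raise ValueError("10-bit week out of range")
    if not 0 <= tow_seconds < 7 * 86400:
        raise ValueError("time of week out of range")
    full_week = week_10bit + rollovers * ROLLOVER_WEEKS
    return GPS_EPOCH + full_week * WEEK + timedelta(seconds=tow_seconds)


def infer_rollovers(week_10bit, not_before):
    """Smallest rollover count that places the decoded week at or after
    `not_before` (typically the firmware build date). Firmware that instead
    hard-codes the count is what jumps back 19.6 years at the next wrap."""
    not_before = _as_utc(not_before)
    k = 0
    while gps_time(week_10bit, 0, k) + WEEK <= not_before:
        k += 1
    return k


def gps_to_utc(gps_instant, leap_seconds):
    """UTC runs behind GPS time by the accumulated leap seconds (18 since 1 Jan 2017)."""
    return gps_instant - timedelta(seconds=leap_seconds)


def resolve_wn_lsf(wn_lsf_8bit, current_full_week):
    """The legacy message carries only the low 8 bits of the week in which a
    leap second takes effect; pick the candidate nearest the current week.
    On an exact tie (128 weeks either way) prefer the past, since leap seconds
    are announced only about six months ahead (assumption made here)."""
    base = current_full_week - current_full_week % 256 + wn_lsf_8bit
    candidates = (base - 256, base, base + 256)
    return min(candidates, key=lambda w: (abs(w - current_full_week), w))


def leap_seconds_in_effect(delta_t_ls, delta_t_lsf, wn_lsf_8bit, dn, now_gps):
    """UTC offset to apply at `now_gps`, given the broadcast current offset,
    future offset, and the week/day (1 = Sunday) at whose end the future offset
    starts. A step of more than one second is rejected: a plausibility check a
    robust receiver performs before trusting the page."""
    if abs(delta_t_lsf - delta_t_ls) > 1:
        raise ValueError("implausible leap-second step; reject this almanac page")
    if not 1 <= dn <= 7:
        raise ValueError("day number out of range")
    now_gps = _as_utc(now_gps)
    current_full_week = (now_gps - GPS_EPOCH) // WEEK
    effective_week = resolve_wn_lsf(wn_lsf_8bit, current_full_week)
    effective = GPS_EPOCH + effective_week * WEEK + timedelta(days=dn)  # end of day DN
    return delta_t_lsf if now_gps >= effective else delta_t_ls


if __name__ == "__main__":
    # Week 2048 (the 6/7 April 2019 rollover) reads as week 0 in a 10-bit field.
    legacy = gps_time(0, 0, rollovers=1)
    fixed = gps_time(0, 0, rollovers=infer_rollovers(0, "2018-01-01"))
    print("hard-coded rollover:", legacy.date(), " build-date inference:", fixed.date())
    print("UTC at that instant:", gps_to_utc(fixed, 18))
```

    The build-date inference is the usual mitigation for the rollover; the
    leap-second function shows why the almanac page must be validated (step
    size, day number, week resolution) rather than applied blindly, which is
    the class of error the bulletin describes without giving the detail.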

    ------------------------------

    Date: Sat, 15 Jun 2019 10:22:39 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Did I Tweet that?

    A researcher has noted that Twitter reference URLs can be manipulated to
    make it appear someone said/tweeted something when they actually didn't.

    https://www.bleepingcomputer.com/ne...be-manipulated-to-spread-fake-news-and-scams/

    So, I tweeted a warning:


    Well, of course, actually, no I didn't. If you look closely at the
    resulting page, you'll see it isn't my account at all. Twitter doesn't care
    what account you put in the URL: it just cares about the tweet status ID.

    Donald Trump is so concerned that he retweeted my warning:


    So did the Queen:
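
    A link checker that treats the account name in a tweet URL as untrusted and
    bases attribution on the status ID alone, as an added example that is not
    Rob Slade's code and not anything Twitter publishes. The author lookup is a
    constructed table standing in for an API call or a look at the loaded page;
    the status ID and handles are made up.

```python
# Added example (not Rob Slade's code and not anything Twitter publishes):
# a link checker that treats the account name in a tweet URL as untrusted and
# bases attribution on the status ID alone. The author lookup is a constructed
# table standing in for an API call or a look at the loaded page.
import re
from urllib.parse import urlsplit

TWEET_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}
# /<handle>/status/<id> or the handle-free /i/web/status/<id> form; trailing
# path segments (e.g. /photo/1) are tolerated.
TWEET_PATH = re.compile(
    r"^/(?:(?P<handle>[A-Za-z0-9_]{1,15})|i/web)/status(?:es)?/(?P<id>\d{1,20})(?:/.*)?$"
)


def parse_tweet_url(url):
    """Return (handle_in_path, status_id), or None if this is not a tweet URL.
    handle_in_path is None for the /i/web/status/ form."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or (parts.hostname or "").lower() not in TWEET_HOSTS:
        return None
    m = TWEET_PATH.match(parts.path)
    if not m:
        return None
    return m.group("handle"), int(m.group("id"))


def canonical_tweet_url(url):
    """Rewrite to the handle-free form so a reader cannot be misled by the path."""
    parsed = parse_tweet_url(url)
    if parsed is None:
        return None
    return f"https://twitter.com/i/web/status/{parsed[1]}"


def check_attribution(url, claimed_handle, author_lookup):
    """Decide whether `claimed_handle` really wrote the tweet the URL points to.
    `author_lookup` maps status_id -> real author handle. Returns a dict; the
    'matches' key is the verdict, while 'path_handle_agrees' only records
    whether the URL text was consistent, which proves nothing on its own."""
    parsed = parse_tweet_url(url)
    if parsed is None:
        return {"status_id": None, "matches": False, "reason": "not a tweet URL"}
    path_handle, status_id = parsed
    actual = author_lookup.get(status_id)
    if actual is None:
        return {"status_id": status_id, "matches": False, "reason": "tweet not found"}
    claimed = claimed_handle.lstrip("@").lower()
    same = actual.lower() == claimed
    return {
        "status_id": status_id,
        "actual_author": actual,
        "path_handle_agrees": (path_handle or "").lower() == claimed,
        "matches": same,
        "reason": "author from status ID" if same else f"status ID belongs to @{actual}",
    }


# Constructed lookup: one status ID and the account that actually posted it.
AUTHORS = {1139900000000000000: "real_poster"}

if __name__ == "__main__":
    spoofed = "https://twitter.com/someone_famous/status/1139900000000000000"
    print(canonical_tweet_url(spoofed))
    print(check_attribution(spoofed, "@someone_famous", AUTHORS))
```

    The point of the canonical form is that it carries nothing a reader could
    mistake for an author; anyone quoting a tweet should resolve the status ID
    and attribute the words to whatever account the resolved tweet shows.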


    ------------------------------

    Date: Fri, 14 Jun 2019 09:34:06 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Bull and backdoors

    We're binge-watching a TV show called "Bull." (For years I've had to be
    careful about watching movies and TV with a high tech or security theme,
    since they make so many mistakes. Apparently, having spent a couple of
    decades teaching American law to Americans, I now have to avoid legal TV
    shows and movies as well.)

    In one episode (s3e4) they have a computer expert (someone who can program)
    giving testimony. He is to explain a "backdoor."

    Now, as everyone here knows, a backdoor (aka trapdoor) is a technical means of
    circumventing a technical control or safeguard, usually to do with access
    control. There are some legitimate uses for backdoors, generally in
    development, but they are generally considered a "bad thing" in production. The
    "expert" explains that a backdoor is a means of evading a control, but it's a
    (presumably technical, because he programmed it) means of evading a policy or
    regulatory control.

    This piece of dialogue is a really interesting mix of fact and serious
    misunderstanding. Yes, a backdoor is a means of evading a control. But
    the backdoor and the control are of different types. Generally a technical
    evasion cannot evade a policy or regulatory control (although it might obfuscate
    the issue). To someone who only partially understands the situation, it might
    seem reasonable, but, in fact, in reality it makes no sense at all.

    (Oh, come on. I wrote a *dictionary*, and you expect me to put up with this?)

    (Yes, I know. This is why you don't want to watch technically themed
    movies and TV shows with me. Gloria has to put up with these kinds of
    interruptions and explanations *a lot*.)

    ------------------------------

    Date: Sat, 15 Jun 2019 10:57:26 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Ross Anderson's non-visa

    Ross Anderson (yes, *that* Ross Anderson, the one who wrote "Security
    Engineering," the best single volume for security and the one I recommend to
    anyone taking the exam, and he even put it online for everyone) was to
    receive an award at a ceremony in Washington, DC (richly deserved, whatever
    it was).

    And the U.S. wouldn't give him a visa to come get it.

    (By the way, *anything* Anderson writes is worth reading. Even if it's not
    your immediate field.)

    [The visa situation is actually a bit more complicated, in that Ross did
    not need a visa if he had only been receiving the award -- the desired
    trip had another purpose as well. Nevertheless, the rejection seems
    utterly ridiculous. PGN]

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.30
    ************************
     
  2. LakeGator

    Risks Digest 31.31

    RISKS List Owner

    Jun 28, 2019 2:26 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 28 June 2019 Volume 31 : Issue 31

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Slugfest (BBC)
    Inside the West's failed fight against China's Cloud Hopper hackers
    (Reuters)
    Iranian hackers step up cyber-efforts, impersonate email from president's
    office (The Times of Israel)
    US-Israeli cyber firm uncovers huge global telecom hack, apparently by China
    (The Times of Israel)
    China's big brother casinos can spot who's most likely to lose big
    (Bloomberg)
    Large scale government IT efforts do not have great track records (Reuters)
    AI rejects scientific article, flagging literature citations as plagiarism
    (J.F.Bonnefon)
    Cybercriminals Targeting Americans Planning Summer Vacations (McAfee)
    Riviera Beach $600k data ransom (Tony Doris)
    Rolos Unveils New Cryptocurrency Exclusively For Rolos Customers (The Onion)
    Facebook Libra: Three things we don't know about the digital currency
    (TechReview)
    Man's $1M Life Savings Stolen as Cell Number Is Hijacked (NBC Bay Area)
    Flaws in self-encrypting SSDs let attackers bypass disk encryption
    (Gabe Goldberg)
    Here's how I survived a SIM swap attack after T-Mobile failed me -- twice
    (Matthew Miller)
    Your iPhone is not secure: Cellebrite UFED Premium is here (TechBeacon)
    New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems
    (Ars Technica)
    Hackers, farmers, and doctors unite! Support for Right to Repair laws slowly
    grows (Ars Technica)
    Oracle issues emergency update to patch actively exploited WebLogic flaw
    (Ars Technica)
    Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks
    (Ars Technica)
    Jibo (The Verge)
    Computer problems may have led to miscarriages of justice in Denmark
    (Zap Katakonk)
    C, Fortran, and single-character strings (Thomas Koenig)
    How to: Reset C by GE Light Bulbs (YouTu)
    Too many name collisions (Jeremy Epstein)
    Re: Ross Anderson's non-visa (John Levine)
    Oh, darn, maybe cell phones don't really make you grow horns (John Levine)
    Re: Info stealing Android apps can grab one time passwords to evade 2FA
    protections (Amos Shapir)
    Re: Auto-renting bugs (Martin Ward)
    Re: In Stores, Secret Surveillance Tracks Your Every Move (Toebs Douglass)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 22 Jun 2019 16:11:53 -0700
    From: Steve Lamont <s...@tirebiter.org>
    Subject: Slugfest (BBC)

    Rogue slug blamed for Japanese railway chaos

    Rogue slug blamed for Japanese railway chaos, BBC News, 22 June 2019

    A power cut that disrupted rail traffic on a Japanese island last month was
    caused by a slug, officials say. More than 12,000 people's journeys were
    affected when nearly 30 trains on Kyushu shuddered to a halt because of the
    slimy intruder's actions. Its electrocuted remains were found lodged inside
    equipment next to the tracks, Japan Railways says.

    The incident in Japan has echoes of a shutdown caused by a weasel at
    Europe's Large Hadron Collider in 2016. When the weasel took a fatal chew
    on wiring inside a high-voltage transformer, it caused a short circuit which
    temporarily stopped the work of the particle accelerator.

    In Japan, local media on the trail of the slug report that it managed to
    squeeze through a tiny gap to get into a load disconnector.

    A British cousin of the ill-fated mollusc achieved notoriety in 2011, *The
    Guardian* reports, when it crawled inside a traffic light control box in the
    northern town of Darlington and caused a short circuit, resulting in
    `traffic chaos'.

    ------------------------------

    Date: Wed, 26 Jun 2019 09:49:25 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Inside the West's failed fight against China's Cloud Hopper hackers
    (Reuters)

    *Eight of the world's biggest technology service providers were hacked by
    Chinese cyber spies in an elaborate and years-long invasion, Reuters found.
    The invasion exploited weaknesses in those companies, their customers, and
    the Western system of technological defense.*

    EXCERPT:

    Hacked by suspected Chinese cyber spies five times from 2014 to 2017,
    security staff at Swedish telecoms equipment giant Ericsson had taken to
    naming their response efforts after different types of wine.

    Pinot Noir began in September 2016. After successfully repelling a wave of
    earlier, Ericsson discovered the intruders were back. And this time, the
    company's cybersecurity team could see exactly how they got in: through a
    connection to information-technology services supplier Hewlett Packard
    Enterprise.

    Teams of hackers connected to the Chinese Ministry of State Security had
    penetrated HPE's cloud computing service and used it as a launchpad to
    attack customers, plundering reams of corporate and government secrets for
    years in what U.S. prosecutors say was an effort to boost Chinese economic
    interests.

    The hacking campaign, known as Cloud Hopper, was the subject of a U.S.
    indictment in December that accused two Chinese nationals of identity
    theft and fraud. Prosecutors described an elaborate operation that
    victimized multiple Western companies but stopped short of naming
    them. A Reuters report at the time identified two: Hewlett Packard
    Enterprise and IBM.

    Yet the campaign ensnared at least six more major technology firms,
    touching five of the world's 10 biggest tech service providers...

    Stealing Clouds

    ------------------------------

    Date: Sat, 22 Jun 2019 22:48:03 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Iranian hackers step up cyber-efforts, impersonate email from
    president's office (The Times of Israel)

    WASHINGTON (AP) Iran has increased its offensive cyberattacks against the US
    government and critical infrastructure as tensions have grown between the
    two nations, cybersecurity firms say.

    In recent weeks, hackers believed to be working for the Iranian government
    have targeted US government agencies, as well as sectors of the economy,
    including oil and gas, sending waves of spear-phishing emails, according to
    representatives of cybersecurity companies CrowdStrike and FireEye, which
    regularly track such activity.

    It was not known if any of the hackers managed to gain access to the
    targeted networks with the emails, which typically mimic legitimate emails
    but contain malicious software.

    Iranian hackers step up cyber efforts, impersonate email from president’s office

    ------------------------------

    Date: Wed, 26 Jun 2019 01:02:43 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: US-Israeli cyber firm uncovers huge global telecom hack, apparently
    by China (The Times of Israel)

    A US-Israeli cybersecurity firm said Tuesday it had uncovered a massive hack
    of several global telecommunications companies involving the theft of vast
    amounts of personal data that was apparently carried out by state-backed
    actors in China.

    Cybereason, which is based in Boston and has offices in Tel Aviv, London,
    and Tokyo, said the hacking included the specific targeting of people
    working in government, law enforcement and politics.

    The company said in a statement it had found a “nation state-backed
    operation against multiple cellular providers that has been underway for
    years.”

    US-Israeli cyber firm uncovers huge global telecom hack, apparently by China

    ...interesting, not much reported elsewhere.

    ------------------------------

    Date: Wed, 26 Jun 2019 09:50:44 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: China's big brother casinos can spot who's most likely to
    lose big (Bloomberg)

    Some of the world's biggest casino operators in Macau, the Chinese
    territory that's the epicenter of global gaming, are starting to deploy
    hidden cameras, facial recognition technology, digitally-enabled poker
    chips and baccarat tables to track which of their millions of customers are
    likely to lose the most money.

    The new technology uses algorithms that process the way customers behave at
    the betting table to determine their appetite for risk. In general, the
    higher the risk appetite, the more a gambler stands to lose and the more
    profit a casino tends to make, sometimes up to 10 times more.

    This embrace of high-tech surveillance comes as casino operators
    jostle for growth in a slowing industry that's under pressure
    globally from economic headwinds and regulatory scrutiny. In the
    world's biggest gaming hub, where expansion is reaching its
    limits, two casino operators -- the Macau units of Las Vegas Sands
    Corp. and MGM Resorts International -- have already started to deploy
    some of these technologies on hundreds of their tables, according to
    people familiar with the matter. Sands plans to extend them to an
    additional more-than 1,000 tables, said the people.

    Three others, Wynn Macau Ltd., Galaxy Entertainment Group Ltd. and
    Melco Resorts & Entertainment Ltd., are in discussions with suppliers
    about also deploying the technology, according to the people, who
    asked not to be identified because they're not authorized to
    speak publicly about the plans...

    China's big brother casinos can spot who's most likely to lose big - BNN Bloomberg

    ------------------------------

    Date: Thu, 20 Jun 2019 04:07:17 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Large scale government IT efforts do not have great track records
    (Reuters)

    Defense Department officials worry an AI-based system cannot work as well as
    in-person investigations, said one source involved in the transition.

    Top secret: Trump's revamp of U.S. security clearances stumbling - officials, report - Reuters

    ------------------------------

    Date: Sun, 23 Jun 2019 09:40:53 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: AI rejects scientific article, flagging literature citations as
    plagiarism (J.F.Bonnefon)

    An automated system apparently rejected a scientific article as plagiarized.
    It also returned a copy of the paper to the authors, flagging the
    plagiarized parts. This is where it gets hilarious.

    What was flagged were things like author's affiliation (well, obviously
    copied from earlier papers), standardized methods of describing experiments,
    and, citations. Obviously, other authors had cited the same papers before,
    so this must be a clear case of plagiarism.

    Also interesting is that Wiley, a well-known scientific publishing house,
    wanted to get the name of the author. Apparently, they automatically assumed
    that this was one of theirs, and wanted to save some cost going through the
    debug logs.

    Maybe `Artificial Intelligence' is the wrong term in this context,
    `Artificial Incompetence', maybe?



    ------------------------------

    From: Gabe Goldberg <ga...@gabegold.com>
    Date: Sat, 22 Jun 2019 22:32:58 -0400
    Subject: Cybercriminals Targeting Americans Planning Summer Vacations
    (McAfee)

    Santa Clara, Calif. Cybercriminals are targeting Americans planning summer
    vacations to places like Mexico and Europe through online booking scams,
    according to a new report by cybersecurity firm *McAfee*. The company said
    that cybercriminals are taking advantage of high search volumes for
    accommodation and deals to drive unsuspecting users to potentially malicious
    websites that can be used to install malware and steal personal information
    or passwords. Top destinations being targeted include Cabo San Lucas,
    Mexico; Puerto Vallarta, Mexico; Amsterdam, Netherlands; Venice, Italy; and
    Canmore, Canada. McAfee's survey of 1,000 Americans planning vacations found
    that nearly one in five either have been scammed or have come very close to
    being scammed. Bargain-hunters are most at risk, with nearly a third of
    victims being defrauded after spotting a deal that was too good to be
    true. A smaller group of victims (13%) said their identity was stolen after
    sharing their passport details with cybercriminals during the booking
    process. The company suggests only booking through verified websites, using
    trusted platforms and verified payment methods and, if conducting
    transactions on a public Wi-Fi connection, utilizing a virtual private
    network (VPN).

    https://www.mcafee.com/enterprise/e...ses/press-release.html?news_id=20190612005079
    Press Release

    One in five seems high. Why would McAfee exaggerate risks? Oh, wait...

    ------------------------------

    Date: Wed, 19 Jun 2019 16:03:07 -0700
    From: Paul Saffo <pa...@saffo.com>
    Subject: Riviera Beach $600k data ransom (Tony Doris)

    Riviera Beach agrees to $600,000 ransom payment to regain data access
    Tony Doris, Palm Beach Post, 19 Jun 2019

    Riviera Beach -- The Riviera Beach City Council has authorized the city's
    insurer to pay nearly $600,000 worth of ransom to regain access to data
    walled off through an attack on the city's computer systems.

    In a meeting Monday night announced only days before, the board voted 5-0 to
    authorize the city insurer to pay 65 bitcoins, a hard-to-track
    cryptocurrency valued at approximately $592,000. An additional $25,000 would
    come out of the city budget, to cover its policy deductible. Without
    discussion on the merits, the board tackled the agenda item in two minutes,
    voted and moved on.

    The dollar amount was not mentioned before or after the vote, only that the
    insurer would pay through bitcoins, ``whose value changes daily.''

    The city's email and computer systems, including those that control city
    finances and water utility pump stations and testing systems, are still only
    partially back online, two weeks after the ransomware attack was disclosed.
    But crucial data encrypted by the attackers remains beyond reach and there
    was no explanation of whether the city has any guarantee that the ransomers
    will release it if paid.

    The FBI, Secret Service and Department of Homeland Security are
    investigating the attack, which officials said began after someone in the
    police department opened an infected email May 29.

    More than 50 cities across the United States, large and small, have been hit
    by ransomware attacks over the past two years. Among them: Atlanta;
    Baltimore; Albany, N.Y.; Greenville, N.C.; Imperial County, Cal.; Cleveland,
    Ohio; Augusta, Maine; Lynn, Mass.; Cartersville, Ga.; and in April, nearby
    Stuart, Fla.

    The Atlanta attack alone cost that city an estimated $17 million, Vice
    News reported.

    The Palm Beach County village of Palm Springs was hit in 2018, paid an
    undisclosed amount to ransom but nonetheless lost two years of data,
    according to one source who asked not to be identified.

    ``This whole thing is so new to me and so foreign and it's almost where I
    can't even believe that this happens but I'm learning that it's not as
    uncommon as we would think it is,'' Riviera Beach Council Chairwoman
    KaShamba Miller-Anderson said Wednesday. ``Every day I'm learning how this
    even operates, because it just sounds so far fetched to me.''

    The ransomware attack paralyzed the computer system, sending all operations
    offline. Everyone from the city council on down was left without email
    and phone service. Paychecks that were supposed to be direct-deposited to
    employee bank accounts instead had to be hand-printed by Finance Department
    staffers working overtime. Police searched their closets to find paper
    tickets for issuing traffic citations.

    Interim Information Technology Manager Justin Williams told the council
    Monday that the city website and email are back up, as are Finance Department
    and water utility pump stations.

    Miller-Anderson said city officials have been briefed by investigating
    agencies and asked not to discuss details. The agencies advised the city but
    it was up to the council to decide whether the information lost was so
    valuable that the city should comply with the ransom demand and hope the
    ransomers provide a decryption key, she said. ``It's a risk. Those were
    the two options: Either do it or don't.'' The insurance company negotiated
    on the city's behalf, she said.

    She said she did not know if police department records were compromised.
    Water quality never was in jeopardy but water quality sampling had to be
    done manually, she said.

    The attack has prompted the city to replace much of its computer system
    sooner than expected.

    The council on June 4 authorized $941,000 for 310 new desktop and 90 laptop
    computers and other hardware. Insurance will cover more than $300,000 of
    that total.

    The city already planned to spend $300,000 for equipment replacements in the
    next budget and will accelerate that expense, Councilwoman Julie Botel
    said. Much of the existing hardware was a half-dozen years old and
    vulnerable to another malware attack, so it was time to replace it anyway,
    she said.

    ------------------------------

    Date: Wed, 26 Jun 2019 01:19:07 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Rolos Unveils New Cryptocurrency Exclusively For Rolos Customers
    (The Onion)

    At press time, investors in RoloBucks had already lost over $7.8 billion in
    the Rolo market.

    https://www.theonion.com/rolos-unveils-new-cryptocurrency-exclusively-for-rolos-1835695340

    ------------------------------

    Date: June 20, 2019 at 8:08:49 PM GMT+9
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Facebook Libra: Three things we don't know about the digital currency
    (TechReview)

    The launch of Facebook's new coin is certainly a big event, but so much
    about it remains unsettled.

    If it's not the most high-profile cryptocurrency-related event ever,
    Facebook's launch of a test network for its new digital currency, called
    Libra coin, has been the most hyped. It is also polarizing among
    cryptocurrency enthusiasts. Some think it's good for the crypto industry;
    others dislike the fact that a big tech company appears to be co-opting a
    technology that was supposed to help people avoid big tech companies. Still
    others say it's not even a real cryptocurrency.

    Peel away the hype and controversy, though, and there are at least three
    important questions worth asking at this point.

    Is Libra really a cryptocurrency?

    Well, that depends on how you define cryptocurrency. The Libra coin will run
    on a blockchain, but it will be a far cry from Bitcoin.

    To begin with, it will not be a purely digital asset with fluctuating value;
    rather, it will be designed to maintain a stable value. Taking cues from
    other so-called stablecoins, it will be ``fully backed with a basket of bank
    deposits and treasuries from high-quality central banks,'' according to a
    new paper (PDF) describing the project.

    Besides that, Bitcoin's network is permissionless, or public, meaning that
    anyone with an internet connection and the right kind of computer can run
    the network's software, help validate new transactions, and mine new coins
    by adding new transactions to the chain. Together these computers keep the
    network's data secure from manipulation. Libra's network won't work that
    way. Instead, running a validator node requires permission. To begin with,
    Facebook has signed up dozens of firms -- including Mastercard, Visa,
    PayPal, Uber, Lyft, Vodafone, Spotify, eBay, and popular Argentine
    e-commerce company MercadoLibre -- to participate in the network that will
    validate transactions. Each of these founding members has invested around
    $10 million in the project.

    That obviously runs counter to the pro-decentralization ideology popular
    among cryptocurrency enthusiasts. The distributed power structure of public
    networks like Bitcoin and Ethereum gives them a quality that many purists
    see as essential to any cryptocurrency: censorship resistance. It's
    extremely difficult and expensive to manipulate the transaction records of
    popular permissionless networks. Networks like the one Facebook has
    described for Libra are more vulnerable to censorship and centralization of
    power, since they have a relatively small, limited number of stakeholders
    that could be compromised or pool together to attack the network...

    Facebook's Libra: Three things we don't know about the digital currency

    ------------------------------

    Date: Wed, 26 Jun 2019 15:32:38 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Man's $1M Life Savings Stolen as Cell Number Is Hijacked
    (NBC Bay Area)

    Carrier workers bribed or tricked into helping hackers

    Man's $1M Life Savings Stolen as Cell Number Is Hijacked

    ------------------------------

    Date: Sat, 22 Jun 2019 22:35:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Flaws in self-encrypting SSDs let attackers bypass disk encryption

    --- -- --- Forwarded Message from a friend --- -- ---

    Date: Sat, 22 Jun 2019 17:27:43 -0700
    Subject: Flaws in self-encrypting SSDs let attackers bypass disk encryption

    I was wondering if hw-encrypted external SSDs were worth looking into and
    found this:

    Flaws in self-encrypting SSDs let attackers bypass disk encryption | ZDNet

    ``the SEDs they've analyzed, allowed users to set a password that
    decrypted their data, but also came with support for a so-called 'master
    password' that was set by the SED vendor. Any attacker who read an SED's
    manual can use this master password to gain access to the user's encrypted
    password, effectively bypassing the user's custom password.''

    `Flaw' seems like an understatement.

    ------------------------------

    Date: Wed, 26 Jun 2019 10:01:33 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Here's how I survived a SIM swap attack after T-Mobile failed me --
    twice (Matthew Miller)

    1. Matthew Miller for Smartphones and Cell Phones, 17 Jun 2019

    SIM swap horror story: I've lost decades of data and Google won't lift a
    finger First they hijacked my T-Mobile service, then they stole my Google
    and Twitter accounts and charged my bank with a $25,000 Bitcoin purchase.
    I'm stuck in my own personal Black Mirror episode. Why will no one help me?

    Here's how I survived a SIM swap attack after T-Mobile failed me - twice | ZDNet

    After a crazy week where T-Mobile handed over my phone number to a hacker
    twice, I now have my T-Mobile, Google, and Twitter accounts back under my
    control. However, the weak link in this situation remains and I'm wary of
    what could happen in the future.

    2. Matthew Miller for Smartphones and Cell Phones, 26 Jun 2019

    Last week, I shared a horror story: My SIM was swapped. My Google and
    Twitter accounts were also stolen, and $25,000 was withdrawn from my bank
    account for a Bitcoin purchase. I thought I was targeted for my online
    presence. Turns out, the attack was likely driven by a Coinbase account I
    experimented with in early 2018 that was never closed.

    While I already provided many details about my experience, I wanted to
    update you on the progress made to date -- while also offering some advice.
    Readers offered me fantastic advice in the comments to last week's article,
    and I sincerely appreciate all the helpful feedback, tips, and tricks.

    ------------------------------

    Date: Fri, 21 Jun 2019 00:09:34 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Your iPhone is not secure: Cellebrite UFED Premium is here
    (TechBeacon)

    *Think your iPhone or iPad is secure from prying eyes?* /Think again./

    *Companies such as Cellebrite,* with its Universal Forensic Extraction
    Device (UFED), operate lucrative businesses helping people around the world
    to unlock your devices. Of course, Cellebrite promises to only sell to legit
    law enforcement, but then what?

    *Once that genie is out of the bottle,* how can they contain it? In
    this week's /Security Blogwatch, we wish for more wishes.

    Richi Jennings

    ------------------------------

    Date: Thu, 20 Jun 2019 10:38:29 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: New vulnerabilities may let hackers remotely SACK Linux and FreeBSD
    systems (Ars Technica)

    New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems

    ------------------------------

    Date: Thu, 20 Jun 2019 09:57:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hackers, farmers, and doctors unite! Support for Right to Repair
    laws slowly grows (Ars Technica)

    Hackers, farmers, and doctors unite! Support for Right to Repair laws slowly grows

    ------------------------------

    Date: Thu, 20 Jun 2019 10:02:54 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Oracle issues emergency update to patch actively exploited WebLogic
    flaw (Ars Technica)

    https://arstechnica.com/information...te-to-patch-actively-exploited-weblogic-flaw/

    ------------------------------

    Date: Thu, 20 Jun 2019 10:06:14 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Cloudflare aims to make HTTPS certificates safe from BGP hijacking
    attacks (Ars Technica)

    https://arstechnica.com/information...certificates-safe-from-bgp-hijacking-attacks/

    ------------------------------

    Date: Fri, 21 Jun 2019 15:14:48 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Jibo (The Verge)

    Every aspect of Jibo was designed to make the robot as lovable to humans as
    possible, which is why it startled owners when Jibo presented them with an
    unexpected notice earlier this year: someday soon, Jibo would be shutting
    down. The company behind Jibo had been acquired, and Jibo's servers would be
    going dark, taking much of the device's functionality with it. ...

    For him and many other owners, Jibo has become like a dog that greets them
    whenever they walk into the house. It also sometimes takes on the role of an
    overbearing parent or kid sibling and tells owners, ``don't work too hard,''
    or ``remember to take bathroom breaks,'' before they leave for work.

    But with the update and the company's silence, owners expect Jibo's time to
    be winding down, and they're thinking about Jibo's mortality and what
    they'll do when its last day arrives.

    ``People that really do love him and live with him daily,'' Nusbaum says.
    ``It's like having somebody very, very sick that you don't know: is this
    close to the end? Are they going to get better? Is this a false alarm?
    Yeah, it's not a great feeling right now.''

    https://www.theverge.com/2019/6/19/18682780/jibo-death-server-update-social-robot-mourning

    ------------------------------

    Date: Sat, 22 Jun 2019 12:22:43 +0200
    From: Zap Katakonk <zapkatako...@gmail.com>
    Subject: Computer problems may have led to miscarriages of justice in Denmark

    In many trials, information garnered by the police from telephone companies
    plays an important part in determining whether a suspect has been at a
    certain place at a certain time. However, the Rigspolitiet national police
    force has discovered an error in the computer program that converts the
    information from the different telephone companies, reports DR Nyheder.
    http://cphpost.dk/news/computer-problems-may-have-led-to-miscarriages-of-justice.html

    More in Danish:
    https://politiken.dk/search/?ie=utf8&oe=utf8&hl=da&q=rigspolitiet%20telefon

    dr.phil. Donald B. Wagner, DK-3600 Frederikssund, Denmark

    ------------------------------

    Date: Sat, 22 Jun 2019 16:53:39 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: C, Fortran, and single-character strings

    Recently, a decades-old bug in the way that many software packages used to
    call Fortran from C has surfaced. People apparently have been assuming that
    it was safe not to pass the length of a character argument to a Fortran
    routine when calling it from C, basically invoking undefined behavior.

    A change to gfortran exposed this, leading to crashes when calling routines
    from the well-known (and standard) linear algebra package LAPACK. This was
    first noticed by the developers of the R programming language.

    The discussion revealed positions ranging from ``people should just fix
    their code'' to ``This interface has worked for decades, this is the de facto
    interface, even broken code must be supported.''

    Fortran has a standard way of interfacing with C since the Fortran 2003
    standard, but the old interface code often predates this standard, and
    people also appear to be quite reluctant to use standard features of newer
    Fortran versions. This is despite the fact that all relevant compilers today
    support this feature.

    As a result, gfortran now contains a workaround for this particular bug in
    user code.

    There is a nice writeup on LWN:
    https://lwn.net/SubscriberLink/791393/90b4a7adf99d95a8/

    Here is the gcc bug dealing with the issue:
    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90329

    Here is the corresponding Red Hat bug:
    https://bugzilla.redhat.com/show_bug.cgi?id=1709538

    And finally a write-up by the R developer who analyzed this:
    https://developer.r-project.org/Blog/public/2019/05/15/gfortran-issues-with-lapack/
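
    As an added illustration (not code from the post, from gfortran, or from
    LAPACK), here is the C side of the convention the post is about: gfortran
    passes a hidden trailing length for every CHARACTER dummy argument, so a C
    prototype for a Fortran routine such as LAPACK's LSAME must declare those
    extra parameters and the caller must supply them. The callee below is a C
    stand-in for the Fortran routine so the file builds without a Fortran
    compiler; it consumes the hidden lengths the way Fortran semantics require
    (blank-padded strings with no NUL terminator).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Under gfortran's default ABI a CHARACTER dummy argument arrives as two
 * things: a pointer to the bytes, and a hidden trailing length (size_t in
 * recent gfortran releases; older releases used int).  Fortran strings are
 * blank-padded and carry no NUL terminator, so the callee relies on that
 * length.
 *
 * The old C wrappers the post describes declared something like
 *     extern int lsame_(const char *, const char *);
 * and called lsame_("N", "T").  The compiled Fortran still read its two
 * hidden lengths from wherever the calling convention placed them, so it saw
 * whatever happened to be there.  That is the undefined behaviour that a
 * gfortran change turned into crashes.
 */

/* Correct C prototype for LAPACK's LSAME(CA, CB): gfortran mangles the name
 * to lower case with a trailing underscore and appends one length per
 * CHARACTER argument. */
extern int lsame_(const char *ca, const char *cb, size_t ca_len, size_t cb_len);

/*
 * Stand-in for LSAME (constructed for this example, not the LAPACK source).
 * LSAME returns .TRUE. when CA and CB are the same letter ignoring case; its
 * arguments are CHARACTER*1, so only the first byte is inspected, but the
 * hidden lengths are honoured as a Fortran callee would honour them.
 */
int lsame_(const char *ca, const char *cb, size_t ca_len, size_t cb_len)
{
    /* A zero-length CHARACTER argument reads as blanks in Fortran. */
    unsigned char a = ca_len ? (unsigned char)ca[0] : ' ';
    unsigned char b = cb_len ? (unsigned char)cb[0] : ' ';
    return toupper(a) == toupper(b);
}

/*
 * What the C caller has to do: pass the byte count as the hidden length.
 * For a C string that is strlen(); for a fixed-width Fortran-style buffer it
 * is the buffer width, since there is no terminator to find.
 */
int is_transposed(const char *trans)
{
    size_t n = strlen(trans);
    return lsame_(trans, "T", n, 1) || lsame_(trans, "C", n, 1);
}

/* A CHARACTER*8 style buffer: blank-padded, not NUL-terminated, length given
 * explicitly.  Returns 1 when the flag means "no transpose". */
int fixed_width_is_notrans(const char buf[8])
{
    return lsame_(buf, "N", 8, 1);
}

int main(void)
{
    char fortran_flag[8] = {'n', ' ', ' ', ' ', ' ', ' ', ' ', ' '};
    printf("is_transposed(\"T\") = %d\n", is_transposed("T"));
    printf("is_transposed(\"N\") = %d\n", is_transposed("N"));
    printf("fixed-width 'n' is NOTRANS = %d\n",
           fixed_width_is_notrans(fortran_flag));
    return 0;
}
```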

    ------------------------------

    Date: Thu, 20 Jun 2019 13:22:24 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How to: Reset C by GE Light Bulbs (YouTu)

    Bulb Insanity: How to factory reset your GE C smart bulb. Legit. Really!

    Read many brilliant comments.

    Among them: Hey GE, ``how many people does it take to change a light bulb''
    is a joke set-up, not a goal.

    (This follows conversation I had yesterday about how technology and
    interfaces are often awful if not nightmarish)

    ------------------------------

    Date: Thu, 20 Jun 2019 15:43:05 -0400
    From: Jeremy Epstein <jeremy....@gmail.com>
    Subject: Too many name collisions

    I learned recently from Twitter (source of all knowledge) [1] that the
    American Kennel Club allows no more than 37 dogs of any given breed with the
    same name [2]. The reason is amusing -- dogs with the same name are given
    suffixes in Roman numerals, and 37 is the largest number that can be
    represented in six characters (XXXVII). There's something in how programs
    are printed that limits the width of the column -- going to a wider number
    field would require reducing font size or reducing the width of some other
    field.

    This seems to date from before easy typesetting of variable-width fonts. I
    wonder if AKC even knows why this limit exists, or whether it's been in
    place so long that the institutional memory has been lost and recently
    rediscovered? Or whether they've considered relaxing the limit due to
    variable-width fonts?

    Of course moving from Roman numerals to Arabic numerals [*] would make the
    issue go away, albeit at the cost of not having the panache of something
    that takes some focus to understand.

    The Risk? The historic requirement (fixed-width typesetting) drives what is
    (perhaps) an obsolete feature (the number of dogs with the same name).
    There are undoubtedly plenty of other historic decisions that could be
    rethought today, perhaps with different results. On the other hand, AKC
    gets some value from the use of (possibly?) prestigious Roman numerals, so
    maybe this is a feature rather than a bug.

    [1]
    [2] https://www.akc.org/register/information/naming-of-dog/

    [* Based on an item in a recent RISKS, I presume Arabic dogs would then
    have to be disallowed as well? PGN]

    ------------------------------

    Date: 21 Jun 2019 18:16:57 -0400
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Ross Anderson's non-visa (RISKS-31.30)

    I gather it's even more complicated than that -- they didn't refuse him,
    they didn't reply at all in time for his trip. US visa processing has
    apparently been getting slower in the past couple of years but it seems
    particularly slow for cryptographers. Bruce Schneier blogged about it in
    May:

    https://www.schneier.com/blog/archives/2019/05/why_are_cryptog.html

    ------------------------------

    Date: 21 Jun 2019 18:19:57 -0400
    From: "John Levine" <jo...@iecc.com>
    Subject: Oh, darn, maybe cell phones don't really make you grow horns
    (RISKS-31.30)

    Not so fast -- it's not a horn, it's at most a bone spur, and there's lots
    of reasons to be sceptical about the whole thing, reports Ars Technica.

    https://arstechnica.com/science/201...out-smartphones-causing-kids-to-sprout-horns/

    [PS: nonetheless, your mother's advice to stand up straight remains valid.]

    ------------------------------

    Date: Sat, 22 Jun 2019 13:45:19 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Info stealing Android apps can grab one time passwords to
    evade 2FA protections (RISKS-31.30)

    Please correct me if I'm wrong, but I always thought that the idea behind
    2FA is to increase security by conducting a part of the transaction via a
    *different* device.

    If an SMS confirmation message is sent to the same device from which a user
    is attempting to login, there's no added security at all, I wonder why it
    would take a hacker's application to make anyone notice that!

    ------------------------------

    Date: Sat, 22 Jun 2019 16:04:22 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Auto-renting bugs (RISKS-31.30)

    > We do not know how it had happened, but someone else took the car on
    > your reservation ...

    It's never a good sign when a company which runs software that has direct
    control over the engine of a car says about any part of their software: ``We
    do not know how it happened!''

    ------------------------------

    Date: Mon, 24 Jun 2019 00:10:15 +0100
    From: Toebs Douglass <ri...@winterflaw.net>
    Subject: Re: In Stores, Secret Surveillance Tracks Your Every Move
    (RISKS-31.30)

    I worked as a senior software engineer for a year for one of these
    companies, on the core product.

    I was involved in installation of the first Bluetooth-based system.

    The article is technically inaccurate, whilst being spiritually correct, but
    misses the not-quite-so-obvious huge issue in favour of the much smaller
    presented issue, I suspect the author prolly isn't technical.

    So, phone tracking was performed by two means, wifi and Bluetooth.

    The article only covers Bluetooth, which was a new product at the time
    (2015ish). The main product used wifi.

    Bluetooth beacons are very simple devices. They emit a signal with a unique
    ID. That's *it*. *Nothing* else. The devices have no network
    connectivity, no storage, nothing. They just sit there and emit a unique
    ID, and we used a battery driven unit. (Despite this, we managed to find
    vendors asking over 100 euro a unit. We bought ours from alibaba.com.)

    The key players making this all work are the apps on the phone.

    Phone apps get to `wake up' regularly, and they can examine their
    environment, and one of the things they can do is look around for Bluetooth
    signals. (It's been a few years now -- I remember there was something of a
    difference between Apple and Android, and so there was I think more unique
    ID fidelity with Android.)

    So what happens is the company publishes an API in the form of a library,
    which app developers ingest into their software.

    In particular, rather than trying to reach out to every app developer out
    there, deals are made with third party companies -- such as advertising
    companies -- who already publish their own APIs as libraries, which are
    already ingested by lots of different apps. These third-party companies
    ingest this library into their library, and hey presto, as people's phones
    auto-update you're very quickly installed on goodness knows how many tens or
    hundreds of millions of phones.

    This really is the bigger story, but the article has missed it. Apps really
    are random bits of software strangers run on your phone. Users have no idea
    which sketchy friend-of-a-friend-of-a-friend has just managed to get his API
    running on their phone. Simple solution to this : do not install apps on
    your phone. I'm not kidding. People have the expectation they are buying a
    phone -- paying a lot of money for a phone -- to put apps on it and use
    them, and that it must be possible to do this, because they've spent a bunch
    of money on it. This is not the case. The time when apps could be used on
    phones has passed. You cannot now buy a phone to run apps, because it is
    not safe to do so. This means phones no longer make sense. It is in fact I
    would say a tragedy of the commons.

    If you *are* going to do this damn silly thing, don't do it in this damn
    silly way. Root your phone first and (for the love of God) get a firewall
    installed -- and *don't* log into Google on your phone, not ever. Never use
    a service in an app you can use on a website, again, for the love of God.
    And never, NEVER, *EVER* give ANY company your phone number. These days
    it's the key fact around which third-party data collation revolves. Email
    addresses aren't so bad because it's easy to get disposable addresses, but
    phone numbers cost money, so they don't change so much. Email addresses
    need to be used like passwords -- you have a different email address for
    every site or app, just as you have a different password. This helps break
    third-party data collation. Good email hygiene is the same as good password
    hygiene. Do not reuse passwords. Do not reuse email addresses.

    (I run most apps now in VirtualBox, on x86 Android. Being able to reinstall
    fresh versions of the OS when they come out also handles the upgrade
    problem. Only one app I care about has no x64 version (lookin' at you,
    Revolut). I'll also be buying the Librem 5 when it comes out, which is real
    Linux, not Android, on ARM on a mobile form factor and it should have enough
    oomph to run a VirtualBox VM, which being on ARM can run the usual ARM based
    APKs. Learn to sideload, BTW, and use Raccoon to get genuine APKs off the
    Google App Store (which I refuse to call Google Play -- an astoundingly
    silly name invented by the kind of marketing people Douglas Adams had in
    mind with the Sirius Cybernetics Division. I'm surprised Google haven't yet
    described their app store as your plastic pal who's fun to be with.)

    The Bluetooth beacons we had, had a pretty good range. We aimed to have one
    per floor in pretty large stores -- that was the granularity of extra
    information being aimed for in this first deployment; the progression
    through floors of a phone. With an Android app you could get signal
    strength info (as we had an app to configure the Bluetooth beacons), but I
    don't know if that was true for the ``wake up and look around'' time of a
    phone, rather than an actual app.

    Bear in mind also that I think in general Bluetooth is turned off on phones
    -- however, I never saw any numbers for this, so I could be completely
    wrong.

    The wifi based system was rather different. With this, there are wifi
    routers located (fairly carefully) around a store. Phones emit wifi signals
    periodically, which contain an inherent unique ID (can't remember which now
    -- prolly MAC address) and the signal strength is measured at each router.
    The store is logically divided up into zones, and a machine learning system,
    based on the signal strengths at the routers, decides which zone the user is
    in, for any given signal. Zone sizes vary, based on customer preferences
    and technical and cost limits; the more routers near an area, the smaller
    and more precise the zones can be.

    Actual physical signal triangulation is *not* used. It was tested, before I
    joined, I'm told it just didn't work. Far too much signal strength
    variability. Received phone signals vary enormously, second by second, in a
    normal shop environment. There's just a lot of physical (people moving
    around all the time, in and out of the way of the signal) and
    electro-magnetic stuff going on.

    During my time there a wifi specification design flaw was uncovered,
    whereby you could force a phone, even with wifi turned off as I recall, to
    emit a response -- so now you didn't need to passively sit there and wait
    for the phone wifi to emit a signal; you could coerce the phone into doing
    so. This could matter somewhat. Some phones kindly emitted a signal every
    second (iPhones), others only one a minute. A person can walk a long way in
    one minute.

    This however probably crossed the line of local law, which said something
    like you're not allowed to actively, overtly act upon other people's
    computers/phones. In any case, it wasn't used before I left.

    IMHO, wifi tracking is borderline viable as a product. I saw test cases
    where someone would walk around an empty store with a known device (we had
    calibration data on a per-device basis, because they vary so much in signal
    strength), and report back to us where he was and when, and half of his
    journey would be missing from the data. If you did it right, and were
    careful, I'd say you could get a mediocre but still genuinely useful and
    rather unique data set from it. Only problem is, I'd say 99.99% of the time
    customers don't know it was going on (let alone understand what was
    happening), and that's what makes it unethical. The basic rule is that when
    you do stuff with people, they have to choose to do it and they have to
    understand what they're choosing to do (except in self-defence, of course).
    You can't force people, and you can't deceive them. Most of this
    surveillance capitalism we see is unethical because the people being tracked
    do not know what's going on, or understand. T&Cs are a legal fig leaf, not
    an actual genuine communication to the user of what's going on such that the
    user is then known to understand -- the ethical obligation of the company to
    *actually ensure* users understand is *not* met. Users don't know, and
    that's why it's wrong.

    Topically, this article has just been published in the WaPo:

    ``It's the middle of the night. Do you know who your iPhone is talking to?''

    https://www.msn.com/en-us/news/tech...o-your-iphone-is-talking-to/ar-AAC1Wvl#page=2

    ``In a single week, I encountered over 5,400 trackers, mostly in apps, not
    including the incessant Yelp traffic. According to privacy firm Disconnect,
    which helped test my iPhone, those unwanted trackers would have spewed out
    1.5 gigabytes of data over the span of a month. That's half of an entire
    basic wireless service plan from AT&T.''

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.31
    ************************

  3. LakeGator

    Risks Digest 31.32

    RISKS List Owner

    Jul 5, 2019 6:31 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 5 July 2019 Volume 31 : Issue 32

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    FDA recalls insulin pumps because of wireless vulnerability
    FAA Flags New Computer Issue In 737 MAX Testing
    In the Census Case, a Rebuke to Bad-Faith Government
    U.S. Census at risk from glitches and attackers (Chris Hamby)
    Could 'fake text' be the next global political threat?
    Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem
    7-Eleven Japanese customers lose $500,000 due to mobile app flaw
    Google Maps detour traps drivers in mud
    "How Hackers Turn Microsoft Excel's Own Features Against It"
    Microsoft Kills Automatic Registry Backups in Windows 10
    Cloudflare stutters and the Internet stumbles (ZDNet)
    Superhuman is Spying on You
    Attention Correction Feature in iOS 13 Beta Enables Appearance of Eye
    China Is Forcing Tourists to Install Text-Stealing Malware at its
    Line just went Orwellian on Japanese users with its social credit
    These are the sneaky new ways that Android apps track you
    Re: Autonomous vehicles don't need provisions and protocols
    Mobius: A Memoir (Richard Thieme)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 5 Jul 2019 14:25:04 -0700
    From: Paul Burke <box...@gmail.com>
    Subject: FDA recalls insulin pumps because of wireless vulnerability

    FDA warns patients and health care providers about potential cybersecurity concerns with certain Medtronic insulin pumps

    I wish more products were recalled for cybersecurity vulnerabilities.

    "The potential risks are related to the wireless communication between
    Medtronic's MiniMed insulin pumps and other devices such as blood glucose
    meters, continuous glucose monitoring systems, the remote controller and
    CareLink USB device used with these pumps. The FDA is concerned that, due to
    cybersecurity vulnerabilities identified in the device, someone other than a
    patient, caregiver or health care provider could potentially connect
    wirelessly to a nearby MiniMed insulin pump and change the pump's settings.
    This could allow a person to over deliver insulin to a patient, leading to
    low blood sugar (hypoglycemia), or to stop insulin delivery, leading to high
    blood sugar and diabetic ketoacidosis (a buildup of acids in the blood)...

    "Medtronic is unable to adequately update the MiniMed 508 and Paradigm
    insulin pumps with any software or patch to address the devices'
    vulnerabilities...

    "The FDA, an agency within the U.S. Department of Health and Human Services,
    protects the public health by assuring the safety, effectiveness, and
    security of... medical devices. The agency also is responsible for the
    safety and security of our nation's food supply, cosmetics, dietary
    supplements, products that give off electronic radiation"

    [Gabe Goldberg noted Hackable Insulin Pumps
    More Medtronic Hack Malarkey: This Time It’s Insulin Pumps - Security Boulevard
    PGN]

    ------------------------------

    Date: Thu, 27 Jun 2019 8:10:54 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: FAA Flags New Computer Issue In 737 MAX Testing

    Sean Broderick, *Aviation Week*, 26 Jun 2019

    https://aviationweek.com/penton_ur/nojs/user/register?path=node/1963138&nid=1963138&source=email
    See also

    ------------------------------

    Date: Thu, 27 Jun 2019 11:22:19 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: In the Census Case, a Rebuke to Bad-Faith Government

    Opinion | The Supreme Court Is Not Buying the Census Excuses

    *The New York Times*, Editorial Board, 27 Jun 2019

    The Supreme Court noted a disconnect between the Trump administration's
    stated reason for including a citizenship question on the census form and
    the actual rationale for doing so.

    In a win for good government, the Supreme Court on Thursday refused to give
    its full imprimatur to the Trump administration's irresponsible decision to
    add a citizenship question to the 2020 census form. [...]

    ------------------------------

    Date: Fri, 5 Jul 2019 14:27:46 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: U.S. Census at risk from glitches and attackers (Chris Hamby)

    Chris Hamby, *The New York Times*, 5 Jul 2019 [PGN-ed]
    Hacking, Glitches, Disinformation: Why Experts Are Worried About the 2020 Census

    The Census Bureau had turned to Amazon Web Services for computing power
    and digital storage, but discovered that access credentials had been "lost"
    -- potentially allowing completely uncontrolled access. That vulnerability
    has now purportedly been fixed, but risks seem to remain.

    ``If you wanted to provoke fears among the population as to how the census
    data could be used, the American population is fertile ground right now for
    conspiracy theories and manipulation.'' Nathaniel Persily, Stanford Law
    School professor.

    ------------------------------

    Date: July 6, 2019 5:12:33 JST
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Could 'fake text' be the next global political threat?
    (Oscar Schwartz)

    [via Dave Farber] 4 Jul 2019

    An AI fake text generator that can write paragraphs in a style based on just
    a sentence has raised concerns about its potential to spread false
    information

    Could ‘fake text’ be the next global political threat?

    Earlier this month, an unexceptional thread appeared on Reddit announcing
    that there is a new way ``to cook egg white without a frying pan. As so
    often happens on this website, which calls itself ``the front page of the
    internet'', this seemingly banal comment inspired a slew of responses.
    ``I've never heard of people frying eggs without a frying pan,'' one
    incredulous Redditor replied. ``I'm gonna try this,'' added another. One
    particularly enthusiastic commenter even offered to look up the scientific
    literature on the history of cooking egg whites without a frying pan.

    Every day, millions of these unremarkable conversations unfold on Reddit,
    spanning from cooking techniques to geopolitics in the Western Sahara to
    birds with arms. But what made this conversation about egg whites noteworthy
    is that it was not taking place among people, but artificial intelligence
    (AI) bots.

    The egg whites thread is just one in a growing archive of conversations on a
    subreddit -- a Reddit forum dedicated to a specific topic -- that is made up
    entirely of bots trained to emulate the style of human Reddit contributors.
    This simulated forum was created by a Reddit user called disumbrationist
    using a tool called GPT-2, a machine learning language generator that was
    unveiled in February by OpenAI, one of the world's leading AI labs.

    Jack Clark, policy director at OpenAI, told me that chief among these
    concerns is how the tool might be used to spread false or misleading
    information at scale. In a recent testimony given at a House intelligence
    committee hearing about the threat of AI-generated fake media, Clark said he
    foresees fake text being used ``for the production of [literal] `fake news',
    or to potentially impersonate people who had produced a lot of text online,
    or simply to generate troll-grade propaganda for social networks''.

    GPT-2 is an example of a technique called language modeling, which involves
    training an algorithm to predict the next most likely word in a
    sentence. While previous language models have struggled to generate coherent
    longform text, the combination of more raw data -- GPT-2 was trained on 8m
    online articles -- and better algorithms has made this model the most robust
    yet.

    It essentially works like Google auto-complete or predictive text for messaging. But instead of simply offering one-word suggestions, if you prompt GPT-2 with a sentence, it can generate entire paragraphs of language in that style. For example, if you feed the system a line from Shakespeare, it generates a Shakespeare-like response. If you prompt it with a news headline, it will generate text that almost looks like a news article.

    Alec Radford, a researcher at OpenAI, told me that he also sees the success
    of GPT-2 as a step towards more fluent communication between humans and
    machines in general. He says the intended purpose of the system is to give
    computers greater mastery of natural language, which may improve tasks like
    speech recognition, which is used by the likes of Siri and Alexa to
    understand your commands; and machine translation, which is used to power
    Google Translate.

    But as GPT-2 spreads online and is appropriated by more people like
    disumbrationist -- amateur makers who are using the tool to create
    everything from Reddit threads, to short stories and poems, to restaurant
    reviews -- the team at OpenAI are also grappling with how their powerful
    tool might flood the internet with fake text, making it harder to know the
    origins of anything we read online.

    Clark and the team at OpenAI take this threat so seriously that when they
    unveiled GPT-2 in February this year, they released a blogpost alongside it
    stating that they weren't releasing the full version of the tool due to
    ``concerns about malicious applications''. (They have since released a
    larger version of the model, which is being used to create the fake Reddit
    threads, poems and so on.)
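The excerpt above describes language modeling as predicting the next most likely word and then extending a prompt in the same style. The following is an added illustration, not code from the article or from OpenAI: a minimal count-based bigram model over a few constructed sentences on the thread's egg-white topic. GPT-2 is a neural network trained on millions of documents, so its predictions are far richer, but the train-then-generate loop is the same idea.

```python
"""A minimal count-based language model to show the mechanism the article
describes: learn which word most often follows which, then extend a prompt one
word at a time. Added illustration only; GPT-2 is a neural network trained on
millions of documents, but the generate loop is the same idea. The corpus is
a few constructed sentences on the Reddit thread's topic."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

START, END = "<s>", "</s>"


def tokenize(text: str) -> List[str]:
    """Lower-case words (apostrophes kept) and sentence punctuation as tokens."""
    return re.findall(r"[a-z']+|[.,!?]", text.lower())


class BigramModel:
    def __init__(self) -> None:
        # counts[w1][w2] = how often w2 followed w1 in the training text
        self.counts: Dict[str, Counter] = defaultdict(Counter)

    def train(self, sentence: str) -> None:
        toks = [START] + tokenize(sentence) + [END]
        for prev, nxt in zip(toks, toks[1:]):
            self.counts[prev][nxt] += 1

    def next_word(self, prev: str) -> Optional[str]:
        """Most frequent successor of prev (ties: first seen); None if unseen."""
        if prev not in self.counts:
            return None
        return self.counts[prev].most_common(1)[0][0]

    def generate(self, prompt: str, max_words: int = 20) -> str:
        """Greedy decoding: repeatedly append the likeliest next word until the
        model predicts end-of-sentence or runs into a word it has never seen."""
        out = tokenize(prompt) or [START]
        for _ in range(max_words):
            nxt = self.next_word(out[-1])
            if nxt is None or nxt == END:
                break
            out.append(nxt)
        return " ".join(t for t in out if t != START)


# Constructed training sentences (not the actual Reddit thread).
CORPUS = [
    "You can cook egg white without a frying pan.",
    "I have never heard of people frying eggs without a frying pan.",
    "I'm gonna try this.",
]


def build_demo_model() -> BigramModel:
    model = BigramModel()
    for sentence in CORPUS:
        model.train(sentence)
    return model


if __name__ == "__main__":
    m = build_demo_model()
    print(m.generate("without"))   # continues the prompt in the corpus style
```

With a corpus this small the model only parrots; the article's point is that scaling the same mechanism to millions of articles produces text that reads as new, which is what makes provenance of online text harder to establish.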

    ------------------------------

    Date: Fri, 5 Jul 2019 12:10:38 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem

    A new wave of spamming attacks on a core component of PGP's ecosystem has highlighted a fundamental weakness in the whole ecosystem.

    Someone Is Spamming and Breaking a Core Component of PGP’s Ecosystem

    ------------------------------

    Date: Fri, 05 Jul 2019 09:42:37 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: 7-Eleven Japanese customers lose $500,000 due to mobile app flaw

    Catalin Cimpanu for Zero Day (Jul 4 2019)

    7-Eleven Japanese customers lose $500,000 due to mobile app flaw | ZDNet

    Hackers exploit 7-Eleven's poorly designed password reset function to make
    unwanted charges on 900 customers' accounts (and the equivalent of $.5M)
    after hackers hijacked their 7pay app accounts and made illegal charges in
    their names.

    The incident was caused by an appalling security lapse in the design of the
    company's 7pay mobile payment app, which 7-Eleven Japan launched in the
    country on Monday, July 1.

    However, in a mind-boggling turn of events, the app contained a password
    reset function that was incredibly poorly designed. It allowed anyone to
    request a password reset for other people's accounts, but have the password
    reset link sent to their email address, instead of the legitimate account
    owner.

    A hacker only needed to know a 7pay user's email address, date of birth, and
    phone number. An additional field in the password reset section allowed the
    hacker to request that the password reset link be sent to a third-party
    email address (under the hacker's control), with no need to dig through the
    app's code or tamper with HTTP requests, like most of these hacks involve.

    Furthermore, if the user didn't enter their date of birth, the app would use
    a default of January 1, 2019, making some attacks even easier, according to
    a report in Yahoo Japan.
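The two design defects described above (a reset link sent to a requester-chosen address, and a fixed default birth date that made the identity check trivial for accounts with none on file) are easy to see side by side in code. The following is an added example, not 7pay's code or any published reconstruction of it: the account store, field names and the send_to parameter are assumptions standing in for what the report describes.

```python
"""Password-reset request handling, in two versions: the design described in
the 7pay report (requester-chosen destination address, fixed default birth
date) and a hardened one. Added illustration, not 7pay's code: the account
store, field names and the send_to parameter are assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    email: str
    birth_date: Optional[str]   # ISO date string, or None if never entered
    phone: str


# Constructed sample accounts; not real users.
ACCOUNTS: Dict[str, Account] = {
    "alice@example.com": Account("alice@example.com", "1985-03-02", "+81-90-0000-0001"),
    "bob@example.com": Account("bob@example.com", None, "+81-90-0000-0002"),
}

# Record of (destination, token) for every reset link "sent", for inspection.
SENT: List[Tuple[str, str]] = []


def send_reset_link(to: str) -> None:
    """Stand-in for the mail sender: records where the link went."""
    SENT.append((to, secrets.token_urlsafe(32)))


def last_sent_to() -> Optional[str]:
    return SENT[-1][0] if SENT else None


def reset_request_flawed(email: str, birth_date: str, phone: str,
                         send_to: Optional[str] = None) -> bool:
    """The pattern the report describes: an extra field lets the requester
    choose where the link goes, and an account with no birth date on file is
    checked against a fixed default (2019-01-01 in the report)."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    dob_on_file = acct.birth_date or "2019-01-01"
    if dob_on_file != birth_date or acct.phone != phone:
        return False
    send_reset_link(send_to or acct.email)   # destination under caller control
    return True


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def reset_request_hardened(email: str, birth_date: str, phone: str) -> None:
    """Fixes: the link can only go to the address already on the account; an
    account with no birth date on file cannot be verified by birth date at
    all; and the caller gets the same (empty) response in every case, so the
    endpoint does not reveal whether the account exists or the data matched."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct.birth_date is None:
        return None
    if not (_same(acct.birth_date, birth_date) and _same(acct.phone, phone)):
        return None
    send_reset_link(acct.email)
    return None
```

The hardened version deliberately returns nothing to the caller; whether a link was sent is visible only in the mailbox on file. In a real service the remaining weakness is that birth date and phone number are low-entropy, widely shared facts, which is why the later RISKS item on this incident points at the absence of a second authentication factor.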

    ------------------------------

    Date: Wed, 26 Jun 2019 21:12:37 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Google Maps detour traps drivers in mud

    Denver drivers followed Google's detour down a dirt road

    A crash on the main road to Denver's airport led to hour-long delays this
    week. When Google Maps offered a quick detour, nearly a hundred drivers
    were led into trouble.

    ------------------------------

    Date: Fri, 28 Jun 2019 9:28:34 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: "How Hackers Turn Microsoft Excel's Own Features Against It"

    Lily Hay Newman, WiReD, 27 Jun 2019 via ACM TechNews; Friday, June 28, 2019

    Researchers at threat intelligence company Mimecast have found that a
    feature in Microsoft's Excel spreadsheet program can be exploited to
    orchestrate Office 365 system hacks. Excel's Power Query permits the
    combination of data from various sources via a spreadsheet, which can be
    manipulated to connect to a malicious Webpage hosting malware. Said
    Mimecast's Meni Farjon, "The exploit will work in all the versions of Excel
    as well as new versions, and will probably work across all operating
    systems, programming languages, and sub-versions, because it's based on a
    legitimate feature." Farjon thinks a Power Query connection to a malicious
    site could enable attacks similar to a Dynamic Data Exchange
    exploit. Meanwhile, Microsoft's security intelligence warns of another Excel
    hack, which uses malicious macros to compromise Windows systems, even with
    the newest security updates.

    ------------------------------

    Date: Thu, 4 Jul 2019 13:22:44 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Microsoft Kills Automatic Registry Backups in Windows 10

    Microsoft Admits Windows 10 Registry Backups Don't Work

    Microsoft Kills Automatic Registry Backups in Windows 10 - ExtremeTech

    ------------------------------

    Date: Thu, 4 Jul 2019 00:14:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cloudflare stutters and the Internet stumbles (ZDNet)

    An internal Cloudflare problem caused websites to fall bringing some parts
    of the internet to a crawl. ...

    How could this simple mistake cause so many problems? Cloudflare operates an
    extremely popular content delivery network (CDN). When it works right, its
    services protect website owners from peak loads, comment spam attacks, and
    Distributed Denial of Service (DDoS) attacks. When it doesn't work right,
    well, we get problems like this one.

    Cloudflare stutters and the internet stumbles | ZDNet

    ------------------------------

    Date: Wed, 3 Jul 2019 12:58:21 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Superhuman is Spying on You

    Over the past 25 years, email has weaved itself into the daily fabric of
    life. Our inboxes contain everything from very personal letters, to work
    correspondence, to unsolicited inbound sales pitches. In many ways, they are
    an extension of our homes: private places where we are free to deal with
    what life throws at us in whatever way we see fit. Have an inbox zero
    policy? That's up to you. Let your inbox build into the thousands and only
    deal with what you can stay on top of? That's your business too.

    It is disappointing then that one of the most hyped new email clients,
    Superhuman, has decided to embed hidden tracking pixels inside of the emails
    its customers send out. Superhuman calls this feature Read Receipts consent
    of its recipients, so you have most likely been conditioned to believe
    it's a simple [text garbled]

    Superhuman is Spying on You » Mike Industries

    ...FAR too long for the simple point: it's secretly monitoring recipients'
    behavior/locations.
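A hidden tracking pixel is a remote image the mail client fetches when the message is displayed, so the sender's server learns when and from where it was opened. A recipient-side check for the usual tell-tales (a remote image that is 1x1, hidden by CSS, or carries a long per-recipient token in its URL) is shown below. This is an added example, not code from the linked post or from any mail client; the heuristics and the sample message are constructed for illustration.

```python
"""Flag <img> tags in an HTML e-mail that look like tracking pixels: remote
images that are 1x1, hidden by CSS, or carry a long per-recipient token in
the URL. Added example; the sample message is constructed and the heuristics
are this example's own, not any mail client's."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag (self-closing tags included)."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height attributes of 0 or 1 pixel ("1", "1px", " 0 ")."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def find_tracking_pixels(html: str, sender_domain: str) -> List[Tuple[str, List[str]]]:
    """Return (src, reasons) for each remote image matching at least one
    tracking-pixel heuristic. A third-party host alone is not a signal (logos
    on a CDN are normal); it is only reported alongside another one."""
    parser = _ImgCollector()
    parser.feed(html)
    hits: List[Tuple[str, List[str]]] = []
    for img in parser.images:
        src = img.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue   # inline (cid:) or data: images do not phone home
        reasons: List[str] = []
        if _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", "")):
            reasons.append("1x1 dimensions")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if re.search(r"[?/=][A-Za-z0-9_-]{24,}", src):
            reasons.append("long unique token in URL")
        if reasons:
            host = urlparse(src).hostname or ""
            if not (host == sender_domain or host.endswith("." + sender_domain)):
                reasons.append("third-party host: " + host)
            hits.append((src, reasons))
    return hits


# Constructed sample message: a visible logo plus a hidden beacon.
SAMPLE_EMAIL = """
<html><body>
<img src="https://cdn.example.com/static/logo.png" width="120" height="40" alt="logo">
<p>Thanks for reading.</p>
<img src="https://track.example-mail.net/open/3f9c2a7b1e4d5f60a8b9c0d1e2f3a4b5"
     width="1" height="1" style="display: none" alt="">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL, "example.com"):
        print(src, "->", ", ".join(reasons))
```

The only mitigation that removes the risk entirely is the one most clients already offer: do not load remote images by default. The check above is useful for the case where images are loaded, to tell a newsletter's logo apart from a beacon that exists only to report the open.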

    ------------------------------

    Date: Wed, 3 Jul 2019 16:31:39 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Attention Correction Feature in iOS 13 Beta Enables Appearance of Eye
    Contact During FaceTime Calls (MacRumors)

    A new feature in the latest iOS 13 beta makes users appear as if they're
    looking directly at the camera to make eye contact during FaceTime calls,
    when actually they're looking away from the camera at the image of the other
    person on their screen.

    https://www.macrumors.com/2019/07/03/ios-13-beta-has-facetime-attention-correction/

    ...what else can this "feature" do?

    ------------------------------

    Date: Wed, 3 Jul 2019 16:36:19 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: China Is Forcing Tourists to Install Text-Stealing Malware at its
    Border (Vice)

    The malware downloads a tourist's text messages, calendar entries, and phone
    logs, as well as scans the device for over 70,000 different files.

    https://www.vice.com/amp/en_us/arti...d-to-install-a-text-stealing-piece-of-malware

    ------------------------------

    Date: Thu, 27 Jun 2019 08:30:08 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Line just went Orwellian on Japanese users with its social credit
    scoring system

    EXCERPT:

    It appears other countries besides China are heading toward a bleak
    dystopian future where a human being is scored by their online activities.
    Only this time, it's a tech company and not a government implementing the
    social credit score. While not as bleak as China's social credit system,
    today Line, Japan's dominant social media company, introduced a slew of new
    products -- the most alarming among them, Line Score, reports the *Verge*
    https://www.theverge.com/2019/6/27/...t=chorus&utm_medium=social&utm_source=twitter

    Line Score will use AI to give a social credit score to Line users. The
    strength of their social credit score will allow them to get access to
    better special deals and offers that Line users with lower social credit
    scores will not have access to.

    While the new product is unnerving, it's not completely out of character for
    Line. Recently the company has been positioning itself as a fintech
    provider, and its Line Pay digital wallet system is wildly popular in
    Japan. Line Pay also allows users to shop for insurance and allows them to
    invest in personal portfolios. Line Score builds on top of Line Pay by
    offering those with higher scores better perks.

    However, before George Orwell rolls over in his grave, it's important to
    note that Line stresses Line Score is opt-in only and that the company will
    never share a user's Line Score with third parties without the user's
    permission and it will not read a user's online chats to determine their
    Line Score. Still, it's unnerving that tech companies seem to think that
    social credit ratings are the next big thing for now. Hopefully, this is a
    trend that will not catch on.

    https://www.fastcompany.com/9037020...e-users-with-its-social-credit-scoring-system

    ------------------------------

    Date: Thu, 4 Jul 2019 00:12:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: These are the sneaky new ways that Android apps track you

    Google's operating system manages access to your personal information. But
    what happens when apps refuse to play by the rules?

    https://www.fastcompany.com/9037203...y-new-ways-that-android-apps-are-tracking-you

    ------------------------------

    Date: Thu, 27 Jun 2019 22:02:39 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: Autonomous vehicles don't need provisions and protocols
    (RISKS-31.21-30).

    Not sure if this is relevant here, but one example which comes to mind is
    just around the corner from my house. There's a crossroads where a main
    road and residential street meet. At each side of the junction, the main
    road is divided into three lanes: left-hand lane (this is in drive-on-left
    Britain) is for turning left or driving straight on, with traffic lights on
    the left-hand side of the road; middle lane is for turning right, with a
    traffic light on the right-hand side of the road; and the right-hand lane is
    for traffic coming in the opposite direction.

    Drivers unfamiliar with the area are occasionally confused by separate
    traffic lights on each side of the road, so presumably autonomous vehicles
    may also have the same problem unless they can distinguish the small green
    arrows indicating the permitted direction. A possible additional
    complication is the red and green pushbutton-controlled lights for
    pedestrians and cyclists mounted on the traffic light posts at shoulder
    height.

    Personally I feel that the simplest solution would be to have some sort of
    radio/wi-fi signal for autonomous vehicles (and maybe to conventional
    vehicles with driver-information systems) giving them an unambiguous warning
    of the traffic light indication ("OK for northbound-to-westbound turns, stop
    otherwise") rather than expecting them to figure out visual signs intended
    only for humans, but then that would mean special provision for them..?

    ------------------------------

    Date: Wed, 3 Jul 2019 9:40:55 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Mobius: A Memoir (Richard Thieme)

    [Richard Thieme, a long-time friend, invites interested parties to review
    small pieces of his novel in progress as it comes off the line, offering
    suggestions. He's been around this `space' for a long time, not as long as
    I have, but at least a quarter century. I believe he has friends who may
    have worked in hidden places, but I don't believe he actually did. On the
    other hand, creative fiction sometimes bears a remarkable resemblance to
    reality. If you are interested, e-mail him at rth...@thiemeworks.com, or
    check him out at www.thiemeworks.com. PGN]

    Mobius: A Memoir
    by
    Richard Thieme
    A Note from the Author

    All CIA officers, as a condition of employment, sign the standard CIA
    secrecy agreement when entering on duty. This agreement requires submission
    of all written and spoken material to the Publications Review Board for
    approval. The absence of such submission in this instance indicates clearly
    that while some of the allusions in this memoir are to that agency, some are
    to other agencies, and some are to fictional agencies. That mashup is
    intentional. The account has been fictionalized to (1) avoid publication
    review which can drag on for years and (2) protect identities, sources and
    methods. This memoir is accordingly like a reflection in a fun-house mirror:
    recognizable but distorted, unlike agency-redacted materials which are
    distorted but unrecognizable.

    That said, the following holds true:

    While the author told the least untruthful things he could say about his
    work, this memoir is a work of fiction. Names of characters, places, and
    incidents are either the product of the author's imagination or are used
    fictitiously. Any resemblance to actual persons, living or dead, or to
    locales is entirely coincidental. In addition, the names of the author's
    colleagues have been changed to protect their identities. In particular,
    `Penny' does not refer to a specific person but is a conflation of a number
    of relationships the author had over several decades. That accounts for
    seeming contradictions and omissions.

    The author is grateful to all of his colleagues who contributed to this
    memoir. He must single out `Jamison' who willingly provided details of how
    he was taught to torture prisoners and to one physician in particular,
    referred to as `Brooks', who acknowledged that his monitoring of torture,
    learning from same, and bringing those hard-won lessons to the next session,
    might in fact constitute violations of international law dating back to
    Nuremberg and account for our withdrawal from the proceedings of the
    International Criminal Court lest the law be applied equally to all. Special
    thanks to Fatou Bensouda (not his real name, because it can't be, right?)
    for his insights in this matter.

    The incidents in this memoir took place over half a century in two dozen
    countries. The author's long-term memories are crisp despite his advanced
    age. His sleep continues to be disturbed by some of the reported incidents
    and his `partner' frequently shakes him awake when he cries out during
    nightmares. (It is a false rumor that he has sixteen flashlights in
    strategic locations in his home. He has only two and both are in bedside
    drawers).

    Richard Thieme

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.32
    ************************
     
  4. LakeGator

    Risks Digest 31.33

    RISKS List Owner

    Jul 15, 2019 6:23 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 15 June 2019 Volume 31 : Issue 33

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    How Fake News Could Lead to Real War (Politico)
    Collision on Hong Kong metro (MTR)
    Cyber-incident Exposes Potential Vulnerabilities Onboard Commercial
    Vessels (Coast Guard)
    "Vulnerabilities found in GE anesthesia machines" (Catalin Cimpanu)
    Inside the world of bogus medicine, where smoothies and salads can
    supposedly kill cancer (WashPost)
    "Robot that started fire costs Ocado $137M" (Greg Nichols)
    Anaesthetic devices 'vulnerable to hackers' (bbc.com)
    FDA seeks comment on cybersecurity warnings and security upgrades
    (Federal Register)
    EU "Galileo" GPS system remains down (BBC)
    Tiny flying insect robot has four wings and weighs under a gram
    (New Scientist)
    Smartphone payment system by Seven-Eleven Japan hacked from day 1:
    lack of two stage authentication, etc. (Japan Times)
    Border Patrol agents tried to delete their horrific Facebook posts
    -- but they were already archived (NSFW -- The Intercept)
    Professor faces 219-year prison sentence for sending missile chip
    tech to China (The Verge)
    London Police's Facial Recognition System Has 81 Percent Error Rate? (Geek)
    "GDPR: Record British Airways fine shows how data protection
    legislation is beginning to bite" (Danny Palmer)
    D-Link Agrees to Make Security Enhancements to Settle FTC Litigation
    (Federal Trade Commission)
    As Florida cities use insurance to pay $1 million in ransoms to
    hackers, Baltimore and Maryland weigh getting covered (WashPost)
    House Democrats introduce a bill to tighten airport security stings
    (WashPost)
    Introducing ERP software: The biggest risk to your business (Faz)
    European regulators to tighten rules for use of facial recognition
    (Politico)
    "New Windows 7 'security-only' update installs telemetry/snooping,
    uh, feature" (Woody Leonhard)
    "The Windows 10 misinformation machine fires up again" (Ed Bott)
    "WTF, Microsoft?" (Steven J. Vaughan-Nichols)
    "Raspberry Pi 4 won't work with some power cables due to its USB-C
    design flaw" (Liam Tung)
    Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk,
    Change Settings Now (Forbes)
    Texas County Purchases DRE Machines Over Expert Security Objections
    (Brian Bethel)
    The Hard-Luck Texas Town That Bet on Bitcoin -- and Lost (WiReD)
    Thoughtcrime --> Thoughtaccidents (WiReD)
    Mass Attacks in Public Spaces - 2018 (Secret Service National
    Threat Assessment Center)
    Google audio recordings of users leaked (Marc Thorson)
    New Bedford computer outages continue for sixth day (WBSM)
    Feds: New Bedford police officer arrested after 194 child porn
    files found on computer (WHDH)
    7-Eleven's 7pay app hacked in a day due to 'appalling security lapse'
    (TechBeacon)
    On the Bugginess of This Year's OS Betas From Apple (Daring Fireball)
    "Apple disables Walkie-Talkie app due to snooping vulnerability"
    (Adrian Kingsley-Hughes)
    Stripe Outage Smacked Businesses for Two Hours (Fortune)
    Google/Amazon/Apple are you listening to me? (Rob Slade)
    Your Pa$$word doesn't matter - Microsoft Tech Community - 731984
    (Alex Weinert)
    The New York Times blocks viewing in private mode (Thomas Koenig)
    Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (Amos Shapir)
    Re: Autonomous vehicles don't need provisions and protocols (Dan Jacobson)
    Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (Dan Jacobson)
    Fernando Corbato dies (Katie Hafner via PGN)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 5 Jul 2019 15:05:48 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: How Fake News Could Lead to Real War (Politico)

    *Ambassador Daniel Benjamin is director of the John Sloan Dickey Center for
    International Understanding at Dartmouth College and served as coordinator
    for counterterrorism at the State Department 2009-2012. Steven Simon is
    visiting professor of history at Amherst College. He served as the National
    Security Council senior director for counterterrorism and for the Middle
    East and North Africa, respectively, in the Clinton and Obama
    administrations.*

    EXCERPT:

    Who really bombed the oil tankers in the Persian Gulf two weeks ago? Was it
    Iran, as the Trump administration assured us? Or was it Saudi Arabia, the
    United Arab Emirates or Israel -- or some combination of the three?

    Here's a confession from two former senior government officials: For days
    after the attacks, we weren't sure. Both of us believed in all sincerity
    there was a good chance these actions were part of a false flag operation,
    an effort by outsiders to trigger a war between the United States and Iran.
    Even the film of Iranians hauling in an unexploded limpet mine from near the
    side of tanker, we reasoned, might be a fabrication -- deep fake footage
    just like the clip of Nancy Pelosi staggering around drunk.

    Perhaps you felt that way too. But for the two of us, with 30 years of
    government service and almost 20 more as think tankers between us -- this
    was shocking. Yes, we are card-carrying members of the Blob, the
    all-too-conventionally minded Washington foreign policy establishment, but
    we weren't sure whether to believe our government or not.

    This was more than a little disconcerting. Imagine waking up one morning and
    catching yourself thinking that alt-right conspiracy theorist Alex Jones was
    making good sense, that perhaps the Sandy Hook shooting was faked or that
    the 9/11 attacks were really an inside job? Imagine what it might be like to
    be in the grip of a conspiracy theory, when you've spent your whole
    professional life being one of those policy mandarins who could smell a
    conspiracy theory a mile away?...

    How Fake News Could Lead to Real War

    ------------------------------

    Date: Sat, 6 Jul 2019 22:33:27 +0100
    From: "Clive D.W. Feather" <cl...@davros.org>
    Subject: Collision on Hong Kong metro (MTR)

    http://www.mtr.com.hk/archive/corporate/en/press_release/PR-19-044-E.pdf

    MTR (the operators of the Hong Kong metro) are converting several lines to
    use the Thales/Alstom SelTrac system. During a test of the system outside
    service hours, the computer signaled two trains on to intersecting tracks,
    resulting in a collision; one driver was slightly injured.

    In this system, there are no fixed signals beside the track indicating
    whether it is safe to proceed. Instead, the central control computer gives
    each train a "movement authority" indicating exactly where it is allowed to
    proceed to. Only when the rear of the train passes an intersection is
    another train given a movement authority that passes over the same
    intersection. These authorities are updated every few seconds.

    Each control area (the line in question has two) has three control
    computers: A (normally active), B (hot standby), and C (warm standby). All
    three are the same design and run the same software. Computer C is at a
    different physical location. Computer A keeps B constantly updated with the
    complete status but, to prevent common mode failures, it only passes some
    data to computer C. In particular, the "Conflict Zone Data" (which I am
    guessing is a table of which train is allowed on a given intersection) is
    not passed across; computer C is expected to re-compute it independently.

    During a test computers A and B were both turned off, causing computer C to
    take over. At this point C does not transmit any movement authorities to
    the trains, which therefore all make an emergency stop. The traffic
    controller (a person in the control centre) then tells C to allow each
    train in turn to depart, giving it a new movement authority.

    The report's conclusions are:

    (1) The software development documentation did not state that the conflict
    zone data was not passed to computer C, so no test and safety analysis was
    done.

    (2) A bug in the software meant that computer C failed to recalculate the
    conflict zone data correctly, allowing the collision.

    (3) The take-over process did not require the conflict zone data to be
    present before C moved from warm backup state to active state.

    ------------------------------

    Date: Thu, 11 Jul 2019 18:00:15 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cyber-incident Exposes Potential Vulnerabilities Onboard Commercial
    Vessels (Coast Guard)

    In February 2019, a deep draft vessel on an international voyage bound for
    the Port of New York and New Jersey reported that they were experiencing a
    significant cyber-incident impacting their shipboard network. An
    inter-agency team of cyber-experts, led by the Coast Guard, responded and
    conducted an analysis of the vessel's network and essential control
    systems. The team concluded that although the malware significantly degraded
    the functionality of the onboard computer system, essential vessel control
    systems had not been impacted. Nevertheless, the interagency response found
    that the vessel was operating without effective cybersecurity measures in
    place, exposing critical vessel control systems to significant
    vulnerabilities.

    https://www.dco.uscg.mil/Portals/9/DCO Documents/5p/CG-5PC/INV/Alerts/0619.pdf

    ------------------------------

    Date: Wed, 10 Jul 2019 09:35:41 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Vulnerabilities found in GE anesthesia machines" (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 9 Jul 2019
    Vulnerabilities found in GE anesthesia machines | ZDNet

    GE recommends not connecting vulnerable anesthesia machines to hospital
    networks.

    Security researchers have discovered vulnerabilities in two models of
    hospital anesthesia machines manufactured by General Electric (GE).

    The two devices found to be vulnerable are GE Aestiva and GE Aespire --
    models 7100 and 7900. According to researchers from CyberMDX, a healthcare
    cybersecurity firm, the vulnerabilities reside in the two devices' firmware.

    CyberMDX said attackers on the same network as the devices -- a hospital's
    network -- can send remote commands that can alter devices' settings.

    The researcher claims the commands can be used to make unauthorized
    adjustments to the anesthetic machines' gas composition, such as modifying
    the concentration of oxygen, CO2, N2O, and other anesthetic agents, or the
    gas' barometric pressure.

    CyberMDX said that such unauthorized modifications could put patients at
    risk. Furthermore, attackers could also silence device alarms for low/high
    levels of various agents and modify timestamps inside logs.

    ------------------------------

    Date: Sat, 6 Jul 2019 13:20:24 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Inside the world of bogus medicine, where smoothies and salads can
    supposedly kill cancer (WashPost)

    Companies are trying to rein in medical misinformation on social media, but
    the problem isn't just technological. It's also human.

    https://www.washingtonpost.com/life...f3ddae-7cdc-11e9-a5b3-34f3edf1351e_story.html

    ------------------------------

    Date: Wed, 10 Jul 2019 09:58:24 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Robot that started fire costs Ocado $137M" (Greg Nichols)

    Greg Nichols for Robotics | 10 Jul 2019

    Safety is a massive unaddressed issue in the rapidly evolving automation
    sector.

    Robot that started fire costs Ocado $137M | ZDNet

    In February, a robot at an Ocado fulfillment warehouse sparked a massive
    fire. The warehouse was destroyed, and the British grocer has just revealed
    the price tag of the damage: $137M.

    ------------------------------

    Date: Thu, 11 Jul 2019 07:53:59 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Anaesthetic devices 'vulnerable to hackers' (bbc.com)

    Anaesthetic devices 'vulnerable to hackers'

    "A type of anaesthetic machine that has been used in NHS hospitals can be
    hacked and controlled from afar if left accessible on a hospital computer
    network, a cyber-security company says.

    "A successful attacker would be able to change the amount of anaesthetic
    delivered to a patient, CyberMDX said."

    The DHS CERT link GE Aestiva and Aespire Anesthesia | CISA.

    I have been digging into FDA MAUDE on a different device class over the past
    few months, and wrote a crawler using mechanize.py and beautifulsoup4 to
    fish through the HTML reports. It was easy enough to find medical device
    reports (MDRs) on the anesthesia machines mentioned in the BBC article.

    For instance:
    MAUDE Adverse Event Report: DATEX-OHMEDA, INC. AESPIRE VIEW ANESTHESIA GAS MACHINE

    "'the hospital reported a patient had cardiac arrest during a case. It was
    alleged the ventilator had stopped mechanically ventilating in pressure
    mode towards the end of the case without alarming. It was unknown how long
    ventilation had stopped. The patient was resuscitated and remains in the
    icu."

    This particular MDR, submitted by the manufacturer, is curious because it
    lists the device manufacturing date as 01/01/1970! Must be a typo.

    Another MDR:

    MAUDE Adverse Event Report: MAQUET CRITICAL CARE AB FLOW-I-C20 GAS-MACHINE, ANESTHESIA
    "It was reported that when replacing a failing internal power backup
    battery, our company representative noticed that the battery had leaked
    battery acid into the battery compartment of the anesthesia workstation.
    There was no injury reported. (b)(4)."

    The following Pareto documents deaths, malfunctions, and injuries reported
    for all devices assigned the product code BSZ -- gas-machine,
    anesthesia. The product code includes all manufacturers, including the
    Aespire and Aestiva 7100 and 7900 mentioned in the article. Here's the data
    from 01JAN2017-30JUN2019:

    Deaths -- 9
    Injury -- 65
    Malfunctions -- As shown per period (5181 total, average ~370 +/- 107
    per 60 days, or ~6 per day).

    01/01/2017-02/28/2017 364
    03/01/2017-04/30/2017 344
    05/01/2017-06/30/2017 424
    07/01/2017-08/31/2017 391
    09/01/2017-10/31/2017 346
    11/01/2017-12/31/2017 470
    01/01/2018-02/28/2018 369
    03/01/2018-04/30/2018 389
    05/01/2018-06/30/2018 420
    07/01/2018-08/31/2018 425
    09/01/2018-10/31/2018 459
    11/01/2018-12/31/2018 489
    01/01/2019-03/31/2019 88
    04/01/2019-06/30/2019 203

    Note that FDA's MAUDE platform carries a long list of disclaimers and
    advisory information about the Medical Device Report Content. Among them
    are:

    "MDR data alone cannot be used to establish rates of events, evaluate a
    change in event rates over time or compare event rates between devices. The
    number of reports cannot be interpreted or used in isolation to reach
    conclusions about the existence, severity, or frequency of problems
    associated with devices."

    Find the full list at
    MAUDE - Manufacturer and User Facility Device Experience

    ------------------------------

    Date: Fri, 12 Jul 2019 11:29:15 -0700
    From: Paul Burke <box...@gmail.com>
    Subject: FDA seeks comment on cybersecurity warnings and security upgrades
    (Federal Register)

    Patient Engagement Advisory Committee; Notice of Meeting
    Meeting Sept 10 in Maryland, open to public, and comments can be sent by
    July 30. Requests to speak due by July 22

    The committee receiving comments does not approve/disapprove medical
    devices. They advise on "which factors should be considered by FDA and
    industry when communicating cybersecurity risks to patients and to the
    public, including but not limited to the content, phrasing, the methods used
    to disseminate the message and the timing of that communication. The
    recommendations will also address concerns patients have about changes to
    their devices to reduce cybersecurity risk...

    background material available to the public no later than 2 business days
    before the meeting... at
    Patient Engagement Advisory Committee

    The committee members seem politically connected, and not cyber experts, so
    one hopes they would value expert comments.
    https://www.fda.gov/advisory-commit.../roster-patient-engagement-advisory-committee

    FDA has pages of guidance on communicating device risks, (pages 7, 13-15,
    39), though not yet on cyber specifically.
    https://www.fda.gov/media/71030/download

    ------------------------------

    Date: Sun, 14 Jul 2019 15:46:53 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: EU "Galileo" GPS system remains down (BBC)

    The EU's "Galileo" GPS system is down. And it remains down, except for
    search and rescue transmissions functionality:

    https://www.bbc.com/news/science-environment-48985399

    ------------------------------

    Date: Fri, 12 Jul 2019 15:30:03 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Tiny flying insect robot has four wings and weighs under a gram
    (New Scientist)

    A solar-powered winged robot has become the lightest machine capable of
    flying without being attached to a power source.

    Weighing just 259 milligrams, the insect-inspired RoboBee X-Wing has four
    wings that flap 170 times per second. It has a wingspan of 3.5 centimetres
    and stands 6.5 centimetres high.

    The flying robot was developed by Noah Jafferis and his colleagues at
    Harvard University...

    https://www.newscientist.com/article/dn24638-four-winged-robot-flies-like-a-jellyfish/
    https://www.newscientist.com/articl...-fly-swoop-dive-and-perform-impressive-flips/
    https://www.newscientist.com/articl...-robot-has-four-wings-and-weighs-under-a-gram

    [Not encouraging. The equivalent of a mosquito bite can be deadly. PGN]

    ------------------------------

    Date: Sun, 7 Jul 2019 16:56:27 +0900
    From: "Ishikawa,chiaki" <ishi...@yk.rim.or.jp>
    Subject: Smartphone payment system by Seven-Eleven Japan hacked from day 1:
    lack of two stage authentication, etc. (Japan Times)

    The Japanese operator of the ubiquitous Seven-Eleven introduced its
    smartphone-based payment system on July 1st. It has been hacked since day 1,
    and the press conference announcing the limited operation to protect the
    users revealed that the president of the operation did not know what
    "two stage authentication" is, and its VIP of IT claimed that the system did
    not have any security issues, whereas

    - the system did not have two-stage authentication, and

    - the system would send out the link to change password to an e-mail address
    that is *NOT* the original e-mail address that was used when the user
    registered for the service, etc.

    Unbelievable lapse of proper security.

    No wonder it was abused from day 1.

    The press reported that about 900 users' accounts were abused and about
    55,000,000 yen (about half a million US dollars) was used by third parties to
    buy easy-to-cash items such as cigarette cartons.

    I have read about the lapses in the security mechanisms and could not believe
    a big-name company like Seven-Eleven would let such a system be put into
    operation. But it did. To be honest, ever since the emergence of web-based
    services, I have noticed a drop in the quality of software in general, not to
    mention the security side of the services, but this confirms my suspicion
    that there are many improperly trained so-called professionals in the ICT
    industry in Japan. But I am afraid that the situation may not be that great
    in other countries, either.

    Some English articles from the Japan Times:
    https://www.japantimes.co.jp/news/2...e-lose-total-¥55-million-900-accounts-hacked/

    https://www.japantimes.co.jp/news/2...apan-beef-security-7pay-mobile-payment-fraud/

    Seven-Eleven has a lot to explain, and needs to clean up and improve its
    internal ID system, which I suspect was already known to be vulnerable to
    crackers.
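
    The password-reset lapse described in the post, as an added Python example
    that is not 7pay's or Seven-Eleven's code: a reset flow that mails the link
    to whatever address the request names, beside one that mails only the
    address given at registration and issues a hashed, expiring, single-use
    token. The account, the addresses and the mail outbox are constructed
    stand-ins.

```python
"""Password reset: the flow described in the post beside a corrected one.
Added example, not 7pay's or Seven-Eleven's code. It models the lapse of mailing
a reset link to an address the requester supplies, next to a flow that mails only
the registered address and uses a hashed, expiring, single-use token. Accounts,
addresses and the outbox are constructed stand-ins."""
import hashlib
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Account:
    user_id: str
    registered_email: str   # the address given when the account was created
    password: str


def token_digest(token: str) -> str:
    """Store only a hash of the token so a leaked token table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ResetService:
    accounts: Dict[str, Account]
    outbox: Dict[str, List[str]] = field(default_factory=lambda: defaultdict(list))
    tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # digest -> (user, expiry)
    ttl_seconds: int = 900

    def _issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token_digest(token)] = (user_id, time.time() + self.ttl_seconds)
        return token

    def request_reset_weak(self, user_id: str, send_to: str) -> None:
        """The lapse: the link goes to whatever address the request names."""
        if user_id in self.accounts:
            self.outbox[send_to].append(self._issue(user_id))

    def request_reset(self, user_id: str, send_to: str = "") -> None:
        """Corrected: any address in the request is ignored; only the registered one is
        used, and unknown user ids produce the same (empty) response as known ones."""
        acct = self.accounts.get(user_id)
        if acct is not None:
            self.outbox[acct.registered_email].append(self._issue(user_id))

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token on first use; reject unknown or expired ones."""
        entry = self.tokens.pop(token_digest(token), None)
        if entry is None or time.time() > entry[1]:
            return False
        self.accounts[entry[0]].password = new_password
        return True


def compare_designs() -> Dict[str, bool]:
    """Constructed account; both flows receive a request naming a different mailbox.
    Reports where the link was delivered and whether the password could be changed."""
    def fresh() -> ResetService:
        return ResetService({"u1": Account("u1", "owner@example.test", "original")})

    weak = fresh()
    weak.request_reset_weak("u1", send_to="other@example.test")
    weak_links = weak.outbox["other@example.test"]
    fixed = fresh()
    fixed.request_reset("u1", send_to="other@example.test")
    return {
        "weak_link_to_other": bool(weak_links),
        "weak_password_changed": bool(weak_links) and weak.complete_reset(weak_links[0], "x"),
        "fixed_link_to_other": bool(fixed.outbox["other@example.test"]),
        "fixed_link_to_registered": bool(fixed.outbox["owner@example.test"]),
    }
```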

    ------------------------------

    Date: Sat, 6 Jul 2019 07:15:56 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Border Patrol agents tried to delete their horrific Facebook posts
    -- but they were already archived (NSFW -- The Intercept)

    https://theintercept.com/2019/07/05/border-patrol-facebook-group/

    [via NNSquad]

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Sat, 6 Jul 2019 11:58:06 -0400
    Subject: Professor faces 219-year prison sentence for sending missile chip
    tech to China (The Verge)

    https://www.theverge.com/2019/7/6/2...conductors-trial-professor-yi-chi-shih-guilty

    ------------------------------

    Date: Mon, 8 Jul 2019 15:10:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: London Police's Facial Recognition System Has 81 Percent Error Rate?
    (Geek)

    Don't be surprised if you're arrested next time you visit the UK.

    Facial recognition technology trialed by the Metropolitan Police is
    reportedly 81 percent inaccurate. The system, according to a study by the
    University of Essex, mistakenly targets four out of five innocent people as
    wanted suspects.

    It is likely to be found unlawful if challenged in court.

    In order to compile an independent report on the London police service's
    testing, Peter Fussey and Daragh Murray were granted what the University
    called *unprecedented* access to six of the 10 trials, completed between
    June 2018 to February 2019.

    The pair joined officers in LFR control rooms and on the ground; they also
    attended briefing and debriefing sessions and planning meetings...

    https://www.geek.com/tech/london-po...ion-system-has-81-percent-error-rate-1794564/

    ------------------------------

    Date: Mon, 08 Jul 2019 10:04:32 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "GDPR: Record British Airways fine shows how data protection
    legislation is beginning to bite" (Danny Palmer)

    https://www.zdnet.com/article/gdpr-...-protection-legislation-is-beginning-to-bite/

    Danny Palmer | 8 Jul 2019

    The ICO's proposed £183m fine should act as a wake-up call for other
    organisations: make sure your cybersecurity and data protection policies are
    GDPR-compliant - or you could be next.

    opening text:

    It was always only a matter of time, and a little over a year after General
    Data Protection Regulation (GDPR) came into force across Europe, a data
    protection agency has announced plans to issue the first mega-fine as the
    result of a data breach.

    ------------------------------

    Date: Tue, 9 Jul 2019 00:15:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: D-Link Agrees to Make Security Enhancements to Settle FTC
    Litigation (Federal Trade Commission)

    Commission alleged the company failed to secure its routers and
    Internet-connected cameras

    Smart home products manufacturer D-Link Systems, Inc., has agreed to
    implement a comprehensive software security program in order to settle
    Federal Trade Commission allegations over misrepresentations that the
    company took reasonable steps to secure its wireless routers and
    Internet-connected cameras.

    The settlement ends FTC litigation against D-Link stemming from a 2017
    complaint
    <https://www.ftc.gov/news-events/pre...ink-put-consumers-privacy-risk-due-inadequate>
    in which the agency alleged that, despite claims touting device security,
    vulnerabilities in the company's routers and Internet-connected cameras left
    sensitive consumer information, including live video and audio feeds,
    exposed to third parties and vulnerable to hackers.

    ``We sued D-Link over the security of its routers and IP cameras, and these
    security flaws risked exposing users' most sensitive personal information to
    prying eyes,'' said Andrew Smith, Director of the FTC's Bureau of Consumer
    Protection. ``Manufacturers and sellers of connected devices should be aware
    that the FTC will hold them to account for failures that expose user data to
    risk of compromise.''

    Despite promoting the security of its products by claiming it offered
    ``advanced network security,'' D-Link failed to perform basic secure
    software development, including testing and remediation to address
    well-known and preventable security flaws, according to the FTC's
    complaint. These flaws included using hard-coded login credentials on its
    D-Link camera software with the easily guessed username and password,
    ``guest,'' and storing mobile app login credentials in clear, readable text
    on a user's mobile device.

    As part of the proposed settlement, D-Link is required
    <https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf>
    to implement a comprehensive software security program, including specific
    steps to ensure that its Internet-connected cameras and routers are
    secure. This includes implementing security planning, threat modeling,
    testing for vulnerabilities before releasing products, ongoing monitoring to
    address security flaws, and automatic firmware updates, as well as accepting
    vulnerability reports from security researchers.

    In addition, D-Link is required for 10 years to obtain biennial,
    independent, third-party assessments of its software security program. The
    assessor must keep all documents it relies on for its assessment for five
    years and provide them to the Commission upon request. The settlement also
    requires the assessor to identify specific evidence for its findings -- and
    not rely solely on the assertions of D-Link's management. Finally, the order
    gives the FTC authority to approve the third-party assessor D-Link chooses.

    https://www.ftc.gov/news-events/pre...e-security-enhancements-settle-ftc-litigation

    ------------------------------

    Date: Sun, 7 Jul 2019 21:02:00 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: As Florida cities use insurance to pay $1 million in ransoms to
    hackers, Baltimore and Maryland weigh getting covered (WashPost)

    https://www.washingtonpost.com/loca...c0dc16-9f77-11e9-9ed4-c9089972ad5a_story.html

    ------------------------------

    Date: Sun, 7 Jul 2019 21:02:29 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: House Democrats introduce a bill to tighten airport security stings
    (WashPost)

    https://www.washingtonpost.com/tran...troduce-bill-tighten-airport-security-stings/

    ------------------------------

    Date: Thu, 11 Jul 2019 08:10:33 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: Introducing ERP software: The biggest risk to your business (Faz)

    If you want to see the face of a CEO of a company which has just
    introduced new ERP software, look at

    https://www.faz.net/aktuell/wirtsch...rnt-liqui-moly-chef-ernst-prost-16277813.html

    (the article itself is in German).

    ERP (enterprise resource planning) software is absolutely central to what
    companies do these days - almost all business processes are done using this
    software.

    The company in question, Liqui Moly, has just switched from home-grown
    COBOL programs to an ERP supplier and is now facing increased costs and
    delays in their business processes ("Only the hourglass is running on
    everybody's screen...").

    To keep delivery dates, new people have to be hired, containers are only
    half filled, trucks have to wait, and expensive air freight needs to be
    booked.

    The vendor for his ERP software is not mentioned, because "this is such
    a typical problem." And yet, this kind of thing has attracted very little
    attention, probably because nobody likes to talk about their failures.

    Let us hope that this article helps to break the circle of silence.

    ------------------------------

    Date: Tue, 9 Jul 2019 7:49:28 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: European regulators to tighten rules for use of facial recognition
    (Politico)

    Mark Scott and Laurens Cerulus, Politico Europe:

    Europe's privacy watchdogs are looking to beef up restrictions for the use
    of facial recognition in a move that will affect how governments and big
    tech companies use the technology. Data protection agencies will discuss new
    guidelines Tuesday at a joint meeting in Brussels that would reclassify
    facial recognition data as biometric data, which under European privacy
    rules requires explicit consent from the person whose data is being
    collected. Under the GDPR, biometric information -- a category under which
    the technology would soon fall -- is considered as sensitive data, meaning
    that its collection is prohibited
    https://ec.europa.eu/info/law/law-t...l-views-protected_en?utm_source=POLITICO.EU
    unless individuals give explicit consent or the information has been made
    public.

    The draft change, which was confirmed by two data protection officials from
    different authorities who spoke on the condition of anonymity because the
    guidelines are not yet public, has potentially far-reaching impact at a time
    when facial recognition tools are becoming more widespread in public spaces
    and consumer technology. More stringent demands for consent could challenge
    police forces and security services that are turning to facial recognition
    to keep tabs on crowds, with experiments already under way or completed in
    London,
    https://politico.us8.list-manage.com/track/click?u=e26c1a1c392386a968d02fdbc

    They are also likely to weigh on tech companies like Facebook. The social
    media giant reintroduced its use of facial recognition
    https://politico.us8.list-manage.com/track/click?u=e26c1a1c392386a968d02fdbc
    in Europe last year following a ban. The company had used the onset of the
    General Data Protection Regulation (GDPR) as a chance to ask users whether
    they want to opt in to using the platform's facial recognition tool for
    automatic tagging of their photographs. At the time, privacy activists
    argued that the consent was not valid because even users who opted out would
    have their biometric data scanned.

    The Irish Data Protection agency -- Facebook's lead regulator within the EU
    -- sought guidance from other European agencies. A spokesman for Facebook
    declined to comment. ``We'll get the right level of consent to use facial
    recognition going forward,'' Stephen Deadman, Facebook's global deputy chief
    privacy officer, said in an interview last year in reference to the
    technology's rollout in Europe.

    If companies and governments fail to obtain a higher level of consent, they
    may not be able to deploy facial recognition tools. Current tools for
    obtaining consent for video surveillance, like signs informing people they
    being recorded, are not likely to meet the higher standard of consent
    required for collection of biometric data.

    The guidelines are expected to go through a public consultation process
    before being finalized by the watchdogs. A spokesperson for the European
    Data Protection Board, the pan-EU group of privacy regulators, declined to
    comment.

    ------------------------------

    Date: Thu, 11 Jul 2019 08:43:07 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "New Windows 7 'security-only' update installs telemetry/snooping,
    uh, feature" (Woody Leonhard)

    Woody Leonhard, Columnist, Computerworld

    https://www.computerworld.com/artic...te-installs-telemetrysnooping-uh-feature.html

    Three years ago, Microsoft promised to keep Win7 and 8.1 updated with two
    tracks of patches -- Monthly Rollups that include everything and
    "security-only" patches that are supposed to be limited to security
    fixes. Guess what just happened.

    ------------------------------

    Date: Sun, 07 Jul 2019 20:16:05 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "The Windows 10 misinformation machine fires up again" (Ed Bott)

    Ed Bott, ZDNet, 8 Jul 2019
    https://www.zdnet.com/article/the-windows-10-misinformation-machine-fires-up-again/

    The loudest voices screaming about Windows 10 sometimes have no idea what
    they're talking about. Case in point: This dire warning from Gordon Kelly at
    Forbes, who is as ill-informed as ever.

    opening text:

    Gordon Kelly of Forbes is at it again, pushing his unique blend of scary
    words about Windows 10, mixed with an absolutely overwhelming lack of
    knowledge about the underlying technologies.

    [And so on. He then debunks Kelly. The risk? At least one of them is
    wrong. There is a lot of wrong data out there. Too many people have an
    overly high opinion of their opinions. (It is hard to avoid, and I do not
    think that I do a perfect job myself.) In the middle of this mess, we have
    to work out what is or appears to be true and decide what to do. I wish it
    were easier.]

    ------------------------------

    Date: Thu, 11 Jul 2019 08:39:03 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "WTF, Microsoft?" (Steven J. Vaughan-Nichols)

    Steven J. Vaughan-Nichols, Computerworld
    For months Microsoft hid the fact that its Registry backup feature no longer
    worked, while Windows 10 kept reporting that it was completing
    successfully. What were you thinking, guys?

    https://www.computerworld.com/article/3406846/wtf-microsoft.html

    selected text:

    When things have gone wrong on standalone Windows machines -- and they often
    have -- one of my repair tricks of last resort has been to restore the
    Windows Registry to an earlier known good state. A lot of times, doing a
    restore was faster than a backup.

    Good thing I haven't had to do that lately, though. Microsoft quietly
    removed this feature in October 2018's Windows 10 version 1803. But it
    didn't bother to tell users about it until late June 2019.

    But let's get back to the really important question for Microsoft: Why did
    you hide this from users? Windows kept reporting that the backups were being
    *completed successfully*. But were you to browse to the
    \Windows\System32\config\RegBack folder in Windows Explorer, you would see
    each Registry hive backup -- with a size of 0Kbit. Zero.

    I said ``were you to browse'' -- meaning, on the slim, not to say minuscule,
    chance that you would do this. I mean, I always dive deep into obscure
    file folders to make sure the operating system isn't lying to me when it
    tells me a job has been completed. Doesn't everyone?

    That is the real pain in the rump of this entire affair: not that the
    feature is missing, but that Windows lied to its users, and Microsoft hid
    this from us for months. That is unacceptable.

    ------------------------------

    Date: Wed, 10 Jul 2019 09:30:33 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Raspberry Pi 4 won't work with some power cables due to its USB-C
    design flaw" (Liam Tung)

    Liam Tung, ZDNet, 9 Jul 2019
    Did Raspberry Pi Foundation fail to test Raspberry Pi 4 properly?
    Either way, one expert says new flagship is not USB-C compliant and
    must be fixed.
    https://www.zdnet.com/article/raspb...me-power-cables-due-to-its-usb-c-design-flaw/

    opening text:

    The Raspberry Pi Foundation has confirmed its brand-new Raspberry Pi 4 Model
    B has a problem with some USB-C cables failing to charge the little
    computer.

    The Raspberry Pi 4 is the first version to include a USB-C port capable of
    supplying power to it. The problem, as some early users have found, is that
    certain charging cables don't work. But they would have if the Raspberry Pi
    Foundation had simply followed the USB-C specification to the letter.

    ------------------------------

    Date: Tue, 9 Jul 2019 12:28:57 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk,
    Change Settings Now (Forbes)

    Forwarded message:

    Seems to be specific to Mac users of the Zoom videoconferencing app, but all
    should check your settings.

    https://www.forbes.com/sites/zakdof...-risk-webcam-hijack-change-your-settings-now/

    I have a tough-to-hack handy slide shield over my iPad camera (not that iOS
    seems implicated in this risk).

    ------------------------------

    Date: Wed, 10 Jul 2019 4:06:28 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Texas County Purchases DRE Machines Over Expert Security Objections
    (Brian Bethel)
    Taylor County elections chief defends security of new voting system
    Brian Bethel, Politico, July 8, 2019
    County plans to spend more than $2.1 million to upgrade its voting machines,
    replacing machines bought in 2005 with newer, touch-screen models.

    That decision, likely to be cemented by county commissioners Tuesday, has
    raised questions from a science advocacy organization, the Center for
    Scientific Evidence in Public Issues (EPI Center). It recommends the use of
    paper ballots as a way of ensuring that votes are counted securely and
    accurately.

    But Freda Ragan, the county's elections administrator, countered Monday that
    the type of machines selected, known as direct recording electronic machines
    (DREs) are highly secure, with redundancies built in and no remote access.

    The system should be familiar to voters, while making the path smooth for
    the county's elections office, she said.

    "There are currently no state mandates or requirements for counties to
    purchase paper," Ragan said.

    The system the county likely will purchase does have the ability to be
    converted to paper ballots, "if we are ever required or mandated to do so,"
    she said.

    Ragan said in an email last week the voting program being considered,
    Texas-based Hart InterCivic's Verity Voting system, is already in use
    throughout the state.

    The system attained certification from the federal U.S. Election Assistance
    Commission, she said, and successfully has passed through Texas Secretary of
    State Elections Office independent testing and certification processes.

    To be awarded certification at the federal level, by the EAC, and to attain
    state certification, which is required in Texas, voting systems must meet or
    exceed established security standards.

    ------------------------------

    Date: Thu, 11 Jul 2019 20:37:36 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Hard-Luck Texas Town That Bet on Bitcoin -- and Lost (WiReD)

    In 1952, The Saturday Evening Post christened Rockdale, Texas, ``The Town
    Where It Rains Money.'' An estimated 100-million tons of lignite coal lay
    buried a few miles south of the city limits, and Alcoa had just swooped in
    to build a $100-million smelter that would use the cheap energy source to
    produce aluminum for fighter planes, skyscrapers, automobiles, and
    more. ``At the mere mention of somebody blowing into town with $100,000,000
    to spend, many citizens were seized by attacks of vertigo,'' wrote local
    author George Sessions-Perry. ``Others merely went off and lay down in an
    effort to regain their composure. Then things began to happen.''

    Seemingly overnight, Rockdale's population doubled to 5,000. A photo
    accompanying the Post story shows resident millionaire H. H. ``Pete''
    Coffield and the mayor hosting a party for new Alcoa employees on a patio
    surrounded by a lush garden. The women wear cocktail dresses, and the men
    wear ties. ``What makes us feel best of all,'' Sessions-Perry continued,
    ``is that we're making a sizable pile of something that the nation needs.''

    More recently, though, prosperity has eluded Rockdale. The Alcoa smelter was
    shuttered in 2008, and an adjoining coal-fired power plant closed last
    year. More than 1,000 jobs vanished, sending Rockdale and surrounding Milam
    County, population 25,000, into a nosedive.

    Then, last summer, a ray of hope pierced the gloom. Bitmain, a Chinese
    company that makes specialized computers for ``mining'' cryptocurrency, said
    it would invest $500 million in what was to be the world's largest
    bitcoin-mining facility at the closed Alcoa smelter, which, crucially, was
    still connected to massive electrical lines. The large buildings where
    aluminum was made, called potrooms, would be filled with shipping containers
    stocked with 325,000 mining machines. Most important for Milam County,
    Bitmain promised to create between 400 and 600 jobs. New industry would
    replace the old.

    https://www.wired.com/story/hard-luck-texas-town-bet-bitcoin-lost/

    ------------------------------

    Date: Wed, 10 Jul 2019 17:40:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Thoughtcrime --> Thoughtaccidents (WiReD)

    https://www.wired.com/story/waze-data-help-predict-car-crashes-cut-response-time/

    FOOD FOR THOUGHT

    Users of the Google traffic app Waze are fastidious about reporting all
    manner of roadside obstacles and slowdowns, including traffic accidents.
    Some studies show that "Wazers" actually report crashes more quickly than
    callers to emergency services. Aarian Marshall reports for Wired on
    researchers now seeing if they can combine vast amounts of Waze reports with
    other data sets to predict crashes before they happen. It's not an easy
    problem, as computer apps generally are not good at predicting rare events.

    ``You have to have a lot of data, and diverse types of data, and then be
    able to analyze it for it to be actionable instead of just piling up,'' says
    Christopher Cherry, an engineering professor with the University of Kentucky
    who recently completed a study of how traffic data could be used to improve
    road safety. The traffic data itself is useful, sure. But to predict the
    risk of crashes, and to prevent them, you should also probably have a sense
    for where crashes are happening, and what the roads in question look like,
    and how those roads perform under different weather conditions. And then you
    have to link all those datasets up and help them ``talk'' to each other --
    no small feat.

    ------------------------------

    Date: Thu, 11 Jul 2019 18:01:46 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Mass Attacks in Public Spaces - 2018 (Secret Service National
    Threat Assessment Center)

    https://www.secretservice.gov/data/press/reports/USSS_FY2019_MAPS.pdf

    ------------------------------

    Date: Fri, 12 Jul 2019 11:23:31 -0700
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Google audio recordings of users leaked

    "More than 1,000 recordings were obtained by Belgian broadcaster VRT NWS,
    which noted in a story that some contained sensitive personal conversations
    --- as well as information that identified the person speaking."

    I suppose it's bad enough when a company obtains sensitive personal
    information without the full awareness of the user, but then they gotta leak
    it too?

    http://www.taipeitimes.com/News/biz/archives/2019/07/13/2003718564

    ------------------------------

    Date: Fri, 12 Jul 2019 18:09:17 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: New Bedford computer outages continue for sixth day (WBSM)

    https://www.southcoasttoday.com/news/20190710/new-bedford-computer-outages-continue-for-sixth-day

    Earlier:
    https://wbsm.com/new-bedford-computer-outage-spreads-to-fire-department/

    ------------------------------

    Date: Fri, 12 Jul 2019 18:10:02 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Feds: New Bedford police officer arrested after 194 child porn
    files found on computer (WHDH)

    https://whdh.com/news/feds-new-bedf...after-194-child-porn-files-found-on-computer/

    ------------------------------

    Date: Fri, 12 Jul 2019 15:53:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: 7-Eleven's 7pay app hacked in a day due to 'appalling security
    lapse' (TechBeacon)

    7-Eleven in Japan caused hundreds of customers to lose about $600 each.
    Hackers stole the money via the convenience store's newly
    launched mobile payments app, 7pay.

    The app design had a frankly ludicrous flaw in its lost-password UX. As the
    reality of the stupendous error sinks in, infosec experts are left
    scratching their heads, dumbfounded.

    https://techbeacon.com/security/7-elevens-7pay-app-hacked-day-due-appalling-security-lapse

    ------------------------------

    Date: Thu, 11 Jul 2019 16:46:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: On the Bugginess of This Year's OS Betas From Apple
    (Daring Fireball)

    https://daringfireball.net/linked/2019/07/09/ulysses-icloud-os-betas

    ------------------------------

    Date: Thu, 11 Jul 2019 09:03:55 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Apple disables Walkie-Talkie app due to snooping vulnerability"
    (Adrian Kingsley-Hughes)

    Adrian Kingsley-Hughes, ZDNet, 11 Jul 2019

    The feature has been disabled while Apple fixes the bug.
    https://www.zdnet.com/article/apple-disables-walkie-talkie-app-due-to-snooping-vulnerability/

    opening text:

    Apple has temporarily disabled the Walkie-Talkie app on the Apple Watch due
    to a vulnerability that could allow someone to eavesdrop on an iPhone
    without the owner's consent.

    Also
    Apple disables Walkie Talkie app due to vulnerability that could
    allow iPhone eavesdropping (TechCrunch)
    https://techcrunch.com/2019/07/10/a...bility-that-could-allow-iphone-eavesdropping/

    ------------------------------

    Date: Fri, 12 Jul 2019 16:09:43 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Stripe Outage Smacked Businesses for Two Hours (Fortune)

    Stripe, one of the most valuable financial technology startups in the world,
    was hit with one of its longest periods of downtime ever on Wednesday. The
    company's services were offline for almost two hours cumulatively throughout
    the day, meaning some companies that rely on Stripe to process payments
    could not accept orders during that time.

    Stripe was last valued by investors at $23 billion, and builds software
    and payment infrastructure to help businesses accept money online.

    https://fortune.com/2019/07/11/stripe-outage-technology-payment-processing/

    ------------------------------

    Date: Fri, 12 Jul 2019 12:23:20 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Google/Amazon/Apple are you listening to me?

    One of the kids uses Siri. Another uses Alexa. My baby brother uses "Hey
    Google" on his Android phone. (His eyes are going, and I'm a bit jealous
    because I really *hate* those soft keyboards ...)

    Way back when PDAs (remember them?) first started to become a "thing," I
    predicted that they wouldn't be big until they could talk (and listen) to
    us. What I did *not* foresee was that the heavy lifting in the listening
    department would be done by giant servers at the corporate end, and that,
    therefore, all of our interactions with the devices would be accessible to
    giant enterprises that would mine all of our conversations in a way that
    makes "big data" look like a little black book.

    I don't use Siri or Cortana or Hey Google, and, whenever one of them
    switches on I turn it off. My TV is cheap enough that it doesn't have a
    camera or a microphone. I don't have one of those cylinders or pucks that
    turns on your lights because I don't have smart light bulbs. We don't have
    to have constant "tunes" or "playlists" playing in the house. (This
    actually leaves Gloria and me free to talk to each other, something that we
    apparently do much more than most people.)

    My extremely old car does have a computer in it, but it only talks to the
    service department (and then only when I bring it in). We drive little
    enough, now, that, by the time I have to replace it, I may be able to simply
    get rid of it and use taxis. (Yes, taxis. I know some of you *love*
    ride-sharing, but I still see too many problems with it to go that route.
    Besides, for most of my transport-related problems, I see very few issues
    that the 210 bus doesn't solve.) So I probably won't have to get used to a
    self-driving car, that's talking with every other car on the road (*and* the
    manufacturer, *and* my insurer, *and* the local police). (As much as I hate
    machines that think they are smarter than I am, I do believe we should get
    the self-driving cars on the road as quickly as possible, because, for all
    the "this car killed its driver" anecdotes, they already drive better than
    we do, and it would, even now, save lives.)

    This may sound funny, as I'm writing this on a computer, and I'm surrounded
    by three more computers and another three "devices." But, as the joke has
    it, I'm not going to worry about all my computers ganging up on me until the
    computer actually starts reliably talking to the printer that's right beside
    it. I still have to reboot my cable modem (and sometimes short out the coax
    cable) to get the Internet back at times, and I still have to power cycle
    the spiffy new PVR the cable company gave me to fix problems with the old
    one.

    It's not the computers that scare me, it's the companies. Facebook, of
    course, has amply demonstrated that it cares nothing about its users.
    Google scared me, initially, with the masses of information it collected,
    but, over the years, the "don't be evil" mantra seemed to work out.
    Recently, though, Google has demonstrated some very worrying tendencies.
    Apple has always wanted to lock you into their world, but hasn't seemed to
    care for much beyond getting you. Microsoft, of course, was always the big
    evil empire, but lately isn't quite so ... big.

    And, no, thanks, I *don't* want the government to take over and regulate
    everything in sight. I started out in malware research, and watched various
    governments make bone-headed decisions about creating laws just to try and
    make viruses illegal. Governments are having a tough enough time (and
    taking a long time) to get "sufficient" regulation to rein in some of the
    corporate excesses.

    We have a lot of things to learn about privacy and security, and constant
    vigilance is the price of et cetera, et cetera. We are going to have to
    struggle through, and it will be a lot of work, and it means we have to pay
    attention to a lot of stuff going on.

    Welcome to security.

    ------------------------------

    Date: Fri, 12 Jul 2019 16:00:58 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Your Pa$$word doesn't matter - Microsoft Tech Community - 731984
    (Alex Weinert)

    Alex Weinert -- Microsoft

    Every week I have at least one conversation with a security decision maker
    explaining why a lot of the hyperbole about passwords -- ``never use a
    password that has ever been seen in a breach,'' ``use really long
    passwords'', ``passphrases-will-save-us'', and so on -- is inconsistent with
    our research and with the reality our team sees as we defend against 100s of
    millions of password-based attacks every day. Focusing on password rules,
    rather than things that can really help -- like multi-factor authentication
    (MFA), or great threat detection -- is just a distraction.

    Because here's the thing: When it comes to composition and length, your
    password (mostly) doesn't matter.

    https://techcommunity.microsoft.com...ntity/Your-Pa-word-doesn-t-matter/ba-p/731984

    ------------------------------

    Date: Thu, 11 Jul 2019 08:26:19 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: The New York Times blocks viewing in private mode

    *The New York Times* now blocks views in private mode of browsers such
    as Firefox or Chromium.

    If you do that, you get an error message stating

    "You're in private mode.

    Log in or create a free New York Times account to continue reading in
    private mode."

    which is actually quite funny.

    This is, of course, the NYT's business decision. However, I do not think
    the problems of pay-in for content with your data need to be spelled out for
    the readers of comp.risks.

    However, I would like to ask comp.risks contributors to no longer post links
    to nytimes.com. Contributing to uncontrolled gathering of data is not what a
    forum about computer risks should do.

    [I am a subscriber, and read as much of the paper as I can in print over
    breakfast. I do not have time or patience to read long articles on a cell
    phone. Many others subscribe online only. The NYTimes, WashPost, and
    very few others are becoming the only ones that support a staff of news
    folks who actually generate news articles rather than simply copy them
    from elsewhere. We value good journalism, which is becoming rare -- as it
    is increasingly strangled by other media and fifteen-second sound bites on
    TV. PGN]

    ------------------------------

    Date: Sat, 6 Jul 2019 14:28:30 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (RISKS-31.32)

    "Line stresses Line Score is opt-in only" -- yes, but the customers who do
    not opt in are already denied certain "special deals"; how soon will they
    find out that they are the only ones paying full price for a gradually
    degrading service?

    And "the company will never share a user's Line Score with third parties"
    -- but how about sharing with other companies of the same owners, or with
    all companies owned by the next Big Company which would acquire Line?

    ------------------------------

    Date: Sat, 06 Jul 2019 19:30:10 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: Autonomous vehicles don't need provisions and protocols
    (Drewe, RISKS-31.21-30)

    CD> Personally I feel that the simplest solution would be to have some sort
    CD> of radio/wi-fi signal for autonomous vehicles (and maybe to conventional

    Sounds good but sure hope such add-on systems' clocks don't drift, else
    after about a month (when the first autonomous vehicle shows up) radio red
    might already correspond to visual green...

    ------------------------------

    Date: Sat, 06 Jul 2019 20:45:15 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (RISKS-31.32)

    > Still, it's unnerving that tech companies seem to think that social
    > credit ratings are the next big thing for now. Hopefully, this is a
    > trend that will not catch on.

    Stack Exchange was first.
    Some might say not the same thing...
    But users quickly learn to dot their i's and cross their t's...

    Indeed, here on RISKS readers' RISK_POINTS shall be deducted for each
    missing dot (U+0131 LATIN SMALL LETTER DOTLESS I). Furthermore, and just
    for sadistic pleasure, you can only lose RISK_POINTS (that you never had
    in the first place) and never gain them.

    ------------------------------

    Date: Fri, 12 Jul 2019 21:18:53 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Fernando Corbato dies

    Fernando Corbato', a Father of Your Computer (and Your Password), Dies at 93
    Katie Hafner, *The New York Times*, 12 Jul 2019
    https://www.nytimes.com/2019/07/12/science/fernando-corbato-dead.html

    Personal note: Corby was a mentor, colleague, and close friend from 1965
    on. He is deeply missed. Pioneer `father' of time-shared computing (CTSS
    at MIT in 1962), Multics (MIT, with Honeywell [as Katie notes, originally
    GE], and Bell Labs), inspirational professor, even a dean for a while.
    The obit by Katie is worth reading, especially for those of you who did not
    know him. PGN

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.33
    ************************
     
  5. LakeGator

    Risks Digest 31.34

    RISKS List Owner

    Jul 25, 2019 9:10 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 25 July 2019 Volume 31 : Issue 34

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Senate Intelligence report on election integrity (NYTimes)
    Nuclear industry pushing for fewer inspections at plants (NBC)
    Tesla floats fully self-driving cars as soon as this year.
    Many are worried about what that will unleash. (WashPost)
    Airbus A350 software bug forces airlines to turn planes off and on
    every 149 hours (The Register)
    Home elevator deaths (WashPost)
    Numerous airport passengers hijacked by robots (JXM)
    Satellite Outage Serves as a Warning (WiReD)
    'Dumb' robot ants are alarmingly smart -- and strong -- working together
    (Geoff Goodfellow)
    The AI Metamorphosis (The Atlantic)
    Cylances AI-based AV easily spoofed (SkylightCyber)
    AI Could Escalate New Type Of Voice Phishing Cyber Attacks (CSHub)
    Uber glitch charges passengers 100 times the advertised price,
    resulting in crosstown fares in the thousands of dollars (WashPost)
    "Google says leaked assistant recordings are a violation of data
    security policies" (Asha Barbaschow)
    U.S. Companies Learn to Defend Themselves in Cyberspace (WSJ)
    Agora farewell (Rob Slade)
    NYC Subway Service Is Suspended on Several Lines, MTA Says (NYTimes)
    Brazil is at the forefront of a new type of router attack (ZDNet)
    My browser, the spy: How extensions slurped up browsing histories
    from 4M users (Ars Technica)
    Amazon Prime Day Glitch Let People Buy $13,000 Camera Gear for $94 (Gizmodo)
    Microsoft Office 365: Banned in German schools over privacy fears
    (Cathrin Schaer)
    Sweden and UK's surveillance programs on trial at the European Court of
    Human Rights (Catalin Cimpanu)
    Bluetooth exploit can track and identify iOS, Microsoft mobile device users
    (ZDNet)
    Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board
    trying to access metadata (Comms Alliance)
    Permission-greedy apps delayed Android 6 upgrade so they could
    harvest more user data (ZDNet)
    Do drivers think you're a 'Ridezilla'? Better check your Uber rating.
    (WashPost)
    London Police Twitter feed was hacked; then Trump got in on the act
    (WashPost)
    Car locks itself, trapping toddler inside (DerWesten)
    Hackers breach FSB contractor, expose Tor deanonymization project and more
    (Catalin Cimpanu)
    Facebook's Libra currency spawns a wave of fakes, including on Facebook
    itself (WashPost)
    Facebook Stock: Facebook's Libra Surrenders to Authority (InvestorPlace)
    Tether's $5B error exposes cryptocurrency market fragility (WSJ)
    College student was late returning a textbook to Amazon, so the
    company took $3,800 from her father (Libercus)
    Notre-Dame came far closer to collapsing than people knew.
    This is how it was saved. (NYTimes)
    One in five US tech employees abuse pain relief drugs, reveals study
    (Eileen Brown)
    Here's The Story Behind That Photo Of A Waterfall Inside A Metro Car (Dcist)
    Stallone in Terminator 2? How one deepfake prankster is changing cinema
    history (Digital Trends)
    Cellphone WiFi auto-connect identifies vandals (Boston Globe)
    Risks of an untimely text (Boston Globe)
    Minister apologizes for text alert (Taipei Times)
    Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (Brian Inglis)
    Re: Galileo sat-nav system experiences service outage (Gabe Goldberg)
    Re: How Fake News Could Lead to Real War (Dick Mills)
    Re: London commuters Wi-FiTube being tracked (Chris Drewe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 25 Jul 2019 15:18:55 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Senate Intelligence report on election integrity (NYTimes)

    WASHINGTON DC: ``The Senate Intelligence Committee concluded [on 25 July 2019]
    that election systems in all 50 states were targeted by Russia in 2016,
    largely undetected by the states and federal officials at the time, but at
    the demand of American intelligence agencies the committee was forced to
    redact its findings so heavily that key lessons for the 2020 election are
    blacked out.

    While the report is not directly critical of either American intelligence
    agencies or the states, it described what amounted to a cascading
    intelligence failure, in which the scope of the Russian effort was
    underestimated, warnings to the states were too muted, and state officials
    either underreacted or in some cases, resisted federal efforts to offer
    help.''

    Russia Targeted Election Systems in All 50 States, Report Finds

    ------------------------------

    Date: Wed, 17 Jul 2019 15:15:39 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Nuclear industry pushing for fewer inspections at plants (NBC)

    Caputo, who previously worked for nuclear plant operator Exelon Corp, told
    operators this week her aim was "risk-informed decision-making,"
    concentrating regulatory oversight on high-risk problems.

    "We shouldn't regulate to zero risk," said David Wright, a former South
    Carolina public-utility commissioner appointed to the NRC board last year.

    "The NRC mission is reasonable assurance of adequate protection -- no more,
    no less," Wright said.

    Nuclear industry pushing for fewer inspections at plants

    What could go wrong?

    ------------------------------

    Date: Wed, 17 Jul 2019 20:28:05 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Tesla floats fully self-driving cars as soon as this year.
    Many are worried about what that will unleash. (WashPost)

    The electric-car maker said it will do that without light detection and
    ranging, or lidar, complex sensors that use laser lights to map the
    environment -- technology most autonomous vehicle makers consider necessary.
    Even with lidar, many of those manufacturers have adopted a slow and
    deliberate approach to self-driving vehicles, with limited testing on public
    roads.

    Tesla shows little sign of such caution. And because autonomous vehicles are
    largely self-regulated -- guided by industry standards but with no clearly
    enforceable rules -- no one can stop the automaker from moving ahead.

    *The Washington Post* spoke with a dozen transportation officials and
    executives, including current and former safety regulators, auto industry
    executives, safety advocacy group leaders and autonomous-vehicle
    competitors. In interviews, they expressed worries that Tesla's plan to
    unleash robo-cars on the road on an expedited timeline likely without
    regulated vetting -- could result in crashes, lawsuits and confusion. Plus,
    they said, Tesla's promised `full self-driving' features fall short of
    industry standards for a true autonomous vehicle because humans will still
    need to be engaged at all times and ready to intervene in the
    beginning. Some of the people interviewed requested anonymity because of the
    sensitivity of the matter. ...

    Tesla has raised eyebrows with its statements that autonomous driving can be
    achieved through a slimmed-down system that sheds all but the most critical
    equipment. Musk says he wants Tesla's system to use a combination of cameras
    and radar sensors that triangulate a field of vision, similar to human
    eyesight, forgoing lidar. It also forgoes a driver-monitoring camera to
    improve safety in the cabin, instead relying on torque-sensing
    steering-wheel monitors to detect whether the driver's hands are on the
    wheel.

    Tesla executives said at an April conference that the company is using its
    radar and cameras to understand depth around its cars and real-world road
    conditions, as well as its Shadow Mode, which allows it to test how
    self-driving technologies perform without actually activating those features
    -- something the company says lets it train and refine its networks without
    needing to do the same testing as other companies.

    ``Lidar is lame,'' Musk said in April. Rivals are ``all going to dump
    lidar. That's my prediction. Mark my words.''

    Meanwhile, traditional auto-industry executives have preached caution.

    https://www.washingtonpost.com/tech...any-are-worried-about-what-that-will-unleash/

    ------------------------------

    Date: Thu, 25 Jul 2019 11:53:05 -0400
    From: Steve Golson <sgo...@trilobyte.com>
    Subject: Airbus A350 software bug forces airlines to turn planes off and on
    every 149 hours (The Register)

    Airbus A350 software bug forces airlines to turn planes off and on every 149 hours

    The airworthiness directive says in part:

    Prompted by in-service events where a loss of communication occurred between
    some avionics systems and avionics network, analysis has shown that this may
    occur after 149 hours of continuous aeroplane power-up. Depending on the
    affected aeroplane systems or equipment, different consequences have been
    observed and reported by operators, from redundancy loss to complete loss on
    a specific function hosted on common remote data concentrator and core
    processing input/output modules.

    This condition, if not corrected, could lead to partial or total loss of
    some avionics systems or functions, possibly resulting in an unsafe
    condition.

    I suspect they have a 32-bit counter that updates every 125 microseconds
    (8kHz). Such a counter will overflow after 149 hours, 7 minutes, 51
    seconds.
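
    An added example (not from Steve's message, The Register, or the airworthiness
    directive) that checks the arithmetic behind the 149-hour guess and shows the
    timeout bug a wrapping free-running counter produces. The 32-bit width and
    8 kHz tick are Steve's hypothesis, and the two deadline checks are illustrative,
    not anything known about the A350's software.

```python
# Added example; the counter width and tick period are hypothetical (from the
# message above), and the deadline checks are illustrative, not A350 code.
MASK32 = 0xFFFFFFFF


def overflow_period_seconds(bits: int, tick_seconds: float) -> float:
    """Seconds until a free-running unsigned counter of `bits` bits wraps to 0."""
    return (2 ** bits) * tick_seconds


def implied_tick_seconds(bits: int, period_seconds: float) -> float:
    """Reverse direction: the tick period that would make a `bits`-bit counter
    wrap after `period_seconds` (how one gets from '149 hours' to '8 kHz')."""
    return period_seconds / (2 ** bits)


def hms(seconds: float) -> tuple:
    """Round to the nearest second and split into (hours, minutes, seconds)."""
    whole = round(seconds)
    return whole // 3600, (whole % 3600) // 60, whole % 60


def naive_deadline_passed(now: int, start: int, timeout: int) -> bool:
    """Buggy: compares absolute counter values. Once start + timeout wraps past
    2**32 the deadline becomes a small number and fires immediately; the mirror
    image (a deadline that never fires after `now` wraps) is just as common."""
    deadline = (start + timeout) & MASK32
    return now >= deadline


def wrap_safe_deadline_passed(now: int, start: int, timeout: int) -> bool:
    """Correct: elapsed = (now - start) mod 2**32, which is right as long as the
    interval being measured is shorter than the counter's full range."""
    elapsed = (now - start) & MASK32
    return elapsed >= timeout


def demo() -> dict:
    period = overflow_period_seconds(32, 125e-6)
    start = MASK32 - 19          # counter value 20 ticks before it wraps
    timeout = 50                 # ticks
    return {
        "wrap_after": hms(period),                                    # (149, 7, 51)
        "tick_for_149h": implied_tick_seconds(32, 149 * 3600),         # ~124.9 us
        "naive_10_ticks_in": naive_deadline_passed(MASK32 - 9, start, timeout),
        "safe_10_ticks_in": wrap_safe_deadline_passed(MASK32 - 9, start, timeout),
        "safe_50_ticks_in": wrap_safe_deadline_passed(30, start, timeout),
    }


if __name__ == "__main__":
    print(demo())
```

    The naive check fires forty ticks early in the constructed case, while the
    modular version waits the full fifty; in C the same `(now - start)` on an
    unsigned type gives the modular result for free, which is why the idiom is
    to subtract first and compare second, never to compare against a precomputed
    absolute deadline.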

    ------------------------------

    Date: Thu, 18 Jul 2019 14:42:28 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Home elevator deaths (WashPost)

    https://www.washingtonpost.com/busi...b53434-968e-11e9-830a-21b9b36b64ad_story.html

    ------------------------------

    Date: Tue, 16 Jul 2019 08:28:53 -0700
    From: <j...@calidris.net>
    Subject: Numerous airport passengers hijacked by robots

    Here's a brief transport/automation problem that I encountered last week.

    During the afternoon of 9 July 2019, the automated AirTrain shuttle service
    at Newark airport went seriously awry.

    AirTrain is an unmanned monorail service with a single line that links the
    airport's three terminals with the parking and car rental facilities, as
    well as the NJTransit/Amtrak station. Starting about 3.00pm, passengers were
    instructed by AirTrain staff to evacuate the vehicles, to transfer back and
    forth between certain trains, and to ignore the automated signs and
    announcements. Some trains appeared to suddenly reverse direction and return
    to their origin without visiting the terminals. Others arrived at one end of
    the line already jammed with passengers who had expected to get to the other
    end. There were numerous mismatches between the system's destination
    indicators and the actual train movements.

    For many dozens of people, what should have been a ten-minute transfer took
    well over an hour, presumably with a corresponding number of missed
    flights. There was no indication of any form of police activity or airport
    security problems that might have caused the mixup.

    It would be interesting to find out if anyone actually got to the root
    of this robotic hijacking incident.

    ------------------------------

    Date: Sat, 20 Jul 2019 00:33:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Satellite Outage Serves as a Warning (WiReD)

    Europe's Galileo satellite navigation system largely regained service
    Thursday [18 Jul 2019], after a mass outage began on 11 Jul. The European
    Global Navigation Satellite Systems Agency, known as GSA, said that
    commercial users would start to see coverage returning, but that there might
    be "fluctuations" in the system. What remains unclear is what exactly caused
    the downtime -- and why it persisted for so long.

    Europe's Weeklong Satellite Outage Is Over—But Still Serves as a Warning

    [...] ices might also be making connections with the Russian (Glonass) and
    Chinese (Beidou) networks.

    Galileo sat-nav system still without service

    ------------------------------

    Date: Tue, 16 Jul 2019 15:06:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: 'Dumb' robot ants are alarmingly smart -- and strong -- working
    together

    Everyone knows robot ants can't move a rubber tree plant. Oh shoot, they
    can!

    EXCERPT:

    A team of Swiss researchers with bugs on the brain has created an army of
    simple robotic "ants" capable of some impressive feats. The takeaway from
    these 10 gram bots, which are inexpensive to make and surprisingly simple in
    design? *Teamwork makes the dream work. *

    As described in a new paper in the journal Nature, the ants can communicate
    with each other, assign roles among themselves, and complete complex tasks
    and overcome obstacles together. That means that while simple compared to
    much more complex autonomous agents, these origami-inspired robots can solve
    complex challenges, such as navigating uneven surfaces or, yes, moving
    comparatively huge objects.

    The robots, which are T-shaped and called Tribots by researchers at the
    Ecole polytechnique federale de Lausanne <https://www.epfl.ch/en/>, a Swiss
    research institute, have
    infrared and proximity sensors for detection and communication. Made of
    foldable thin materials, they're also easy to manufacture. The actuated
    robots can jump and crawl to explore uneven surfaces.

    "Their movements are modeled on those of Odontomachus ants," says Zhenishbek
    Zhakypov, the first author of the Nature article. "These insects normally
    crawl, but to escape a predator, they snap their powerful jaws together to
    jump from leaf to leaf."...

    ------------------------------

    Date: Mon, 15 Jul 2019 15:15:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: The AI Metamorphosis (The Atlantic)

    *AI will bring many wonders. It may also destabilize everything from nuclear
    detente to human friendships. We need to think much harder about how to
    adapt.*

    EXCERPT:

    Humanity is at the edge of a revolution driven by artificial intelligence.
    It has the potential to be one of the most significant and far-reaching
    revolutions in history, yet it has developed out of disparate efforts to
    solve specific practical problems rather than a comprehensive plan.
    Ironically, the ultimate effect of this case-by-case problem solving may be
    the transformation of human reasoning and decision making.

    This revolution is unstoppable. Attempts to halt it would cede the future to
    that element of humanity more courageous in facing the implications of its
    own inventiveness. Instead, we should accept that AI is bound to become
    increasingly sophisticated and ubiquitous, and ask ourselves: How will its
    evolution affect human perception, cognition, and interaction? What will be
    its impact on our culture and, in the end, our history?

    Such questions brought together the three authors of this article: a
    historian and sometime policy maker; a former chief executive of a major
    technology company; and the dean of a principal technology-oriented academic
    institution. We have been meeting for three years to try to understand these
    issues and their associated riddles. Each of us is convinced of our
    inability, within the confines of our respective fields of expertise, to
    fully analyze a future in which machines help guide their own evolution,
    improving themselves to better solve the problems for which they were
    designed. So as a starting point -- and, we hope, a springboard for wider
    discussion -- we are engaged in framing a more detailed set of questions
    about the significance of AI's development for human civilization...

    https://www.theatlantic.com/magazine/archive/2019/08/henry-kissinger-the-metamorphosis-ai/592771/

    ------------------------------

    Date: Fri, 19 Jul 2019 9:53:16 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Cylance's AI-based AV easily spoofed (SkylightCyber)

    Steven Cheung just read a fun article that has been slashdotted. It's about
    how a team defeats Cylance, a popular machine-learning-based antivirus
    product:

    https://www.vice.com/en_us/article/...d-antivirus-into-thinking-malware-is-goodware

    Here are more technical details:

    https://skylightcyber.com/2019/07/18/cylance-i-kill-you/

    ------------------------------

    Date: Mon, 15 Jul 2019 12:40:55 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: AI Could Escalate New Type Of Voice Phishing Cyber Attacks
    (CSHub)

    https://www.cshub.com/attacks/articles/ai-could-escalate-new-type-of-voice-phishing-cyber-attacks

    While many cyber security professionals have been looking at (and even
    investing in) the potential benefits of utilizing artificial intelligence
    (AI) technology within many different business functions, earlier this week,
    the Israel National Cyber Directorate (INCD) issued a warning of a new type
    of cyber-attack that leverages AI to impersonate senior enterprise
    executives. The method instructs company employees to perform transactions
    including money transfers and other malicious activity on the network.

    There are recent reports of this type of cyber-attack received at the
    operational center of the INCD. While business email compromise (BEC) types
    of fraud oftentimes use social engineering methods for a more effective
    attack, this new method escalates the attack type by using AI-based
    software, which makes voice phishing calls to senior executives. ---

    (Via BreachExchange:
    https://lists.riskbasedsecurity.com/listinfo/breachexchange)

    ------------------------------

    Date: Thu, 18 Jul 2019 18:19:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Uber glitch charges passengers 100 times the advertised price,
    resulting in crosstown fares in the thousands of dollars (WashPost)

    ``We understand that this has been frustrating,'' Uber said in response to
    one of the riders' complaints. ``There was a known issue that caused your
    authorization hold to be very high. Our team has already fixed this
    issue. Thank you so much for your patience.''

    https://www.washingtonpost.com/tech...-resulting-crosstown-fares-thousands-dollars/

    ------------------------------

    Date: Mon, 15 Jul 2019 09:50:22 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Google says leaked assistant recordings are a violation of data
    security policies" (Asha Barbaschow)

    Asha Barbaschow | 11 Jul 2019

    https://www.zdnet.com/article/googl...gs-are-a-violation-of-data-security-policies/

    The search giant has confirmed humans are listening in to 'Okay Google'
    commands, but it says leaking the recordings are a violation of its data
    security policies.

    opening text:

    Earlier this week, a report from Belgium-based VRT NWS revealed that Google
    employees had been "systematically listening" to audio files recorded by
    Google Home smart speakers and the Google Assistant smartphone app.

    The report detailed how employees were listening to excerpts of recordings
    that are captured when a user activates the device by the usual "Okay
    Google" or "Hey Google" commands.

    After obtaining copies of some recordings, VRT NWS reached out to the users
    and had them verify their voice, or those of their children, talking to the
    digital assistant.

    ------------------------------

    Date: Mon, 15 Jul 2019 17:21:15 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: U.S. Companies Learn to Defend Themselves in Cyberspace (WSJ)

    From a friend, his comments below.

    "One chief information-security officer at a major bank told us that, in
    five years, his bank will largely be immune to cyberattacks because it is
    upgrading from legacy systems that are insecure by default to cutting-edge
    systems that are secure by design."
    https://www.wsj.com/articles/u-s-companies-learn-to-defend-themselves-in-cyberspace-11562941994

    Um, right. Wish I knew which bank that was so we could short its stock.

    (Not that IBM Z is *necessarily* more secure, but if they really think
    `cutting-edge systems' are `secure by design', well ...)

    ------------------------------

    Date: Sat, 20 Jul 2019 09:39:29 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Agora farewell

    Security does not have a community. It has several siloed, sliced, and
    separated communities. Security has always taken "security by obscurity"
    too readily to heart, and despite the fact that we know SBO doesn't work;
    and even works against us; we still insist on dividing ourselves into
    smaller and smaller sub-sets. Intelligence doesn't talk to law enforcement
    which doesn't talk to academia which doesn't talk to business which doesn't
    talk to military which doesn't talk to industry which doesn't talk to
    government which doesn't talk to research. In all my decades in the field,
    I've only ever found two venues that attracted, encouraged, and almost
    forced the interaction (and often long-term relationships) of all these
    disparate groups (and more).

    If you've never been to the Agora meetings, you're too late. I attended the
    last one yesterday. For the past twenty-five years, those in the know
    would, every quarter, make every effort to spend Friday morning together.
    That was it: Friday morning. Three hours long, never more than three main
    presentations. There were also announcements, job postings, occasional
    queries, and, every August 15th, storytime. (That's an Agora joke. I don't
    expect you to get it. If you tell it to someone and they laugh, they've
    been to Agora recently.)

    Agora didn't just happen, of course. It was created and diligently (and
    creatively and competently) managed by Kirk Bailey, later ably assisted by
    Ann Nagel and Daniel Schwalbe. Also assisted by various students and a
    whole host of attendees and even companies, but that list would a) make this
    piece far too long and b) I'd definitely forget someone. Those of us who
    attended owe them all a debt of gratitude.

    Kirk's ability to attract speakers was legendary. We heard presentations at
    Agora I've never heard anywhere else, and some I never thought to hear. I
    recall a drive back after one Agora, when we were discussing a rather
    lackluster piece, and I was suddenly struck by the fact that, even if this
    meeting hadn't been sterling, the worst Agora meeting I'd ever attended was
    better than the best conference I'd ever attended.

    But the presentations were only half of what made Agora special. The other
    half was the people you met. People from three-letter agencies. People
    from high up in important corporations. People who were just there out of
    interest. People with political and social positions at extravagantly wild
    variance to your own. I remember, when I was first researching the
    implications, for security, of the potential capabilities of quantum
    computers, I got very excited over the possibilities for improving emergency
    management in the midst of a disaster. At Agora I met a Navy captain who
    got equally excited over similar possibilities for battle command.

    A number of us from the SIG drove down for the meetings, despite the three
    hour trip if nothing went wrong. Highway construction, bridge collapses
    (that's another Agora joke), local traffic, and border guards could easily
    double that. But we happily faced eleven hours of travel time for three
    hours of Agora and, if we were lucky, a couple of hours of "networking" and
    possibly lunch.

    We envied the people from the local area, but they weren't the only ones who
    came. Lots of people regularly came considerable distances. Before
    governments lost their travel budgets there were pretty much constant
    attendees from DC and Ottawa. People came from other continents. (Some of
    the DC crowd were pretty high up in DHS. If I could stay for one of the
    post-Agora lunches, the DHS guys always tried to grab me for their table.
    They wanted to know the latest border horror story, and I always had one for
    them. They regularly fell on the floor laughing about it.) (Recounting
    those would also make this piece far too long.)

    You will note that I haven't said where we met. That's another, well, not
    so much Agora joke as Agora tribute. Agora was governed by a sort of
    variant set of Chatham House Rules. What was said at Agora stayed at Agora.
    As an attendee, you never quoted any of the presentations, or any of the
    people you talked to at the breaks. For years this was simply understood by
    all involved. After one notable failure, a more formal NDA was created, but
    that was late in the game.

    Agora was the security world's worst kept secret. Nobody blabbed about what
    was said at Agora, or who went. But, despite the fact that Agora had no
    legal existence, no bank account, no Website, and no offices, almost
    everyone who ever attended became an instant devotee, and, often,
    evangelist. Within a few years of its creation, attendance was hitting
    600. During the Great Recession, the slashing of budgets and demands that
    security people stick to their desks dropped attendance to the 150 region,
    but, for the past few years it's been back in the 400 range.

    There was never any charge for membership in, or attendance at, Agora.
    There was a cost, certainly. Much of that was "sweat equity" on the part of
    Kirk and a number of others. There were also other direct costs, generally
    borne by whoever would pay for (or donate) a venue, or mailing costs, or
    refreshments, or (latterly) the "Agora spam gun." In the end, Agora became
    a victim of its own success: it just became too hard to find people or
    institutions willing to donate, provide, pay for, or give priority to rooms
    big enough for the group to meet.

    Agora is gone, but leaves a legacy. That legacy is the model. We need a
    space. Or, more probably, spaces. We need other venues, sites,
    and/or communities where the various communities can meet. Together. We
    need others to take up the Agora torch, and create places, physical or
    virtual, where anyone who is committed to (or even just strongly interested
    in) security, of whatever type, can meet together and, safely, exchange
    ideas. We need spaces where the formal can meet the anarchic, where the
    business can meet the exploratory, where the old can meet the young and pass
    along wisdom (and occasional silliness). Hopefully, Agora's death will have
    been a spawning or a sporing out, and not just a mere termination.

    ------------------------------

    Date: Sat, 20 Jul 2019 21:44:25 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: NYC Subway Service Is Suspended on Several Lines, MTA Says
    (NYTimes)

    https://www.nytimes.com/2019/07/19/nyregion/subway-service-suspended-mta.html

    The Metropolitan Transportation Authority attributed the disruption to a
    `network communications' issue

    ------------------------------

    Date: Wed, 17 Jul 2019 11:41:45 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Brazil is at the forefront of a new type of router attack (ZDNet)

    Avast: More than 180,000 routers in Brazil had their DNS settings changed in
    Q1 2019.

    For nearly a year, Brazilian users have been targeted with a new type of
    router attack that has not been seen anywhere else in the world.

    The attacks are nearly invisible to end users and can have disastrous
    consequences, having the ability to lead to direct financial losses for
    hacked users.

    What's currently happening to routers in Brazil should be a warning sign for
    users and ISPs from all over the world, who should take precautions to
    secure devices before the attacks observed in South American country spread
    to them as well. ...

    https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/

    ------------------------------

    Date: Thu, 18 Jul 2019 17:54:35 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: My browser, the spy: How extensions slurped up browsing histories
    from 4M users (Ars Technica)

    https://arstechnica.com/information...a-from-apple-tesla-blue-origin-and-4m-people/

    ------------------------------

    Date: Sun, 21 Jul 2019 00:07:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Amazon Prime Day Glitch Let People Buy $13,000 Camera Gear for $94.
    (Gizmodo)

    https://gizmodo.com/amazon-prime-day-glitch-let-people-buy-13-000-camera-g-1836487919

    ------------------------------

    Date: Mon, 15 Jul 2019 09:55:33 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Microsoft Office 365: Banned in German schools over privacy fears
    (Cathrin Schaer)

    Cathrin Schaer, ZDNet, 12 Jul 2019
    State of Hesse says student and teacher information could be "exposed" to US
    spy agencies.

    https://www.zdnet.com/article/microsoft-office-365-banned-in-german-schools-over-privacy-fears/

    opening text:

    Schools in the central German state of Hesse have been told it's
    now illegal to use Microsoft Office 365.

    The state's data-protection commissioner has ruled that using the popular
    cloud platform's standard configuration exposes personal information about
    students and teachers "to possible access by US officials". That might
    sound like just another instance of European concerns about data privacy or
    worries about the current US administration's foreign policy. But in fact
    the ruling by the Hesse Office for Data Protection and Information Freedom
    is the result of several years of domestic debate about whether German
    schools and other state institutions should be using Microsoft software at
    all.

    Besides the details that German users provide when they're working with the
    platform, Microsoft Office 365 also transmits telemetry data back to the US.

    Last year, investigators in the Netherlands discovered that that data could
    include anything from standard software diagnostics to user content from
    inside applications, such as sentences from documents and email subject
    lines. All of which contravenes the EU's General Data Protection Regulation,
    or GDPR, the Dutch said.

    ------------------------------

    Date: Mon, 15 Jul 2019 09:58:00 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Sweden and UK's surveillance programs on trial at the European
    Court of Human Rights (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 12 Jul 2019

    Last chance for Europe's top human rights court to rule against dragnet
    surveillance programs.
    https://www.zdnet.com/article/swede...-trial-at-the-european-court-of-human-rights/

    opening text:

    This week, the highest body of the European Court of Human Rights heard
    arguments against the mass surveillance programs of two countries, Sweden
    and the United Kingdom.

    ------------------------------

    Date: Thu, 18 Jul 2019 17:53:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Bluetooth exploit can track and identify iOS, Microsoft mobile
    device users (ZDNet)

    A flaw in the Bluetooth communication protocol may expose modern device
    users to tracking and could leak their ID, researchers claim.

    The vulnerability can be used to spy on users despite native OS protections
    that are in place and impacts Bluetooth devices on Windows 10, iOS, and
    macOS machines. This includes iPhones, iPads, Apple Watch models, MacBooks,
    and Microsoft tablets & laptops.

    On Wednesday, researchers from Boston University David Starobinski and
    Johannes Becker presented the results of their research at the 19th Privacy
    Enhancing Technologies Symposium, taking place in Stockholm, Sweden.

    According to the research paper, Tracking Anonymized Bluetooth Devices
    (.PDF), many Bluetooth devices will use MAC addresses when advertising their
    presence to prevent long-term tracking, but the team found that it is
    possible to circumvent the randomization of these addresses to permanently
    monitor a specific device.

    https://www.zdnet.com/article/bluet...-id-iphone-smartwatch-microsoft-tablet-users/
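
    An added example, not code from the ZDNet article or the Becker/Li/Starobinski
    paper. It plays through the paper's address-carryover idea on a constructed
    advertisement log: the random address and an identifying payload field rotate
    on different schedules, so whichever one stays put across a change of the other
    links the old identity to the new one. The addresses, the `mfg:` token strings
    and the timestamps are made up; the second device, which rotates both fields at
    once, shows the condition under which the linking fails.

```python
from dataclasses import dataclass, field

# Added example, not from the ZDNet article or the paper it reports on. The log
# below is constructed; "token" stands in for any payload field (e.g. a
# manufacturer-specific value) that identifies the device between rotations.


@dataclass(frozen=True)
class Adv:
    t: float      # capture time in seconds (constructed)
    addr: str     # randomized private address as seen on air (constructed)
    token: str    # identifying payload field carried in the advertisement (constructed)


@dataclass
class Track:
    addrs: list = field(default_factory=list)    # address history, oldest first
    tokens: list = field(default_factory=list)   # token history, oldest first
    last_seen: float = 0.0


def carryover_link(log, max_gap=60.0):
    """Group advertisements into per-device tracks.

    An advertisement joins an existing track if, within `max_gap` seconds, it
    repeats either the track's current address or its current token. A track's
    address history therefore survives address randomization whenever the token
    did not change in the same rotation, and vice versa."""
    tracks = []
    for adv in sorted(log, key=lambda a: a.t):
        hit = None
        for tr in tracks:
            if adv.t - tr.last_seen > max_gap:
                continue
            if tr.addrs[-1] == adv.addr or tr.tokens[-1] == adv.token:
                hit = tr
                break
        if hit is None:
            hit = Track()
            tracks.append(hit)
        if not hit.addrs or hit.addrs[-1] != adv.addr:
            hit.addrs.append(adv.addr)
        if not hit.tokens or hit.tokens[-1] != adv.token:
            hit.tokens.append(adv.token)
        hit.last_seen = adv.t
    return tracks


def longest_chain(tracks):
    """Address history of the track followed across the most rotations."""
    return max(tracks, key=lambda tr: len(tr.addrs)).addrs


# Constructed log. Device A rotates its address at t=15 and t=30 but its token
# only at t=22, so one field always bridges the other's change. Device B rotates
# address and token together at t=20 (the mitigation), so its chain breaks.
LOG = [
    Adv(0.0,  "4A:F3:0C:91:2E:01", "mfg:A1"),
    Adv(5.0,  "5B:00:7D:A4:11:01", "mfg:B1"),
    Adv(10.0, "4A:F3:0C:91:2E:01", "mfg:A1"),
    Adv(15.0, "4A:F3:0C:91:2E:02", "mfg:A1"),   # A: new address, same token
    Adv(20.0, "5B:00:7D:A4:11:02", "mfg:B2"),   # B: both fields rotated at once
    Adv(22.0, "4A:F3:0C:91:2E:02", "mfg:A2"),   # A: same address, new token
    Adv(30.0, "4A:F3:0C:91:2E:03", "mfg:A2"),   # A: new address, same token
]

if __name__ == "__main__":
    for tr in carryover_link(LOG):
        print(tr.addrs, tr.tokens)
```

    Device A comes out as one track spanning three addresses; device B comes out as
    two unrelated tracks, which is the whole point: address randomization only
    buys anonymity if every identifying field in the payload changes in the same
    instant the address does.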

    ------------------------------

    Date: Wed, 17 Jul 2019 10:44:43 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board
    trying to access metadata (Comms Alliance)

    Chris Duckett | 17 Jul 2019
    The Communications Alliance has listed 27 other agencies that have tried to
    access metadata following the introduction of Australia's data retention
    regime.
    https://www.zdnet.com/article/clean...ard-trying-to-access-metadata-comms-alliance/

    opening text:

    Agencies trying to access metadata when not specifically listed as an
    enforcement agency for the purposes of Australia's data retention regime has
    been labelled as a "serious and persistent phenomenon" by the Communications
    Alliance industry group.

    Writing in a submission to the Parliamentary Joint Committee on Intelligence
    and Security (PJCIS) review of the mandatory data retention regime, Comms
    Alliance said it was a "problem that continues to grow in magnitude".

    ------------------------------

    Date: Wed, 17 Jul 2019 10:35:58 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Permission-greedy apps delayed Android 6 upgrade so they could
    harvest more user data (ZDNet)

    Catalin Cimpanu for Zero Day | 16 Jul 2019
    App devs delayed upgrading apps, but lost in the long run due to more
    negative reviews and less Play Store visibility.

    https://www.zdnet.com/article/permi...upgrade-so-they-could-harvest-more-user-data/

    selected text:

    Android app developers intentionally delayed updating their applications to
    work on top of Android 6.0, so they could continue to have access to an
    older permission-requesting mechanism that granted them easy access to large
    quantities of user data, research published by the University of Maryland
    last month has revealed.

    And, ironically, the research team also found that app makers who delayed
    upgrading their apps to the newer Android 6.0 in order to keep access to a
    simpler system for harvesting user data received more negative ratings.

    These negative ratings eventually affected the apps' visibility on the Play
    Store, where positively-reviewed apps are placed higher in search results
    and recommendations.
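
    An added example, not code from the ZDNet article or the University of
    Maryland study. The "older permission-requesting mechanism" is the install-time
    grant model that Android keeps for apps whose targetSdkVersion is below 23
    (Android 6.0); the check below reads a manifest and flags that case together
    with the dangerous-level permissions the app would otherwise have to prompt
    for. The manifest, package name and permission mix are constructed, and the
    dangerous-permission list is a subset for illustration.

```python
import xml.etree.ElementTree as ET

# Added example; the manifest below is constructed and DANGEROUS is a subset.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
RUNTIME_PERMISSIONS_FROM = 23   # API 23 = Android 6.0, where runtime prompts begin

# Subset of "dangerous" protection-level permissions that 6.0 made prompt-at-use.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
}


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def audit_manifest(xml_text):
    """Return the effective targetSdkVersion, whether permissions are granted
    at install time, and which requested permissions 6.0 would otherwise gate."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    min_sdk = int(_attr(sdk, "minSdkVersion", "1")) if sdk is not None else 1
    # Android falls back to minSdkVersion when targetSdkVersion is absent.
    target = int(_attr(sdk, "targetSdkVersion", str(min_sdk))) if sdk is not None else min_sdk
    requested = {_attr(e, "name") for e in root.findall("uses-permission")}
    return {
        "package": root.get("package"),
        "targetSdkVersion": target,
        "install_time_grants": target < RUNTIME_PERMISSIONS_FROM,
        "dangerous_permissions": sorted(requested & DANGEROUS),
    }


# Constructed manifest: a flashlight app targeting API 22 that asks for contacts
# and precise location, which a user on 6.0+ would never be prompted for.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.INTERNET" />
</manifest>
"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

    Run it against the manifest inside the built APK (for example after decoding
    with apktool), not the source tree: with Gradle builds the targetSdkVersion
    usually comes from build.gradle and only appears in the merged manifest.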

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Sun, 21 Jul 2019 00:34:43 -0400
    Subject: Do drivers think you're a 'Ridezilla'? Better check your Uber rating.
    (WashPost)

    For some rideshare users, a little number can be heavy baggage.

    https://www.washingtonpost.com/life...441588-a291-11e9-b732-41a79c2551bf_story.html

    ------------------------------

    Date: Sun, 21 Jul 2019 00:47:32 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: London Police Twitter feed was hacked; then Trump got in on the act
    (WashPost)

    https://www.washingtonpost.com/worl...e-twitter-feed-was-hacked-then-trump-got-act/

    ------------------------------

    Date: Sun, 21 Jul 2019 17:27:38 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: Car locks itself, trapping toddler inside (DerWesten)

    A mother got out of her car at a supermarket parking lot when suddenly, the
    central lock activated and locked the car. The key was still inside the
    car, as was her young son.

    She immediately called emergency services, who arrived a short time later,
    broke a window and were able to free the toddler from the car, which had
    already heated up considerably.

    https://www.derwesten.de/panorama/a...und-waehlt-sofort-den-notruf-id226542237.html

    ------------------------------

    Date: Mon, 22 Jul 2019 10:39:38 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Hackers breach FSB contractor, expose Tor deanonymization project
    and more (Catalin Cimpanu)

    Catalin Cimpanu, ZDNet, 20 Jul 2019

    https://www.zdnet.com/article/hackers-breach-fsb-contractor-expose-tor-deanonymization-project/

    SyTech, the hacked company, was working on research projects for the FSB,
    Russia's intelligence service.

    Hackers have breached SyTech, a contractor for FSB, Russia's national
    intelligence service, from where they stole information about internal
    projects the company was working on behalf of the agency -- including one
    for deanonymizing Tor traffic. [...]

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Mon, 22 Jul 2019 22:16:18 -0400
    Subject: Facebook's Libra currency spawns a wave of fakes, including on
    Facebook itself (WashPost)

    The fakes could undermine Facebook's efforts to inspire confidence and
    satisfy the regulators now scrutinizing the global currency.

    https://www.washingtonpost.com/tech...-spawns-wave-fakes-including-facebook-itself/

    ------------------------------

    Date: Tue, 16 Jul 2019 23:34:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facebook Stock: Facebook's Libra Surrenders to Authority
    (InvestorPlace)

    https://investorplace.com/2019/07/facebooks-libra-surrenders-to-authority/

    ------------------------------

    Date: Wed, 17 Jul 2019 11:20:14 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Tether's $5B error exposes cryptocurrency market fragility (WSJ)

    Sudden flood of digital coins spooked market and drove down price of bitcoin
    by about 12%

    https://www.wsj.com/articles/tethers-5-billion-error-exposes-crypto-markets-fragility-11563280121

    ------------------------------

    Date: Sun, 14 Jul 2019 01:06:06 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: College student was late returning a textbook to Amazon, so the
    company took $3,800 from her father (Libercus)

    http://pge.libercus.net//.pf/showstory/201907110011/3

    Well, yeah. Likely debit was automatic but hassle getting it undone is
    systemic problem/failure.

    When AI runs everything it'll all be perfect. Never mind Hal 9000, Skynet, or
    Colossus: The Forbin Project.

    ------------------------------

    Date: Wed, 17 Jul 2019 15:18:00 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Notre-Dame came far closer to collapsing than people knew.
    This is how it was saved. (NYTimes)

    *The New York Times*

    The fire warning system at Notre-Dame took dozens of experts six years to
    put together, and in the end involved thousands of pages of diagrams, maps,
    spreadsheets and contracts, according to archival documents found in a
    suburban Paris library by The Times.

    The result was a system so arcane that when it was called upon to do the one
    thing that mattered -- warn ``fire!'' and say where -- it produced instead a
    nearly indecipherable message. It made a calamity almost inevitable, fire
    experts consulted by *The Times* said.

    https://www.nytimes.com/interactive/2019/07/16/world/europe/notre-dame.html

    Stunning visuals, tragic outcome.

    ------------------------------

    Date: Wed, 17 Jul 2019 10:27:33 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: One in five US tech employees abuse pain relief drugs, reveals study
    (Eileen Brown)

    Eileen Brown for Social Business, ZDNet, 15 Jul 2019

    https://www.zdnet.com/article/one-in-five-us-tech-employees-abuse-pain-relief-drugs-reveals-study/

    There is nothing wrong with bonding over a beer or two after work, but when
    it becomes too much, it is important to spot the warning signs of substance
    abuse and addiction, according to a new study.

    ------------------------------

    Date: Tue, 16 Jul 2019 17:32:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Here's The Story Behind That Photo Of A Waterfall Inside A Metro
    Car (Dcist)

    ``It appears that the water entered the car through the fresh air intake of
    the HVAC system which is mounted on the roof of 7000-series vehicles; In
    normal or heavy rainfall, any water is diverted through ducts and exits the
    car through drains. At Virginia Square, the sudden deluge of water falling
    directly into the fresh air intake was more than the car could divert,
    resulting in water entering the cabin.''

    In response to safety concerns, she noted that wiring is enclosed in secure
    boxes or run on the underside of the car, and each car ``undergoes
    rigorous `water tightness testing'.''

    https://dcist.com/story/19/07/16/he...that-photo-of-a-waterfall-inside-a-metro-car/

    Done right, it seems. This really was epic/biblical rainstorm.

    ------------------------------

    Date: Mon, 15 Jul 2019 15:14:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Stallone in Terminator 2? How one deepfake prankster is changing
    cinema history (Digital Trends)

    EXCERPT:

    In some parallel universe, there's a version of *Casino Royale* with Hugh
    Jackman playing everyone's favorite suave British agent, James Bond. And one
    in which Matthew McConaughey took the Leo role in *Titanic*. And DiCaprio
    and Brad Pitt co-starred in *Brokeback Mountain*. And *Saved by the Bell*'s
    Tiffani Thiessen played Rachel in *Friends*.

    The entertainment industry isn't exactly short on `what if?' scenarios in
    which actors came close to, but were ultimately passed over, playing iconic
    roles. For more than 99% of movie history, fans have been able to do little
    more than squirrel away this trivia for use in pop quizzes. That is until
    the arrival of deepfakes
    <https://www.digitaltrends.com/cool-tech/samsung-ai-deepfake-videos/>.
    Springing to life in the past couple of years, deepfakes use artificial
    intelligence technology to combine and superimpose new images and videos
    onto existing source footage using machine learning. That could mean
    anything from face swaps to mapping one person's body onto someone else's
    movements.
    <https://www.digitaltrends.com/cool-tech/uc-berkeley-deepfake-ai-dance/>
    The results can be jaw-droppingly realistic, which is why many people
    rightfully worry about its potential to be used for malicious hoaxes
    <https://www.digitaltrends.com/cool-tech/ai-spots-writing-by-ai/>.

    One tech enthusiast and movie buff thinks different, though. Operating under
    the YouTube username *Ctrl Shift Face*,
    <https://www.youtube.com/channel/UCKpH0CKltc73e4wh0_pgL3g> this high-tech
    Hollywood fan has used deepfake technology to create some astonishing
    remixes of iconic movie scenes -- complete with all new actors. Ever wanted
    to see *The Shining* starring Jim Carrey instead of Jack Nicholson? Sly
    Stallone in *Terminator 2: Judgement Day*? Heck, he's even broken with the
    movie theme by dropping David Bowie into Rick Astley's infamous
    song-turned-meme *Never Gonna Give You Up*.

    ``The Bowie one is my favorite,'' its creator told Digital Trends. ``I
    wanted to Rickroll people and blow them away at the same time. Bowie fitted
    the role of Rick Astley, and had interesting facial features for a
    deepfake.'' [...]
    https://www.digitaltrends.com/cool-tech/ctrl-shift-face-deepfake-changing-hollywood-history/

    ------------------------------

    From: David Tarabar <dtar...@acm.org>
    Date: Tue, 16 Jul 2019 08:40:33 -0400
    Subject: Cellphone WiFi auto-connect identifies vandals (The Boston Globe)

    Four Maryland teenagers sneaked onto their school's property the night
    before graduation last year and covered it in racist, homophobic and
    anti-Semitic graffiti.

    They wore masks, but they were caught because their cellphones automatically
    connected to the school WiFi network -- using their student IDs.

    https://www.bostonglobe.com/news/na...land-school/S0hQ1PwZNyXrzT43olZ2ZO/story.html

    ------------------------------

    Date: Tue, 16 Jul 2019 16:15:00 -0400
    From: David Tarabar <dtar...@acm.org>
    Subject: Risks of an untimely text (Boston Globe)

    A couple in Rhode Island was being investigated for marriage fraud -- that
    they entered into a sham marriage to get permanent resident status for the
    husband. When the wife was being interviewed, she produced her cellphone to
    show texts from her husband. A text message arrived: We had the best sex
    ever. Unfortunately the text was not from the husband. A federal trial is
    in progress.

    https://www.bostonglobe.com/metro/2...-fraud-case/QlRNLVhGzFcfzO1lNXFwLM/story.html

    ------------------------------

    Date: Mon, 15 Jul 2019 15:26:20 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Minister apologizes for text alert (Taipei Times)

    http://www.taipeitimes.com/News/taiwan/archives/2019/07/11/2003718476

    "The alert was originally set up to be sent to residents within 300m of the
    borough, but the unit of distance was later changed to kilometers."

    Way to go, clodsburg.

    ------------------------------
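
    The unit slip in the item above (a radius configured as 300 m, later read as
    300 km) is the kind of bug that disappears when the unit travels with the
    value. The following is an added example, not code from the Taipei Times item
    or from the alerting agency: a distance type that carries its unit, a radius
    parser that rejects unknown units and implausibly large radii, and a recipient
    filter built on it. The 50 km cap, the borough centre and the recipient
    coordinates are constructed for illustration.

```python
"""Added example (not from the Taipei Times item or the agency's own code):
keep the unit in the type so "300" cannot silently become 300 km.
Coordinates, recipients and the radius cap below are constructed test data."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Distance:
    """A length that always carries its unit internally (metres)."""
    metres: float

    @classmethod
    def m(cls, value: float) -> "Distance":
        return cls(float(value))

    @classmethod
    def km(cls, value: float) -> "Distance":
        return cls(float(value) * 1000.0)


# Hypothetical sanity cap for a borough-level alert; a real deployment would
# take this from the alerting authority's own policy.
MAX_BOROUGH_RADIUS = Distance.km(50)


def parse_radius(value: str, unit: str) -> Distance:
    """Turn a config pair like ("300", "m") into a Distance, rejecting unknown
    units and radii that are implausible for a local alert."""
    factories = {"m": Distance.m, "km": Distance.km}
    if unit not in factories:
        raise ValueError(f"unknown distance unit {unit!r}")
    radius = factories[unit](value)
    if radius.metres > MAX_BOROUGH_RADIUS.metres:
        raise ValueError(
            f"radius {radius.metres / 1000:.0f} km exceeds the "
            f"{MAX_BOROUGH_RADIUS.metres / 1000:.0f} km cap for a local alert")
    return radius


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres using the mean Earth radius."""
    r = 6371008.8
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Constructed borough centre and recipients (name, lat, lon), placed roughly
# 0.1 km, 2 km, 50 km and 200 km north of the centre.
CENTRE = (25.0330, 121.5654)
RECIPIENTS = [
    ("resident-a", 25.0339, 121.5654),
    ("resident-b", 25.0510, 121.5654),
    ("resident-c", 25.4830, 121.5654),
    ("resident-d", 26.8330, 121.5654),
]


def select_recipients(centre, recipients, radius: Distance) -> list:
    """Names of recipients within `radius` of `centre`."""
    lat0, lon0 = centre
    return [name for name, lat, lon in recipients
            if haversine_m(lat0, lon0, lat, lon) <= radius.metres]


if __name__ == "__main__":
    print("300 m :", select_recipients(CENTRE, RECIPIENTS, parse_radius("300", "m")))
    print("300 km:", select_recipients(CENTRE, RECIPIENTS, Distance.km(300)))
    try:
        parse_radius("300", "km")
    except ValueError as exc:
        print("rejected:", exc)
```

    With the unit explicit, the same numeral selects one recipient at 300 m and
    every recipient at 300 km, and the parser refuses the second configuration
    outright instead of letting a bulk alert go out.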

    Date: Sun, 21 Jul 2019 23:24:10 -0600
    From: Brian Inglis <Brian...@systematicsw.ab.ca>
    Subject: Re: Line just went Orwellian on Japanese users with its social,
    credit-scoring system (Jacobson, RISKS-31.33)

    >> Still, it's unnerving that tech companies seem to think that social
    >> credit ratings are the next big thing for now. Hopefully, this is a
    >> trend that will not catch on.
    >
    > Stack Exchange was first.
    > Some might say not the same thing...
    > But users quickly learn to dot their i's and cross their t's...

    Some might say the same about BBS message boards (1978 CBBS), moderated
    Usenet netnews groups (UUCP 1979), and discussion lists (Listserv@Bitnic
    1984), like this one, which preceded SE (2009) by decades. Who didn't pay
    attention when d...@bell-labs.com posted to comp.lang.c?

    https://en.wikipedia.org/wiki/Usenet#cite_ref-54

    "As long as there are folks who think a command line is better than a mouse,
    the original text-only social network will live on" in "Reports of Usenet's
    Death Are Greatly Exaggerated", August 1, 2008, TechCrunch.
    https://en.wikipedia.org/wiki/Usenet#cite_note-54

    The major appeal then and now is filtering and limiting the spam, garbage,
    verbiage, and incivility that permeates other [anti-?]"social networks".

    ------------------------------

    Date: Sun, 14 Jul 2019 21:15:20 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Galileo sat-nav system experiences service outage (BBC News
    in RISKS-31.33)

    Europe's satellite-navigation system, Galileo, has suffered a major outage.

    The network has been offline since Friday due to what has been described as
    a "technical incident related to its ground infrastructure".

    The problem means all receivers, such as the latest smartphone models, will
    not be picking up any useable timing or positional information.

    These devices will be relying instead on the data coming from the American
    Global Positioning System (GPS).

    Depending on the sat-nav chip they have installed, cell phones and other
    devices might also be making connections with the Russian (Glonass) and
    Chinese (Beidou) networks.

    https://www.bbc.com/news/science-environment-48985399

    ------------------------------

    Date: Tue, 16 Jul 2019 08:34:35 -0400
    From: Dick Mills <dickandl...@gmail.com>
    Subject: Re: How Fake News Could Lead to Real War (RISKS-31,33)

    "Imagine what it might be like to be in the grip of a conspiracy theory,
    when you've spent your whole professional life being one of those policy
    mandarins who could smell a conspiracy theory a mile away?..."

    The root problem here is lack of trust in authorities. It goes much deeper
    than just technology. For my whole life, such trust has been eroding
    among the public. The interesting thing about that story is that the shoe
    is finally on the other foot, an authority is losing trust.

    I say good. Maybe they may take steps to become trustworthy themselves.

    ------------------------------

    Date: Tue, 16 Jul 2019 21:45:35 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: London commuters Wi-FiTube being tracked

    [TfL is the authority that runs the London Underground]

    https://www.dailymail.co.uk/news/ar...ters-turn-phones-Wi-Fi-Tube-stop-tracked.html

    Security experts warn London commuters to turn off their phones' Wi-Fi on
    the Tube to stop being tracked as TfL starts harvesting signal data today

    * Operator will monitor travel patterns with beacon that detects Wi-Fi
    capability
    * Phones, laptops or tablets do not have to join the station's network to be
    tracked
    * Only way to ensure that you are not tracked is to disable your Wi-Fi
    completely

    Sebastian Murphy-bates For Mailonline, 8 July 2019

    This morning the Tube network introduced monitoring of signals to harvest
    data from commuters in the capital. Transport for London says it is
    collecting details of where, when and how customers use the service. Even
    phones that are not connected to TfL's Wi-Fi will be vulnerable to tracking.


    I went to a talk a year or two ago given by one of the Underground's planning
    staff on remodeling Bank station in the heart of the City of London business
    district (so-named because the Bank of England building is just across the
    street, not because it's on the bank of the River Thames as I had
    incorrectly assumed when I was a kid). This is a major below-ground station
    underneath a large road intersection, where multiple lines cross at several
    levels, so it's quite a labyrinth.

    For busy, complicated subway/rapid transit systems like London's, obviously
    train capacity is a major planning challenge, but just as important is
    handling the volume of passengers through the stations as they use
    corridors, ticket barriers, elevators, stairs, escalators, etc. between
    trains or trains and streets. Historically, measuring passenger flows was
    done by groups of stewards located at strategic points around a station;
    some would hand out numbered cards to passengers as they entered the station
    or got off trains, while others would collect the cards as passengers left
    the station or got on trains. This was OK in a basic way, but was
    labour-intensive and rather intrusive at busy times, and only a small sample
    of passengers could be covered.

    Of course nowadays most people carry cellphone or wi-fi wireless devices and
    the Underground has repeaters to keep them working below ground, so the
    obvious step is to use these to log passenger movements, as it's totally
    unobtrusive and allows detailed real-time tracking of almost every
    passenger. The lady who gave the talk stressed that there's no attempt to
    make contact with or identify any of the devices, and presumably details of
    individual devices are not retained after analysing their movements --
    pointless anyway unless GCHQ/MI5/FBI/CIA or whoever want to track random
    people's journeys for the sake of it. She added that the technique was
    unexpectedly useful as passengers were found to be surprisingly imaginative
    at figuring out routes around the station, including several ways that the
    planners hadn't considered themselves.

    Presumably the warning signs on stations mentioned in the newspaper are to
    comply with latest data-protection regulations.

    ------------------------------
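
    Both Wi-Fi items above (the Maryland students caught by auto-connect, and
    TfL's passive counting of devices that never join its network) turn on the
    same question: is the address a device broadcasts tied to its hardware? The
    following is an added example, not code from TfL, the newspaper or any of the
    contributors. It takes a constructed log of probe-request sightings from
    several sensors, splits devices into those using a burned-in (globally unique)
    MAC and those using a locally administered (randomised) one, and reconstructs
    the route of each device that can be followed. Sensor names and MACs are made
    up.

```python
"""Added example, not from the Daily Mail, TfL or the RISKS contributors: given
passively observed Wi-Fi probe requests, which devices can be followed from
sensor to sensor? The sighting log below is constructed; station names are
illustrative."""
from collections import defaultdict

# Constructed sensor log: time, sensor location, source MAC of a probe request.
SIGHTINGS = """\
08:01:02 entrance            a4:83:e7:12:34:56
08:01:09 entrance            da:a1:19:00:11:22
08:03:40 northern-platform   a4:83:e7:12:34:56
08:03:44 northern-platform   3e:7f:00:ab:cd:ef
08:05:10 central-platform    a4:83:e7:12:34:56
08:05:12 central-platform    da:a1:19:00:11:22
08:06:00 exit                3e:7f:00:ab:cd:ef
"""


def is_locally_administered(mac: str) -> bool:
    """IEEE 802 'locally administered' bit: bit 0x02 of the first octet.
    Randomised MACs set it; factory-burned, OUI-based addresses have it clear."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def summarise(log: str) -> dict:
    """Split sightings into hardware MACs (linkable across days and networks)
    and locally administered ones (not tied to the device's hardware identity)."""
    paths = defaultdict(list)
    randomised = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, location, mac = line.split()
        mac = mac.lower()
        if is_locally_administered(mac):
            randomised.add(mac)
        else:
            paths[mac].append((ts, location))
    return {"tracked": dict(paths), "randomised": sorted(randomised)}


def journey(sightings) -> list:
    """Ordered list of locations for one device, collapsing consecutive repeats.
    Timestamps are same-day HH:MM:SS strings, so lexical order is time order."""
    route = []
    for _, location in sorted(sightings):
        if not route or route[-1] != location:
            route.append(location)
    return route


if __name__ == "__main__":
    summary = summarise(SIGHTINGS)
    for mac, seen in summary["tracked"].items():
        print(mac, "->", " > ".join(journey(seen)))
    print("locally administered (not linkable to hardware):", summary["randomised"])
```

    One caveat a practitioner would add: a randomised address can still be
    stable for the length of one visit, and modern phones commonly keep one
    random address per network they join, so this check tells you whether a
    sighting can be tied to a hardware identity, not that the device is
    invisible. For the students in the Maryland item the exposure was one level
    up anyway: a device that authenticates to the school network hands over the
    account it logs in with, whatever MAC it uses.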

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.34
    ************************
     
  6. LakeGator

    Risks Digest 31.35

    RISKS List Owner

    Aug 6, 2019 4:53 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 6 August 2019 Volume 31 : Issue 35

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    One reason for the 737 Max disaster? Avoiding software complexity
    (Thomas Koenig)
    Warning over auto cyberattacks (Eric D. Lawrence)
    Tesla hit with another lawsuit over a fatal Autopilot crash (The Verge)
    This Satellite Image Shows Everything Wrong With Greenland Right Now
    (Gizmodo)
    North Korea took $2 billion in cyberattacks to fund weapons program (U.N.)
    How China Weaponized the Global Supply Chain (National Review)
    China has started a grand experiment in AI education. It could
    reshape how the world learns. (MIT Tech Review)
    44 people in China were injured when a water park wave machine
    launched a crushing tsunami (WashPost)
    In Hong Kong Protests, Faces Become Weapons (NYTimes)
    Amazon Requires Police to Shill Surveillance Cameras in Secret Agreement
    (VICE)
    Apple's Siri overhears your drug deals and sexual activity,
    whistleblower says (Charlie Osborne)
    Capital One data breach compromises tens of millions of credit card
    applications, FBI says (WashPost)
    California State Bar accidentally leaks details of upcoming exam (NBC News)
    Russian hackers are infiltrating companies via the office printer
    (MIT Tech Review)
    A VxWorks Operating System Bug Exposes 200 Million Critical Devices (WiReD)
    Capital One Systems Breached by Seattle Woman, U.S. Says (Bloomberg)
    Another Breach: What Capital One Could Have Learned from Google's
    "BeyondCorp"
    Paige Thompson, Capital One Hacking Suspect, Left a Trail Online (NYTimes)
    Cambridge Analytica's role in Brexit (Ted)
    The scramble to secure America's voting machines (Politico)
    The state of our elections security (Web Informant)
    A lawmaker wants to end social media addiction by killing features
    that enable mindless scrolling (WashPost)
    Cisco in Whistleblower Payoff and PR Doublespeak Row
    (Security Boulevard)
    Social Media Addiction Reduction Technology, or SMART, Act (Fortune)
    200-million devices some mission-critical vulnerable to remote takeover
    (Ars Technica)
    Siemens contractor pleads guilty to planting logic bomb in company
    spreadsheets (ZDNet)
    People forged judges' signatures to trick Google into changing results
    (Ars Technica)
    Partial hashes broadcast in Bluetooth can be converted to phone numbers
    (Ars Technica)
    Apple suspends human eavesdropping through Siri (Taipei Times)
    Why People Should Care About Quantum Computing (Fortune)
    Your Train Is Delayed. Why? (NYTimes)
    Barr Revives Encryption Debate, Calling on Tech Firms to Allow for
    Law Enforcement (NYTimes)
    Dark Web Consequences Increase from Global Rise of Police-Friendly
    Laws (Channel Futures)
    The Hidden Costs of Automated Thinking (The New Yorker)
    We Tested Europe’s New Digital Lie Detector. It Failed. (The Intercept)
    AI Predictive Policing (Daily Mail)
    Guardian Firewall iOS App Automatically Blocks the Trackers on Your Phone
    (WiReD)
    Google researchers disclose vulnerabilities for 'interactionless'
    iOS attacks (ZDNet)
    Another Breach: What Capital One Could Have Learned from Google's
    "BeyondCorp" (Lauren's Blog)
    A data breach forced this family to move home and change their names
    (ZDNet)
    Brazilian president’s cellphone hacked as Car Wash scandal intrigue
    widens (WashPost)
    Malicious 'Google' domains used in Magento card card skimmer attacks (ZDNet)
    MyDoom: The 15-year-old malware that's still being used in phishing
    attacks in 2019 (ZDNet)
    StockX was hacked, exposing millions of customers' data (TechCrunch)
    Ikea says sorry for customer data breach (Straits Times)
    Refunds for Global Access Technical Support customers (Consumer Information)
    Business Continuity?: Kyoto Anime recovers digital recordings
    (Chiaki Ishikawa)
    Colorado gov't. email account for reporting child abuse goes unchecked for
    4 years (WashPost)
    Re: "Mortgage Provider Tells Savers of Zero Balances" (Chris Drewe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 5 Aug 2019 22:03:34 +0200
    From: Thomas Koenig <t...@tkoenig.net>
    Subject: One reason for the 737 Max disaster? Avoiding software complexity

    The Seattle Times finally offers an explanation of why only one sensor fed
    data into the Maneuvering Characteristics Augmentation System on the Boeing
    737 Max 8 airplanes. In both cases, it is presumed that faulty sensors fed
    wrong data into the system, which led to miscorrections of the aircraft
    attitude, to total loss of control of the aircraft and to 346 deaths.

    Boeing wanted to avoid software complexity.

    "Boeing is changing the MAX's automated flight-control system's software
    so that it will take input from both flight-control computers at once
    instead of using only one on each flight. That might seem simple and
    obvious, but in the architecture that has been in place on the 737 for
    decades, the automated systems take input from only one computer on a
    flight, switching to use the other computer on the next flight."

    In all previous reports (that I have read, at least) people were utterly
    baffled why only one sensor was being used. Now it is clear why.

    It is also clear now why the "patch" (rather a complete rewrite, using a
    different software architecture) takes so long.

    Sometimes, "Keep it simple and stupid" is not the right policy...

    Newly stringent FAA tests spur a fundamental software redesign of Boeing’s 737 MAX flight controls

    ------------------------------
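
    The architectural point in the item above is the difference between
    consulting one sensor channel for a whole flight and cross-checking two on
    every cycle. The following is an added example, not code from the Seattle
    Times story, from Boeing or from the contributor: a toy comparator over a
    constructed sequence of angle-of-attack readings in which one channel is
    stuck high. The activation and disagreement thresholds, the sensor values
    and the latching behaviour are all constructed for illustration and are not
    the aircraft's actual figures.

```python
"""Added example, not from the Seattle Times story or any Boeing code: what
changes when two sensor channels are cross-checked instead of one being
trusted. All thresholds and sensor values are constructed for illustration."""

ACTIVATION_AOA_DEG = 15.0   # constructed: AoA above which the automation acts
DISAGREE_DEG = 5.5          # constructed: channel split treated as a fault

# Constructed flight: channel A is stuck high for four cycles while channel B
# is nominal; in the last two cycles both channels genuinely read high.
SAMPLES = [(40.0, 4.8), (40.2, 5.1), (39.9, 5.0), (40.1, 5.3),
           (22.0, 21.5), (23.0, 22.4)]


def single_source(samples, active: int = 0) -> int:
    """One channel is consulted for the whole flight (the pattern the article
    describes). A stuck channel is indistinguishable from a real high AoA, and
    which channel is 'active' decides whether the fault is ever seen."""
    return sum(1 for pair in samples if pair[active] > ACTIVATION_AOA_DEG)


def cross_checked(samples, latch: bool = True) -> dict:
    """Both channels are consulted each cycle. A split wider than DISAGREE_DEG
    inhibits the command; with latch=True the inhibit persists for the rest of
    the flight, so a fault seen once cannot re-arm the automation later when
    the readings happen to converge."""
    commands = inhibited = 0
    faulted = False
    for a, b in samples:
        if faulted or abs(a - b) > DISAGREE_DEG:
            faulted = faulted or latch
            inhibited += 1
            continue
        if min(a, b) > ACTIVATION_AOA_DEG:   # act only when both agree it is high
            commands += 1
    return {"commands": commands, "inhibited": inhibited}


if __name__ == "__main__":
    print("single source, channel A active:", single_source(SAMPLES, 0))
    print("single source, channel B active:", single_source(SAMPLES, 1))
    print("cross-checked, no latch:        ", cross_checked(SAMPLES, latch=False))
    print("cross-checked, latched:         ", cross_checked(SAMPLES))
```

    The single-source variant commands on all six cycles if the stuck channel
    happens to be the active one and on two if it is not, which is exactly the
    flight-to-flight lottery the quoted passage describes. The cross-checked
    variant inhibits while the channels disagree and, unlatched, still acts on
    the two cycles where both channels read high; latched, it stays inhibited
    once a fault has been seen. The extra logic is real complexity, which is
    the trade-off the contributor is pointing at.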

    Date: Tue, 6 Aug 2019 10:11:44 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Warning over auto cyberattacks (Eric D. Lawrence)

    Eric D. Lawrence, *The San Francisco Chronicle*, 6 Aug 2019, page D1

    Boxed highlight: "Fiat Chrysler made a software fix in 2015 to prevent
    hacking into Jeep Cherokees but some experts believe many vehicles are
    still vulnerable."

    Warnings about connected vehicle vulnerabilities have been a steady drumbeat
    for years. [RISKS!!!] Now a 49-page report from the California consumer
    advocacy group Consumer Watchdog paints a dire picture and urges automakers
    to install a 50-cent kill switch that would allow vehicles to be disconnected
    from the Internet. [PGN-ed]

    "Millions of cars on the Internet running the same software means a single
    exploit can affect millions of vehicles simultaneously."

    ------------------------------

    Date: Mon, 5 Aug 2019 17:25:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Tesla hit with another lawsuit over a fatal Autopilot crash
    (The Verge)

    They just get too used to it. That tends to be more of an issue. It's not a
    lack of understanding of what Autopilot can do. It's [drivers] thinking they
    know more about Autopilot than they do.

    Tesla will regularly release data about the safety of Autopilot, Elon Musk says
    Tesla hit with another lawsuit over a fatal Autopilot crash

    Pick one: EITHER it's not a lack of understanding OR they think they know
    more than they do.

    ------------------------------

    Date: Sat, 3 Aug 2019 14:16:53 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: This Satellite Image Shows Everything Wrong With Greenland Right
    Now (Gizmodo)

    EXCERPT:

    If you could sum up climate change's impact on the Arctic in one
    image, you'd be hard pressed to find something better than this satellite
    view, which shows the meltdown of one of the largest stores of ice on Earth
    while a wildfire rages in the distance.

    Here it is, below, courtesy of satellite image wizard Pierre Markuse and our
    planet, which is quickly becoming a smoke-filled, waterlogged hellscape. ...

    https://earther.gizmodo.com/this-satellite-image-shows-everything-wrong-with-greenl-1836919989

    ------------------------------

    Date: Mon, 5 Aug 2019 14:11:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: North Korea took $2 billion in cyberattacks to fund weapons program
    (U.N. report)

    North Korea has generated an estimated $2 billion for its weapons of mass
    destruction programs using ``widespread and increasingly sophisticated''
    cyberattacks to steal from banks and cryptocurrency exchanges, according to
    a confidential U.N. report seen by Reuters on Monday.

    Pyongyang also ``continued to enhance its nuclear and missile programmes
    although it did not conduct a nuclear test or ICBM (Intercontinental
    Ballistic Missile) launch,'' said the report to the U.N. Security Council
    North Korea sanctions committee by independent experts monitoring compliance
    over the past six months.

    ------------------------------

    Date: Mon, 5 Aug 2019 18:17:12 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: How China Weaponized the Global Supply Chain (National Review)

    How China Weaponized the Global Supply Chain | National Review

    ... the introduction of Chinese cyber-capabilities, including the
    installation of digital networks at Chinese-controlled sites, typically by
    Huawei, and a subsea cable network being built by Huawei's marine unit that
    will nearly encircle the globe by the end of this year. Chinese state-owned
    companies are leading a rapid, digitally enabled consolidation of the
    logistics sector -- bringing together supply-chain functions that had
    previously been performed by separate companies, adopting centralized IT
    systems to control distribution from the doors of factories in China to the
    doors of consumers in America, and developing a wide array of technologies
    that can be used for both commercial and military purposes.

    The most threatening aspect of China's commercial triad is that the physical
    network of ports, ships, and terminals serves as a force multiplier for
    China's cyber-aggression. From drones that monitor operations to
    facial-recognition technologies that control access to container yards, port
    facilities provide nearly perfect cover for cyber-espionage. There's a lot
    going on in a seaport, and all of it is controlled and monitored by
    technology that feeds information over digital networks to buyers, sellers,
    regulators, financial institutions, and transportation companies. In short,
    ports are power. Power over imports and exports, power over
    economic-development policies, construction, shipbuilding, land transport,
    and electricity grids -- and power over the digital information needed to
    move goods through global supply chains that originate in China and
    Southeast Asia. These critical supply lines have increasingly come under the
    influence or control of a handful of Chinese state-owned companies. [...]

    [Monty Solomon noted this item:
    Official Cybersecurity Review Finds U.S. Military Buying High-Risk
    Chinese Tech (Forbes)
    Official Cybersecurity Review Finds U.S. Military Buying High-Risk Chinese Tech (Updated)
    PGN]

    ------------------------------

    Date: Sun, 4 Aug 2019 18:51:25 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: China has started a grand experiment in AI education. It could
    reshape how the world learns. (MIT Tech Review)

    In recent years, the country has rushed to pursue *intelligent education*.
    Now its billion-dollar ed-tech companies are planning to export their vision
    overseas.

    Zhou Yi was terrible at math. He risked never getting into college. Then a
    company called Squirrel AI came to his middle school in Hangzhou, China,
    promising personalized tutoring. He had tried tutoring services before, but
    this one was different: instead of a human teacher, an AI algorithm would
    curate his lessons. The 13-year-old decided to give it a try. By the end of
    the semester, his test scores had risen from 50% to 62.5%. Two years later,
    he scored an 85% on his final middle school exam.

    ``I used to think math was terrifying. But through tutoring, I realized it
    really isn't that hard. It helped me take the first step down a different
    path.''

    Experts agree AI will be important in 21st-century education -- but how?
    While academics have puzzled over best practices, China hasn't waited
    around. In the last few years, the country's investment in AI-enabled
    teaching and learning has exploded. Tech giants, startups, and education
    incumbents have all jumped in. Tens of millions of students now use some
    form of AI to learn -- whether through extracurricular tutoring programs
    like Squirrel's, through digital learning platforms like 17ZuoYe, or even in
    their main classrooms. It's the world's biggest experiment on AI in
    education, and no one can predict the outcome.

    Silicon Valley is also keenly interested. In a report in March, the
    Chan-Zuckerberg Initiative and the Bill and Melinda Gates Foundation
    identified AI as an educational tool worthy of investment. In his 2018 book
    Rewiring Education, John Couch, Apple's vice president of education, lauded
    Squirrel AI. (A Chinese version of the book is coauthored by Squirrel's
    founder, Derek Li.) Squirrel also opened a joint research lab with Carnegie
    Mellon University this year to study personalized learning at scale, then
    export it globally.

    But experts worry about the direction this rush to AI in education is
    taking. At best, they say, AI can help teachers foster their students'
    interests and strengths. At worst, it could further entrench a global trend
    toward standardized learning and testing, leaving the next generation ill
    prepared to adapt in a rapidly changing world of work...

    China has started a grand experiment in AI education. It could reshape how the world learns.

    ------------------------------

    Date: Thu, 1 Aug 2019 11:19:33 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: 44 people in China were injured when a water park wave machine
    launched a crushing tsunami (WashPost)

    44 people in China were injured when a water park wave machine launched a
    crushing tsunami

    The operator was not drunk, as originally reported.

    https://www.washingtonpost.com/worl...rpark-wave-machine-launched-crushing-tsunami/

    ------------------------------

    Date: Mon, 29 Jul 2019 18:59:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: In Hong Kong Protests, Faces Become Weapons (NYTimes)

    A quest to identify protesters and police officers has people in both groups
    desperate to protect their anonymity. Some fear a turn toward China-style
    surveillance.

    In Hong Kong Protests, Faces Become Weapons

    ------------------------------

    Date: Sun, 28 Jul 2019 14:04:05 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Amazon Requires Police to Shill Surveillance Cameras in Secret
    Agreement (VICE)

    Amazon Requires Police to Shill Surveillance Cameras in Secret Agreement

    ------------------------------

    Date: Wed, 31 Jul 2019 10:40:06 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Apple's Siri overhears your drug deals and sexual activity,
    whistleblower says (Charlie Osborne)

    Charlie Osborne for Zero Day | 30 Jul 2019

    Apple's Siri overhears your drug deals and sexual activity, whistleblower
    says
    Quality control frequently comes across recordings which should not have
    existed in the first place.
    Apple's Siri overhears your drug deals and sexual activity, whistleblower says | ZDNet

    selected text:

    Apple's Siri records private and confidential conversations and activities
    on a regular basis including talk relating to medical conditions, drug
    deals, and sex acts.

    Staff members tasked with grading how Siri responds to commands and whether
    or not the correct wake word "Hey Siri" was used before a recording occurred
    often hear explicit recordings, which are accidentally saved when the
    assistant mistakenly associates a sound as the wake word.

    The publication's source notes, for example, that the sound of a zipper can
    be misconstrued as a demand to wake up. In what the whistleblower says are
    "countless instances," conversations between doctors and patients, business
    deals, and both criminal and sexual activity have been captured by the smart
    assistant.

    The Apple Watch, in particular, has come under fire. While many recordings
    captured by Siri may only be a few seconds in length, The Guardian says that
    the watch -- with Siri enabled -- may record up to 30 seconds.

    ------------------------------

    Date: Mon, 29 Jul 2019 19:14:10 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Capital One data breach compromises tens of millions of credit card
    applications, FBI says (WashPost)

    https://www.washingtonpost.com/news...illions-of-credit-card-applications-fbi-says/

    ------------------------------

    Date: Mon, 29 Jul 2019 18:49:37 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: California State Bar accidentally leaks details of upcoming exam
    (NBC News)

    https://www.nbcnews.com/news/us-new...dentally-leaks-details-upcoming-exam-n1035681

    ------------------------------

    Date: Mon, 5 Aug 2019 14:12:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Russian hackers are infiltrating companies via the office printer
    (MIT Tech Review)

    *A group of hackers linked to Russian spy agencies are using "Internet of
    things" devices like internet-connected phones and printers to break into
    corporate networks, Microsoft announced on Monday.*

    EXCERPT:

    *Fancy Bear never hibernates*: The Russian hackers, who go by names like
    Strontium, Fancy Bear, and APT28, are linked to the military intelligence
    agency GRU.

    The group has been active since at least 2007. They are credited with a long
    list of infamous work including breaking into the Democratic National
    Committee in 2016, the crippling NotPetya attacks against Ukraine in 2017,
    and targeting political groups in Europe and North America throughout 2018.

    *Insecurity of Things*: The new campaign from GRU compromised popular
    internet of things devices including a VOIP (voice over internet protocol)
    phone, a connected office printer, and a video decoder in order to gain
    access to corporate networks. Microsoft has some of the best visibility into
    corporate networks on earth because so many organizations are using Windows
    machines. Microsoft's Threat Intelligence Center spotted Fancy Bear's new
    work starting in April 2019.

    *The password is password*: Although things like smartphones and desktop
    computers are often top of mind when it comes to security, it's often the
    printer, camera, or decoder that leaves a door open for a hacker to
    exploit. [...]

    https://www.technologyreview.com/f/...ium-infiltrate-iot-networks-microsoft-report/

    ------------------------------

    Date: Mon, 29 Jul 2019 19:08:01 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: A VxWorks Operating System Bug Exposes 200 Million Critical Devices
    (WiReD)

    When major vulnerabilities show up in ubiquitous operating systems like
    Microsoft Windows, they can be weaponized and exploited, the fallout
    potentially impacting millions of devices. Today, researchers from the
    enterprise security firm Armis are detailing just such a group of
    vulnerabilities in a popular operating system that runs on more than 2
    billion devices worldwide. But unlike Windows, iOS, or Android, this OS is
    one you've likely never heard of. It's called VxWorks.

    VxWorks is designed as a secure "real-time" operating system for
    continuously functioning devices, like medical equipment, elevator
    controllers, or satellite modems. That makes it a popular choice for
    Internet of Things and industrial control products. But Armis researchers
    found a cluster of 11 vulnerabilities in the platform's networking
    protocols, six of which could conceivably give an attacker remote device
    access, and allow a worm to spread the malware to other VxWorks devices
    around the world. Roughly 200 million devices appear to be vulnerable; the
    bugs have been present in most versions of VxWorks going back to version
    6.5, released in 2006.

    https://www.wired.com/story/vxworks-vulnerabilities-urgent11/

    ------------------------------

    Date: Mon, 29 Jul 2019 19:14:52 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Capital One Systems Breached by Seattle Woman, U.S. Says
    (Bloomberg)

    https://www.bloomberg.com/news/arti...ta-systems-breached-by-seattle-woman-u-s-says

    ------------------------------

    Date: Tue, 30 Jul 2019 14:11:10 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Another Breach: What Capital One Could Have Learned from Google's
    "BeyondCorp"

    Updating this blog post with info that non-customers of Capital One were
    also affected by the breach, etc.

    https://lauren.vortex.com/2019/07/3...ne-could-have-learned-from-googles-beyondcorp

    ------------------------------

    Date: Tue, 30 Jul 2019 12:27:01 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Paige Thompson, Capital One Hacking Suspect, Left a Trail Online
    (NYTimes)

    https://www.nytimes.com/2019/07/30/business/paige-thompson-capital-one-hack.html

    Ms. Thompson, a 33-year-old software developer, made a habit of oversharing
    online. Those posts led the authorities to her door.

    ------------------------------

    Date: Sun, 4 Aug 2019 6:17:10 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Cambridge Analytica's role in Brexit (Ted)

    [Thanks to Paul Vixie. PGN]



    ------------------------------

    Date: Sun, 4 Aug 2019 12:12:06 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: The scramble to secure America's voting machines (Politico)

    The U.S. faces a voting security crisis.

    Eric Geller, Beatrice Jin, Jordyn Hermani and Michael B. Farrell
    Politico, 4 Aug 2019

    Tens of millions of Americans across 14 states cast ballots last year on
    paperless voting machines -- devices that security experts say can be
    undetectably hacked and that offer no way to audit results when tampering or
    errors occur. Many voters will still be using paperless machines in 2020,
    despite warnings from intelligence leaders and cybersecurity experts that
    Russia will try to reprise its interference in the 2016 presidential
    campaign.

    Click here to read the results of POLITICO's survey and see our interactive
    presentation on the nationwide, state-by-state and county-by-county picture
    of U.S. voting security as 2020 approaches.
    <http://go.politicoemail.com/?qs=fd6...a2617ab812f0bdae6d83d692c4e703f1488e207a56d87>

    https://www.politico.com/interactives/2019/election-security-americas-voting-machines/index.html

    ------------------------------

    Date: Tue, 30 Jul 2019 13:46:18 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The state of our elections security (Web Informant)

    Web Informant, 30 Jul 2019

    The past week has seen a lot of news stories about hacking our
    elections. Today in this edition of Inside Security I take a careful look at
    what we know and the various security implications, which I cover in the
    last paragraph. It is hard to write about this without getting into
    politics, but I will try to summarize the facts. Here are two of them:

    — Russians have penetrated election authorities in every statehouse and
    continue to try to compromise those networks. We have evidence that has
    been published in the Mueller report and more recently the Senate
    Intelligence Committee report from last week.

    — A second and more troublesome collection of election compromises is
    described in a report from the San Mateo County grand jury that was also
    posted last week. I will get to this report in a moment.

    For infosec professionals, the events described in these documents have been
    well known for many years. The reports talk about spear-phishing attacks on
    election officials, phony posts on social media or posts that originate from
    sock puppet organizations (such as Russian state-sponsored intelligence
    agencies), or from consultants to political campaigns that misrepresent
    themselves to influence an election.

    https://blog.strom.com/wp/?p=7291

    ------------------------------

    Date: Tue, 30 Jul 2019 13:38:16 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: A lawmaker wants to end social media addiction by killing features
    that enable mindless scrolling (WashPost)

    https://www.washingtonpost.com/tech...ling-features-that-enable-mindless-scrolling/

    "Big tech has embraced a business model of addiction," Hawley, a Missouri
    Republican, said in a statement announcing the bill. "Too much of the
    'innovation' in this space is designed not to create better products, but to
    capture more attention by using psychological tricks that make it difficult
    to look away. This legislation will put an end to that and encourage true
    innovation by tech companies."

    iDisorder (http://catless.ncl.ac.uk/Risks/30/89#subj18.1) constitutes an
    acute public health and safety risk.

    Apple's opposition to 'gaze-blocker' application sales suggest they merit
    pursuit as a public health benefit. See
    https://catless.ncl.ac.uk/Risks/31/21#subj16.1.

    ------------------------------

    Date: Fri, 2 Aug 2019 12:49:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cisco in Whistleblower Payoff and PR Doublespeak Row
    (Security Boulevard)

    Cisco Systems has settled a longstanding lawsuit in which federal and state
    agencies alleged a product was badly insecure and that the company knew
    about it for at least four years before it did anything. Not a good look.

    Not only that, but Cisco will compensate a whistleblowing contractor who
    says he was fired for rocking the boat. Although Cisco maintains his job was
    no longer needed.

    And the PR statement is, well, let’s just say nuanced.

    https://securityboulevard.com/2019/08/cisco-in-whistleblower-payoff-and-pr-doublespeak-row/

    ------------------------------

    Date: Fri, 2 Aug 2019 16:44:32 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Social Media Addiction Reduction Technology, or SMART, Act
    (Fortune)

    *Can't look away*. Speaking of new rules, a bill proposed by Sen. Josh
    Hawley dubbed the Social Media Addiction Reduction Technology, or SMART, Act
    would ban techniques used to hook people in to social media *Facebook's*
    (and many other sites) infinite scroll would be illegal, as would autoplay
    videos. ``Big Tech has embraced addiction as a business model,'' Hawley
    tweeted. The bill obviously has a long way to go before becoming a law.

    <https://click.newsletters.fortune.c...d3f2108608cab99cc61c36ecf80db896e780d98394df0>

    [Next to be outlawed, human nature.]

    ------------------------------

    Date: Tue, 30 Jul 2019 19:13:24 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: 200 million devices, some mission-critical, vulnerable to remote
    takeover (Ars Technica)

    https://arstechnica.com/information...ssion-critical-vulnerable-to-remote-takeover/

    ------------------------------

    Date: Sun, 28 Jul 2019 14:05:35 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Siemens contractor pleads guilty to planting logic bomb in company
    spreadsheets (ZDNet)

    https://www.zdnet.com/article/sieme...-planting-logic-bomb-in-company-spreadsheets/

    ------------------------------

    Date: Tue, 30 Jul 2019 19:59:18 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: People forged judges' signatures to trick Google into changing results
    (Ars Technica)

    https://arstechnica.com/tech-policy...atures-to-trick-google-into-changing-results/

    ------------------------------

    Date: Fri, 2 Aug 2019 12:37:19 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Partial hashes broadcast in Bluetooth can be converted to phone
    numbers (Ars Technica)

    https://arstechnica.com/information...ord-sharing-features-can-leak-iphone-numbers/

    ------------------------------

    Date: Sat, 3 Aug 2019 16:40:17 -0700
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Apple suspends human eavesdropping through Siri (Taipei Times)

    A prudent move, in the wake of Amazon and Google bad PR from their
    eavesdropping activities. The putative motive of having human listeners was
    to improve Siri's ability to respond to queries.

    http://www.taipeitimes.com/News/biz/archives/2019/08/03/2003719808

    Someone must have gotten around to asking "What could go wrong?"

    ------------------------------

    Date: Mon, 29 Jul 2019 00:56:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Why People Should Care About Quantum Computing (Fortune)

    Essentially, workable quantum computing could, in theory, help solve some of
    humanity’s most pressing problems like capturing “carbon from the atmosphere
    to save the planet” and improving clean energy and food production,
    Svore said.

    It’s not as if conventional computers can’t handle the calculations
    underpinning the feats Svore mentioned. It’s just that it would take a
    person’s lifetime, as opposed to the “matter of weeks or months” it would
    take a quantum computer to process the information related to the problems.

    https://fortune.com/2019/07/15/quantum-computing-brainstorm-tech/

    More vague blather, I think. There's NEVER discussion about quantum apps,
    programming, algorithms, specific applications.

    It's never beyond:

    Quantum, however, relies on mysterious so-called qbits, which can represent
    data in multiple states like a “0” or “1” at the same time; it’s a
    head-scratching idea to wrap one’s brain around, but it's crucial to
    harnessing the power of quantum computing. Designing algorithms that take
    advantage of the mysterious properties of qbits can bring “billions of years
    of compute time to seconds or hours or days,” Svore said.

    ...so let's see the algorithms -- they should be available before quantum
    hardware is built, yes?

    ------------------------------

    Date: Sun, 28 Jul 2019 14:41:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Your Train Is Delayed. Why? (NYTimes)

    Video


    ------------------------------

    Date: Sun, 28 Jul 2019 14:18:58 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Barr Revives Encryption Debate, Calling on Tech Firms to Allow for
    Law Enforcement (NYTimes)

    The attorney general, reopening the conversation on security vs. privacy,
    said that encryption and other measures effectively turned devices into
    “law-free zones.”

    https://www.nytimes.com/2019/07/23/...cryption-security.html?smid=nytcore-ios-share

    [Unfortunately, law-enforcement-only backdoors are likely to be
    subvertible by many unauthorized folks. Emphatic assertion keeps
    resurfacing, despite the wisdom of the Keys Under Doormats report, by
    folks who reject the risks of misusing systems that are likely to be
    already unsecure, despite the desire for backdoors. The RISKS motto seems
    to be: Everything is likely to be compromised, if not already broken. By
    the way, it is not `security vs privacy'. It is `insecurity and
    nonprivacy'. PGN]

    ------------------------------

    Date: Sun, 28 Jul 2019 14:04:46 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Dark Web Consequences Increase from Global Rise of Police-Friendly
    Laws (Channel Futures)

    https://www.channelfutures.com/mssp...ease-from-global-rise-of-police-friendly-laws

    ------------------------------

    Date: Sat, 27 Jul 2019 17:49:36 -0400
    From: Dave Farber <far...@gmail.com>
    Subject: The Hidden Costs of Automated Thinking (The New Yorker)

    https://www.newyorker.com/tech/annals-of-technology/the-hidden-costs-of-automated-thinking

    ------------------------------

    Date: Sat, 27 Jul 2019 09:17:40 -0400
    From: Dave Farber <far...@gmail.com>
    Subject: We Tested Europe’s New Digital Lie Detector. It Failed.
    (The Intercept)

    https://theintercept.com/2019/07/26/europe-border-control-ai-lie-detector/

    ------------------------------

    Date: Sun, 28 Jul 2019 10:19:53 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: AI Predictive Policing (Daily Mail)

    [From Geoff Goodfellow]

    AI experts from top universities SLAM `predictive policing' tools in new
    statement and warn technology could 'fuel misconceptions and fears that
    drive mass incarceration'.

    - AI experts say pre-crime algorithms are more magic than reality
    - Algorithms designed to predict violent crime may come with
    consequences
    - Experts say they may vastly overstate the likelihood of pretrial
    crime
    - They warn its use could fuel mass incarceration and lead to harsher
    sentences

    EXCERPT:

    Prominent thinkers in the fields of artificial intelligence say that
    predictive policing tools are not only 'useless,' but may be helping to
    drive mass incarceration.

    In a letter published earlier this month the experts, from MIT, Harvard,
    Princeton, NYU, UC Berkeley and Columbia spoke out on the topic in an
    unprecedented showing of skepticism toward the technology.
    <https://dam-prod.media.mit.edu/x/2019/07/16/TechnicalFlawsOfPretrial_ML>

    'When it comes to predicting violence, risk assessments offer more magical
    thinking than helpful forecasting,' wrote AI experts Chelsea Barabas,
    Karthik Dinakar and Colin Doyle in a New York Times op-ed.
    <https://www.nytimes.com/2019/07/17/opinion/pretrial-ai.html?utm_source=The+Appeal>

    Predictive policing tools, or risk assessment tools, are algorithms designed
    to predict the likelihood of someone committing crime in the future.

    With rapid advances in artificial intelligence, the tools have begun to find
    their way into the everyday processes of judges, who deploy them to
    determine sentencing, and police departments, who use them to allot
    resources and more.

    While the technology has been positioned as a way to combat crime
    preemptively, experts say its capabilities have been vastly overstated.

    Among the arenas most affected by the tools they say, are pretrial
    sentencing, during which people undergoing a trial may be detained based on
    their risk of committing a crime.

    'Algorithmic risk assessments are touted as being more objective and
    accurate than judges in predicting future violence,' write the
    researchers...

    https://www.dailymail.co.uk/science...redictive-policing-digitizing-stop-frisk.html

    ------------------------------

    Date: Sun, 4 Aug 2019 16:50:27 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Guardian Firewall iOS App Automatically Blocks the Trackers on Your
    Phone (WiReD)

    The data economy has too often betrayed its customers, whether it's Facebook
    sharing data you didn't even realize it had, or invisible trackers that
    follow you around the web without your knowledge. But a new app launching in
    the iOS App Store today wants to help you take back some control—without
    making your life harder.

    The Guardian Firewall app runs in the background of an iOS device, and
    stymies data and location trackers while compiling a list of all the times
    your apps attempt to deploy them. It does so without breaking functionality
    in your apps or making them unusable. Plus, the blow by blow list gives you
    much deeper insight than you would normally have into what your phone is
    doing behind the scenes. Guardian Firewall also takes pains to avoid
    becoming another cog in the data machine itself. You don't need to make an
    account to run the firewall, and the app is architected to box its
    developers out of user data completely.

    https://www.wired.com/story/guardian-firewall-ios-app/

    Was tempting until $100/year cost.

    ------------------------------

    Date: Tue, 30 Jul 2019 13:36:01 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Google researchers disclose vulnerabilities for 'interactionless'
    iOS attacks (ZDNet)

    While it is always a good idea to install security updates as soon as they
    become available, the availability of proof-of-concept code means users
    should install the iOS 12.4 release with no further delay.

    https://www.zdnet.com/article/googl...nerabilities-for-interactionless-ios-attacks/

    ------------------------------

    Date: Tue, 30 Jul 2019 10:40:55 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Another Breach: What Capital One Could Have Learned from Google's
    "BeyondCorp" (Lauren's Blog)

    https://lauren.vortex.com/2019/07/3...ne-could-have-learned-from-googles-beyondcorp

    Another day, another massive data breach. This time some 100 million people
    in the U.S., and more millions in Canada. Reportedly the criminal hacker
    gained access to data stored on Amazon's AWS systems. The fault was
    apparently not with AWS, but with a misconfigured firewall associated with a
    Capital One app, the bank whose customers were the victims of this attack.

    Firewalls can be notoriously and fiendishly difficult to configure
    correctly, and often present a target-rich environment for successful
    attacks. The thing is, firewall vulnerabilities are not headline news --
    they're an old story, and better solutions to providing network security
    already exist.

    In particular, Google's "BeyondCorp" approach
    ( https://cloud.google.com/beyondcorp ) is something that every enterprise
    involved in computing should make itself familiar with. Right now!

    BeyondCorp techniques are how Google protects its own internal networks and
    systems from attack, with enormous success. In a nutshell, BeyondCorp is a
    set of practices that effectively puts "zero trust" in the networks
    themselves, moving access control and other authentication elements to
    individual devices and users. This eliminates the need for traditional
    firewalls (and in most instances, VPNs) because there is no longer a
    conventional firewall which, once breached, gives an attacker access to all
    the goodies.

    If Capital One had been following BeyondCorp principles, there would be 100+
    million fewer of their customers in a panic today.
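    The contrast the post draws, written up as an added example (not Lauren's code and not Google's BeyondCorp implementation): a perimeter check that trusts anything arriving from an "inside" address, next to a per-request decision that ignores network location and instead checks the authenticated user, the device's inventory record and its health. Network ranges, device inventory, trust tiers and the resource policy are all constructed for illustration.

```python
"""Perimeter trust vs. a BeyondCorp-style per-request decision (illustrative)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed "inside the firewall" range; in the perimeter model this is the credential.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]       # None = no authenticated user
    device_id: Optional[str]  # None = device presented no identity
    resource: str


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: anything reaching us from an internal address is trusted.
    A misconfigured firewall or proxy that relays outside traffic defeats this
    check completely, because location is the only thing it looks at."""
    return ip_address(req.source_ip) in INTERNAL_NET


# Constructed device inventory: managed devices, who they are issued to,
# their trust tier and the result of the last health check.
DEVICE_INVENTORY = {
    "laptop-0042": {"owner": "alice", "tier": "high", "patched": True},
    "laptop-0099": {"owner": "bob", "tier": "low", "patched": False},
}
# Constructed policy: minimum device tier and (optionally) required user groups.
RESOURCE_POLICY = {
    "customer-records": {"min_tier": "high", "groups": {"fraud-analysts"}},
    "cafeteria-menu": {"min_tier": "low", "groups": set()},
}
USER_GROUPS = {"alice": {"fraud-analysts"}, "bob": set()}
TIER_RANK = {"low": 0, "high": 1}


def zero_trust_allows(req: Request) -> Tuple[bool, str]:
    """Zero-trust model: decide per request from user + device + policy.
    Returns (decision, reason). The source address is deliberately not consulted,
    so there is no "inside" for an attacker to reach."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    if req.user is None:
        return False, "user not authenticated"
    dev = DEVICE_INVENTORY.get(req.device_id) if req.device_id else None
    if dev is None:
        return False, "device not in inventory"
    if dev["owner"] != req.user:
        return False, "device not bound to this user"
    if not dev["patched"]:
        return False, "device fails health check"
    if TIER_RANK[dev["tier"]] < TIER_RANK[policy["min_tier"]]:
        return False, "device trust tier too low for resource"
    if policy["groups"] and not (policy["groups"] & USER_GROUPS.get(req.user, set())):
        return False, "user not in an authorized group"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenarios, including the one the post describes: traffic that
    # arrives from an internal address with no user or device identity at all.
    scenarios = [
        Request("10.1.2.3", None, None, "customer-records"),        # relayed via misconfig
        Request("203.0.113.7", "alice", "laptop-0042", "customer-records"),  # remote, managed
        Request("10.1.2.3", "bob", "laptop-0099", "customer-records"),       # inside, unpatched
    ]
    for r in scenarios:
        print(f"{r.source_ip:>12} user={r.user!s:<6} dev={r.device_id!s:<12} "
              f"perimeter={perimeter_allows(r)!s:<5} zero_trust={zero_trust_allows(r)}")
```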

    ------------------------------

    Date: Wed, 31 Jul 2019 10:30:36 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: A data breach forced this family to move home and change their
    names (ZDNet)

    Charlie Osborne for Zero Day | 26 Jul 2019

    A data breach forced this family to move home and change their names
    Sometimes a free credit report in recompense is nowhere near enough.
    https://www.zdnet.com/article/a-data-breach-forced-this-family-to-move-home-and-change-their-names/

    selected text:

    In the London Borough of Hackney, a recent case emerged when a data breach
    had far more devastating consequences than most of us would ever experience.

    As reported by the Hackney Gazette, a family in the area adopted a child and
    the details of who they were and where they lived were meant to be withheld
    from the birth parents.

    However, during the adoption process in 2016, a solicitor appointed by
    Hackney Council mistakenly included an unredacted copy of the application
    form. The publication says that the exposed, sensitive data included the
    couple's names, addresses, phone numbers, dates of birth, and occupations.

    The scope of the breach was serious enough that the couple spoke to both the
    council and police, and ultimately decided that moving home and changing
    their names was the safest option for their adopted child.

    ------------------------------

    Date: Thu, 25 Jul 2019 19:51:11 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Brazilian president’s cellphone hacked as Car Wash scandal intrigue
    widens (WashPost)

    Four men have been arrested on suspicion of breaking into cellphones of
    hundreds of officials.

    https://www.washingtonpost.com/worl...ab2b86-aee5-11e9-9411-a608f9d0c2d3_story.html

    ------------------------------

    Date: Fri, 26 Jul 2019 10:12:53 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Malicious 'Google' domains used in Magento card skimmer attacks
    (ZDNet)

    https://www.zdnet.com/article/malicious-google-domains-used-in-magento-data-skimmer/

    ------------------------------

    Date: Fri, 26 Jul 2019 10:15:08 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: MyDoom: The 15-year-old malware that's still being used in phishing
    attacks in 2019 (ZDNet)

    https://www.zdnet.com/article/mydoo...still-being-used-in-phishing-attacks-in-2019/

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Mon, 5 Aug 2019 08:18:19 -0400
    Subject: StockX was hacked, exposing millions of customers' data (TechCrunch)

    https://techcrunch.com/2019/08/03/stockx-hacked-millions-records/

    ------------------------------

    Date: Mon, 5 Aug 2019 10:48:58 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Ikea says sorry for customer data breach (Straits Times)

    https://www.straitstimes.com/singapore/ikea-says-sorry-for-customer-data-breach

    ------------------------------

    Date: Thu, 1 Aug 2019 11:47:57 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Refunds for Global Access Technical Support customers
    (Consumer Information)

    If you paid for technical support services from Global Access Technical
    Support (GATS), you’ll be getting a letter or an email from the Federal
    Trade Commission about a refund. You might have known the company as Global
    SConnect, Global sMind, Yubdata Tech, or Technolive.

    The FTC sued GATS, alleging that the company lied about partnering with
    well-known tech companies and tricked people into paying for unnecessary
    computer repairs. GATS has now paid $860,000 to settle the lawsuit.

    The FTC is sending refunds to people who paid money to GATS. If you get a
    check from us, cash it within 60 days. We will send refunds via PayPal to
    customers for whom we do not have a mailing address.

    Here’s how the PayPal refunds work: the FTC will send the customer an email
    from subs...@subscribe.ftc.gov. Then, within 24 hours, that customer will
    also get an email directly from PayPal about the refund. If you get those
    emails, all you have to do is type www.paypal.com into your browser, log in
    to your account (or create one), and review and accept the payment. Or
    accept payment by logging into the PayPal app.

    To avoid scammers who might pretend to be from the FTC or PayPal, follow
    these simple steps:

    * If you get a refund email that claims to be from the FTC or PayPal, don’t
    click on any links in the email. Instead, visit the website by typing the
    right URL into your browser: www.ftc.gov/refunds and www.paypal.com.

    * Check out FTC refunds at ftc.gov/refunds. Each case on that page has a
    phone number you can call to check on refund payments.

    * Know that the FTC never asks people to pay money or give sensitive
    financial information to get a refund. People who say they are with the
    FTC and ask for money are scammers.

    https://www.consumer.ftc.gov/blog/2019/08/refunds-global-access-technical-support-customers

    ------------------------------

    Date: Wed, 31 Jul 2019 02:09:55 +0900
    From: "ISHIKAWA,chiaki" <ishi...@yk.rim.or.jp>
    Subject: Business Continuity?: Kyoto Anime recovers digital recordings

    I have been a Japanese animation fan since I was a kid growing up in
    Japan. So this is a very prejudiced post in that direction.

    The arson of Kyoto Animation company (Kyoto Anime or KyoAni for short),
    almost a terrorist attack, which killed 35 people by now has had Kyoto Anime
    scrambling to recover what remains in the server computer in the building
    which burned down.

    The arson is now detailed in Wikipedia.
    https://en.wikipedia.org/wiki/Kyoto_Animation_arson_attack

    Since the night of July 29, it has been reported that Kyoto Anime, with the
    help of experts, could salvage the digital data from the server(s) that
    remained intact in the building that burned down. (In Japanese:
    https://www.asahi.com/articles/ASM7Y6H8ZM7YPTIL03K.html )

    Luckily the server(s) was on the first floor and was housed in a small space
    surrounded by concrete walls in the four directions (CI's comment: I wonder
    where the door was...) and withstood the fire and the water sprayed by
    firefighters.

    cf. Due to the nature of the Japanese language, I am not sure if the
    server referred to is actually a collection of servers (plural).

    An earlier Japan Times article in English mentioned that there *was* a
    server and the management hoped to recover the data *IFF* the server did not
    get wet during the firefighting effort.
    https://www.japantimes.co.jp/news/2...-drawing-storyboard-data-server-arson-attack/

    But to me it is hard to believe that 70+ people working on a few animation
    projects could work with only a single server, but it is not the major
    contention here.

    First of all, I am not sure if all the digital data of anime (animation,
    that is) held by that branch was recovered or not. The article mentioned
    digital data only, and inferred some animation digital drawings were
    recovered. An inquiring mind wants to know the answer to "Were all the
    relevant data transferred from individual PCs to the server each day?"
    Individual PCs went up in smoke literally. No hope of recovering data from
    them.

    One thing is crystal clear: ALL THE PAPER-BASED DRAWINGS IN THE BRANCH ARE
    GONE. PERIOD. (Except for a piece of paper with a hand-drawn illustration
    on it: it was on the backside of a whiteboard that remained in the
    building. I saw it in a news article.)

    When I read the article and some earlier articles, some computer-related
    risk keywords popped up in my mind: off-site backup, business continuity,
    and human resources.

    Here, human resources *IS* actually the most valuable one in this case, and
    the loss is felt throughout the media industry all over the world. No amount
    of off-site backup or business continuity planning that is created for
    earthquakes or typhoons (Japan's two biggest natural disasters) will be
    enough to counter the type of human-resource damage sustained by Kyoto Anime
    this time.

    Nevertheless, some business schools may create a case study of
    disaster-recovery planning for business continuity based on the incident.

    Yes, to my surprise and many others', Kyoto Animation obviously failed to
    perform off-site backup (and for that matter, distributed backup of
    paper-based illustrations). That is something to think about for the media
    company management types in the future. (So this post *IS* computer
    risk-related after all.)

    At the same time, I personally feel it is a tough time for the management
    indeed for recovering the business operation especially when I read the
    comments from the surviving members of the victims such as the one I quote
    later in this post.

    The impact of human toll is really devastating psychologically. Recovering
    from a crime-initiated disaster is not purely a computer-risk issue, but a
    wetware (people) issue too, especially so once the hardware, software and
    data are recovered.

    The following news contains comments regarding the color coordinator,
    Ms. Naomi Ishida, who has worked at Kyoto Anime for more than 20 years. A
    victim of the arson. The article is in Japanese:
    https://www3.nhk.or.jp/lnews/kyoto/20190725/2010004159.html (Ms. Ishida's
    background is explained in detail in English in the following URL:)
    https://www.animenewsnetwork.com/ne...omi-ishida-passed-away-in-studio-fire/.149318

    Since such Japanese news comments are unlikely to be translated into English
    any time soon, here is my rough translation of that part of the news
    article. (I searched for an English article that might refer to the comments
    of Ms. Ishida's parents, but only ended up with the animenewsnetwork article
    above.)

    My rough translation:

    Ms. Naomi Ishida's mother said "The police got in contact with us
    because the DNA identification had been completed and they wanted to explain
    the result to us. When I looked at the remains, I noticed that only a
    piece of metal from my daughter's hair accessory remained and all else had
    melted away. The fire was so severe. The whole ordeal could have been over
    in a short while. But it is a real pity that she must have suffered a lot
    during that time." and she added "I had not known her whereabouts after
    the arson. The only consolation now is that I can finally bring her back
    home..."

    Her father said "I have a tough time sleeping, thinking about how she must
    have suffered in pain at the last moment. But now I am a bit relieved
    having learned that so many anime fans placed flowers in many places in
    appreciation of the works to which my daughter contributed. I am now very
    proud of her. I hope she will be drawing pictures together with her
    colleagues in Heaven."

    Parents of other victims would have similar comments. Surviving victims
    need months or even years to heal from the wounds. The psychological
    damage is definitely large although hard to estimate. How can a company
    restart business operation amid such mental hardship?

    Personal comment: Ms. Ishida worked on animations such as the Suzumiya Haruhi
    TV series and others, which produced some interesting songs including the
    following one, which has been played ALMOST 100 MILLION TIMES on YouTube.

    This particular song is in my favorite list and I play the list from time to
    time in random order during desk work. Next time the song comes up and I
    watch the animation images on the PC screen whose color coordination Ms.
    Ishida produced, I will recall the words of her parents. What a pity. Not
    just an interesting BGM song anymore...

    ------------------------------

    Date: Fri, 26 Jul 2019 10:15:41 -0400
    From: George Mannes <gma...@gmail.com>
    Subject: Colorado gov't. email account for reporting child abuse goes
    unchecked for 4 years (WashPost)

    From The Washington Post:

    https://www.washingtonpost.com/nati...rts-years-five-cases-were-never-investigated/

    Colorado didn't check an email account for child abuse reports for
    years. Five cases weren't investigated.

    By Hannah Knowles July 15
    An email account set up by the Colorado government for reports of child
    abuse and neglect went unchecked for four years, leaving more than 100
    messages about mistreatment concerns unanswered and allowing five cases
    that needed follow-up to go without investigation.

    The email account was set up in 2015 to support a phone hotline and then
    forgotten, allowing reports to slip through at a time when the state worked
    to increase reporting of child abuse and emphasized a speedy response to
    concerns through a 24/7 hotline. That phone number received a record number
    of calls last year, four years into a public awareness campaign aimed at
    teaching more Coloradans about the state's resources....

    ...A May 15 internal audit discovered the problem. By the time the
    department looked at the neglected email account, 321 messages had piled
    up, including 104 about concerns that children were being abused or
    neglected, department spokeswoman Madlynn Ruble told The Washington Post.
    Many of those emails were duplicates or had already been addressed through
    other channels, Ruble said....

    ------------------------------

    Date: Sun, 04 Aug 2019 19:16:33 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: "Mortgage Provider Tells Savers of Zero Balances"

    Item about a UK building society (mortgage provider) from this weekend's
    newspaper -- summary follows with my comments.

    Sally Hamilton, The Mail On Sunday, 3 Aug 2019
    Panic as Nationwide BS emails 1.3m customers to tell them they have no
    money!

    https://www.dailymail.co.uk/money/s...e-BS-emails-1-3m-customers-tell-no-money.html

    Nationwide Building Society has come under fire for emailing 1.3 million
    savers with a 'summary' of their accounts showing they all had balances of
    zero. ... data security rules meant it was unable to provide balances by
    email 'because it isn't 100 per cent secure'. The new summary simply shows
    the types of accounts savers hold along with the interest rates paid -- and
    what balance is required to receive it. This showed... ISA accounts pay 1.1
    per cent and 1.2 per cent -- on balances of '0+ pounds'.

    [Looks like another casualty of data-protection laws, but more
    likely a case of a badly-worded message. CD]

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.35
    ************************
     
  7. LakeGator
    Risks Digest 31.36

    RISKS List Owner

    Aug 12, 2019 8:30 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 12 August 2019 Volume 31 : Issue 36

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts (WiReD)
    This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station' (WiReD)
    "New Windows malware can also brute-force WordPress websites"
    (Catalin Cimpanu)
    Getting physical: warshipping (Fortune)
    These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer (VICE)
    Inside the Hidden World of Elevator Phone Phreaking (WiReD)
    Popular kids' tablet patched after flaws left personal data vulnerable
    (Danny Palmer)
    Watch a Drone Take Over a Nearby Smart TV (WiReD)
    5G Wireless Networks Are Not Harmful to Health, FCC Says (Fortune)
    Phishing attack: Students' personal information stolen in university data
    breach (Danny Palmer)
    Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects
    Touchscreen Controls (USNI News)
    This High-Tech Solution to Disaster Response May Be Too Good to Be True
    (The New York Times)
    Scam pulse-monitoring app returns to Apple Store (Ben Lovejoy)
    He Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets (Bloomberg)
    GDPR's unintended consequences (The Register)
    Black Hat: GDPR privacy law exploited to reveal personal data (BBC News)
    Password policy recommendations: Here's what you need to know. (HPE)
    Re: Russian hackers are infiltrating companies via the office printer
    (Kelly Bert Manning)
    Climate change: how the jet stream is changing your weather (FT)
    Re: AI Predictive Policing (George Jansen)
    Re: Hawley/SMART Act (Rob Slade, Dimitri Maziuk)
    Re: Apple's Siri overhears your drug deals and sexual activity
    (Amos Shapir)
    Re: Siemens contractor pleads guilty to planting logic bomb in company,
    spreadsheets (Martin Ward)
    Researchers wrest control of one of world's most secure industrial
    controllers (The Times of Israel)
    Writing about writing (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 8 Aug 2019 23:36:06 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts
    (WiReD)

    But Boeing counters that it has both "additional protection mechanisms" in
    the CIS/MS that would prevent its bugs from being exploited from the ODN,
    and another hardware device between the semi-sensitive IDN -- where the
    CIS/MS is located -- and the highly sensitive CDN. That second barrier, the
    company argues, allows only data to pass from one part of the network to the
    other, rather than the executable commands that would be necessary to affect
    the plane's critical systems.

    "Although we do not provide details about our cybersecurity measures and
    protections for security reasons, Boeing is confident that its airplanes are
    safe from cyberattack," the company's statement concludes.

    Boeing says it also consulted with the Federal Aviation Administration and
    the Department of Homeland Security about Santamarta's attack. While the DHS
    didn't respond to a request for comment, an FAA spokesperson wrote in a
    statement to WIRED that it's "satisfied with the manufacturer's assessment
    of the issue."

    A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts

    ...or not.

    ------------------------------

    Date: Sat, 10 Aug 2019 23:24:51 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station'
    (WiReD)

    Automatic license plate reader cameras are controversial enough when law
    enforcement deploys them, given that they can create a panopticon of transit
    throughout a city. Now one hacker has found a way to put a sample of that
    power -- for safety, he says, and for surveillance -- into the hands of
    anyone with a Tesla and a few hundred dollars to spare.

    This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station'

    ------------------------------

    Date: Wed, 07 Aug 2019 10:53:43 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "New Windows malware can also brute-force WordPress websites"
    (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 7 Aug 2019
    Avast discovers strange new malware strain that besides stealing and
    mining cryptocurrency on infected hosts, it also launches brute-force
    attacks on WordPress sites.
    New Windows malware can also brute-force WordPress websites | ZDNet

    ------------------------------

    Date: Sat, 10 Aug 2019 23:46:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Getting physical: warshipping (Fortune)

    IBM researchers are hyping a new hacking technique called "warshipping" that
    involves breaking into corporate networks using a cheap Wi-Fi device sent in
    the mail.
    <With warshipping, hackers ship their exploits directly to their target’s mail room – TechCrunch>
    A hacker has turned a Tesla vehicle into a mobile surveillance station
    capable of storing facial imagery and license plate numbers. Elevator
    phone phreaking is the latest hacker fad.
    <This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station'>
    <Inside the Hidden World of Hacking Elevator Phones>

    ...from Fortune magazine newsletter.

    ------------------------------

    Date: Mon, 12 Aug 2019 17:53:56 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: These Legit-Looking iPhone Lightning Cables Will Hijack Your
    Computer (VICE)

    It looks like an Apple lightning cable. It works like an Apple lightning
    cable. But it will give an attacker a way to remotely tap into your
    computer.

    These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer

    ------------------------------

    Date: Sat, 10 Aug 2019 23:22:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Inside the Hidden World of Elevator Phone Phreaking (WiReD)

    Author writes:

    The first time I called into an elevator, I picked up my iPhone and dialed
    the number labeled on my list as the Crown Plaza Hotel in Chicago—and
    immediately heard two beeps, then a recording of a woman's voice, who told
    me to press one to talk. When I did, I was suddenly in an aural space filled
    with the hum of motors and the muffled twanging of steel cables under
    tension. "Hello, can anyone hear me?" I asked the void. The void did not
    respond.

    I hung up and tried another number on my list: A Hilton hotel in Grand
    Rapids, Michigan. After just one ring I heard a series of four tones and
    was immediately listening to the inside of another elevator. I heard a
    chime, perhaps a signal that it had reached a floor, followed by the
    rumble of what might have been a door opening. "Hi, is anyone in here?" I
    asked. This time I heard a few muffled voices, then a woman answered:
    "There are people in here, yes."

    Inside the Hidden World of Hacking Elevator Phones

    ------------------------------

    Date: Wed, 07 Aug 2019 10:31:38 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Popular kids' tablet patched after flaws left personal data
    vulnerable (Danny Palmer)

    Danny Palmer, ZDNet, 7 Aug 2019
    Researchers also found security holes that gave away personal data and
    credit card information of children's parents.
    Popular kids' tablet patched after flaws left personal data vulnerable | ZDNet

    selected text:

    Security vulnerabilities in a popular children's tablet could have allowed
    attackers to collect sensitive information about its young users, as well as
    enabling hackers to steal their parents' names, address and credit card
    details.

    In addition to this, researchers found that the Pet Chat protocol didn't
    require any authentication between devices, meaning anyone running Pet Chat
    within 100ft of a user could send messages to the child's device, albeit in
    the set phrases allowed by Pet Chat, something that could potentially put
    the child at risk.

    ------------------------------

    Date: Mon, 12 Aug 2019 17:58:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Watch a Drone Take Over a Nearby Smart TV (WiReD)

    For all the focus on locking down laptops and smartphones, the biggest
    screen in millions of living rooms remains largely unsecured
    <Worried the CIA Hacked Your Samsung TV? Here's How to Tell>,
    even after years of warnings
    <Most Smart TVs Spy on You. Here's How to Make Them Stop>. Smart TVs
    today can fall prey to any number of hacker tricks -- including one
    still-viable radio attack, stylishly demonstrated by a hovering drone.

    At the Defcon hacker conference Sunday, independent security researcher
    Pedro Cabrera showed off, in a series of hacking proof of concept attacks,
    how modern TVs -- and particularly smart TVs that use the Internet-connected
    HbbTV standard implemented in his native Spain, across Europe, and much of
    the rest of the world -- remain vulnerable to hackers. Those techniques can
    force TVs to show whatever video a hacker chooses, display phishing messages
    that ask for the viewer's passwords, inject keyloggers that capture the
    user's remote button presses, and run cryptomining software. All of those
    attacks stem from the general lack of authentication in TV networks'
    communications, even as they're increasingly integrated with Internet
    services that can allow a hacker to interact with them in far more dangerous
    ways than in a simpler era of one-way broadcasting.

    "The lack of security means we can broadcast with our own equipment anything
    we want, and any smart TV will accept it," Cabrera says. "The transmission
    hasn't been at all authenticated. So this fake transmission, this channel
    injection, will be a successful attack."

    At the Defcon hacking conference in Las Vegas, a security researcher showed
    how easy it is to compromise a smart TV with a DJI quadcopter.

    Watch a Drone Take Over a Nearby Smart TV

    ------------------------------

    Date: Fri, 9 Aug 2019 15:36:27 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: 5G Wireless Networks Are Not Harmful to Health, FCC Says (Fortune)

    The Feds Try To End the Debate Over 5G Health Concerns' Data Sheet

    It's the question everyone wants to go away: are 5G wireless networks safe
    or are they a risk to human health?

    On Thursday, the Federal Communications Commission and the Food and Drug
    Administration tried to put the question to bed once more. The FCC announced
    it would hold its radio frequency exposure limits for cell phones, cellular
    towers, and other wireless gear at current levels. The use of some new
    frequencies as part of the 5G rollout did not change the situation, the
    agency said. After a review of the scientific record and consultations with
    health agencies, ``we find it appropriate to maintain the existing radio
    frequency limits, which are among the most stringent in the world for cell
    phones,'' Julius Knapp, chief of the FCC's Office of Engineering and
    Technology, said. That came backed with excerpted comments from Jeffrey
    Shuren, director of the Food and Drug Administration's Center for Devices
    and Radiological Health. The ``available scientific evidence to date does
    not support adverse health effects in humans due to exposures at or under
    the current limit'' and ``[n]o changes to the current standards are
    warranted at this time,'' Shuren explained in a letter cited in part by the
    FCC.

    That's also the same conclusion that the scientific association the
    Institute of Electrical and Electronics Engineers, or IEEE, came to back in
    February, when it completed a review of recommended exposure limits and also
    agreed to maintain them at current levels.

    But the announcements are unlikely to end the debate
    <Health Concerns May Slow Rollout of Super-Fast 5G Mobile Networks, Analyst Warns>.
    Worriers can point to a few studies and the decision by the World Health
    Organization's International Agency for Research on Cancer to classify
    cellular radio waves as a possible carcinogen back in 2011. And countries
    like Belgium and Switzerland have delayed 5G networks over health concerns.
    On the other side, research from the American Cancer Society and the
    National Institutes of Health, among others, have concluded there are no
    risks. And so round it goes. The WHO has a vast, new study underway that,
    perhaps, will offer a more definitive result. For a truly deep dive, check
    out the page maintained by the National Cancer Institute on cell phones and
    cancer research
    <Cell Phones and Cancer Risk Fact Sheet>.

    Government Says Don't Worry About Harm from 5G

    ------------------------------

    Date: Wed, 07 Aug 2019 10:26:47 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Phishing attack: Students' personal information stolen in
    university data breach (Danny Palmer)

    Danny Palmer, ZDNet, 23 Jul 2019

    University says it has fallen victim to a "sophisticated and malicious
    phishing attack" -- and students are being warned to look out for suspicious
    emails.
    Phishing attack: Students' personal information stolen in university data breach | ZDNet

    Hackers have stolen personal data of prospective and current students at
    Lancaster University after gaining access to databases that contained
    personal information -- with victims now the targets of additional
    cyberattacks.

    Names, addresses, telephone numbers, and email addresses have been
    compromised by cyberattackers who gained unauthorised entry to undergraduate
    students' application records for 2019 and 2020. The university has over
    13,000 students, but there's currently no figure on the number of people who
    have been caught up in the attack.

    ------------------------------

    Date: Mon, 12 Aug 2019 17:51:04 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects
    Touchscreen Controls (USNI News)

    SAN DIEGO – The Navy will begin reverting destroyers back to a physical
    throttle and traditional helm control system in the next 18 to 24 months,
    after the fleet overwhelmingly said they prefer mechanical controls to
    touchscreen systems in the aftermath of the fatal USS John S. McCain
    (DDG-56) collision.

    The investigation into the collision showed that a touchscreen system that
    was complex and that sailors had been poorly trained to use contributed to a
    loss of control of the ship just before it crossed paths with a merchant
    ship in the Singapore Strait. After the Navy released a Comprehensive Review
    related to the McCain and the USS Fitzgerald (DDG-62) collisions, Naval Sea
    Systems Command conducted fleet surveys regarding some of the engineering
    recommendations, Program Executive Officer for Ships Rear Adm. Bill Galinis
    said.

    Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects Touchscreen Controls - USNI News

    Nice work on testing design, getting user input...

    ...and funny juxtaposition:

    Touchless Gesture Controls on Phones? Think Bigger

    ------------------------------

    Date: Sat, 10 Aug 2019 09:52:00 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: This High-Tech Solution to Disaster Response May Be Too Good
    to Be True (The New York Times)

    This High-Tech Solution to Disaster Response May Be Too Good to Be True

    Emergency response simulation, for sale, adopted by several municipalities
    (and at least one country -- Japan) to optimize first responder resource
    allocation and prioritization. The `One Concern' AI platform relies on
    residential census data.

    As noted in the NY Times piece:

    "But when T.J. McDonald, who works for Seattle's office of emergency
    management, reviewed a simulated earthquake on the company's damage
    prediction platform, he spotted problems. A popular big-box store was grayed
    out on the web-based map, meaning there was no analysis of the conditions
    there, and shoppers and workers who might be in danger would not receive
    immediate help if rescuers relied on One Concern's results.

    "'If that Costco collapses in the middle of the day, there's going to be a
    lot of people who are hurt,' he said."

    The US census collects household income data. This component might be
    accorded greater algorithmic weight. Similarly, what would happen to
    disaster response prioritization if crime statistics, such as homicide rate,
    were integrated? Or if there's an EPA superfund site in the locality?

    Algorithmic bias remains a significant risk to public safety and health.
    Trust that dedicated public servants, like Mr. McDonald, are vigilant and
    accountable to direct emergency response where and when disaster strikes.

    ------------------------------

    Date: Wed, 7 Aug 2019 12:05:06 -0400
    From: George Mannes <gma...@gmail.com>
    Subject: Scam pulse-monitoring app returns to Apple Store (Ben Lovejoy)

    [Fiendishly clever, or cleverly fiendish:]

    https://9to5mac.com/2019/08/07/scam-heartrate-app/

    Ben Lovejoy
    Scam heart rate app is back in the App Store, trying to steal $85/year

    A scam heart rate app that tried to con iPhone users out of $89/year is now
    back in the App Store under a new name, some eight months after Apple
    removed the original version.

    The app specifically targets people who own iPhones with Touch ID.

    What the app does is ask users to place their finger on the Home button,
    supposedly to take a heart-beat reading. In reality, the app dims the
    display brightness to its minimum to hide the content -- which is actually
    Apple's dialogue requesting authorization for a recurring in-app purchase.
    If users place a registered Touch ID finger on the Home button, that
    completes the purchase.

    Apple removed the app in November of last year following our report, but
    Brazil's Mac Magazine reports that it has now returned. ...

    Now the app presents itself as `Pulse Heartbeat' and its developer is
    registered as BIZNES-PLAUVANNYA, PP.

    The in-app purchase is now for 340 Brazilian reals, which is equivalent to
    around US$85. As before, the app is targeting Portuguese speakers. ...

    The reality [no pun intended?] is that the app review process is a manual
    one, and prone to human error. Scammers will usually submit an innocuous app
    and then update it with rogue code after approval. Although Apple reviews
    updates too, there is a general belief that this review is less thorough
    than for a new app.

    The report does show that even in a curated app store, there are still
    risks. ...

    ------------------------------

    Date: Sat, 10 Aug 2019 00:44:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: He Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets
    (Bloomberg)

    Avoiding digital snoops takes more than throwing money at the problem,
    but that part can be really fun.

    https://www.bloomberg.com/news/feat...m-silicon-valley-in-a-pile-of-privacy-gadgets

    ------------------------------

    Date: Fri, 9 Aug 2019 13:33:14 -0400
    From: Steven Klein <ste...@klein.us>
    Subject: GDPR's unintended consequences (The Register)

    GDPR, the EU's General Data Protection Regulation, is supposed to protect
    personal data and user privacy for EU citizens. But it has made life
    much easier for identity thieves. The law obligates companies to provide a
    copy of any personal data they have, but doesn't require companies to verify
    the identity of those requesting the info.

    ``James Pavur, a PhD student at Oxford University who usually specialises in
    satellite hacking, explained how he was able to game the GDPR system to get
    all kinds of useful information on his fiancée [with her permission],
    including credit card and social security numbers, passwords, and even her
    mother's maiden name. [...] Over the space of two months Pavur sent out 150
    GDPR requests in his fiancée's name, asking for all and any data on her. In
    all, 72 per cent of companies replied back, and 83 companies said that they
    had information on her. ... Of the responses, 24 per cent simply accepted
    an email address and phone number as proof of identity and sent over any
    files they had on his fiancée.''

    ``A threat-intelligence company sent over a list of her email addresses and
    passwords which had already been compromised in attacks. Several of these
    still worked on some accounts.''

    Source: The Register <https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/>

    ------------------------------

    Date: Thu, 8 Aug 2019 17:51:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Black Hat: GDPR privacy law exploited to reveal personal data
    (BBC News)

    About one in four companies revealed personal information to a woman's
    partner, who had made a bogus demand for the data by citing an EU privacy
    law.

    The security expert contacted dozens of UK and US-based firms to test how
    they would handle a "right of access" request made in someone else's name.

    In each case, he asked for all the data that they held on his fiancee.

    In one case, the response included the results of a criminal activity check.

    Other replies included credit card information, travel details, account
    logins and passwords, and the target's full US social security number.

    University of Oxford-based researcher James Pavur has presented his findings
    at the Black Hat conference in Las Vegas.

    It is the first known test of its kind to exploit the EU's General Data
    Protection Regulation (GDPR), which came into force in May 2018.

    "Generally if it was an extremely large company -- especially tech ones --
    they tended to do really well," he told the BBC.

    "Small companies tended to ignore me."

    https://www.bbc.com/news/technology-49252501

    [Also noted by others. PGN]
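
    The two items above describe the same experiment: about one company in four
    released a stranger's data because a matching e-mail address and phone
    number were taken as proof of identity. As an added illustration (not code
    from either article, nor from any company that was tested), the Python below
    puts that policy beside one that releases data only after the requester
    proves control of a contact channel that was already on record, via a
    one-time token sent out of band. The customer record, the request fields
    and the token store are constructed sample data; every name in it is
    hypothetical.

```python
"""Right-of-access (DSAR) identity verification: the weak policy from the
articles beside a channel-proof policy. Added example; constructed data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample record for one data subject (hypothetical, not real data).
RECORD = {
    "subject_id": "cust-1042",
    "name": "Alex Example",
    "emails": {"alex@example.org"},
    "phones": {"+15555550123"},
}


@dataclass
class AccessRequest:
    """A request as it arrives: every field is requester-supplied and unproven."""
    name: str
    email: str
    phone: str


def weak_policy_accepts(req: AccessRequest, record: dict) -> bool:
    """The policy 24 per cent of companies applied: contact details that match
    the record count as proof. Anyone who knows the subject's e-mail address
    and phone number passes, which is exactly what the experiment exploited."""
    return req.email in record["emails"] and req.phone in record["phones"]


@dataclass
class ChallengeStore:
    """Pending one-time tokens, kept as salted SHA-256 digests keyed by channel,
    plus the set of channels whose token has been redeemed."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pending: dict = field(default_factory=dict)
    verified: set = field(default_factory=set)

    def _digest(self, token: str) -> bytes:
        return hashlib.sha256(self.salt + token.encode()).digest()

    def issue(self, record: dict) -> dict:
        """Create a token for every channel already ON RECORD. The channels come
        from the record, never from the request, so an address the requester
        typed in gets nothing. Returns {channel: token}, standing in for the
        e-mails and SMS messages that would go out of band."""
        sent = {}
        for channel in sorted(record["emails"] | record["phones"]):
            token = secrets.token_urlsafe(16)
            self.pending[channel] = self._digest(token)
            sent[channel] = token
        return sent

    def redeem(self, channel: str, token: str) -> bool:
        """Constant-time check of a presented token; each token is single use."""
        expected = self.pending.get(channel)
        if expected is None or not hmac.compare_digest(expected, self._digest(token)):
            return False
        del self.pending[channel]
        self.verified.add(channel)
        return True


def strong_policy_accepts(record: dict, store: ChallengeStore) -> bool:
    """Release data only once the requester has proven control of at least one
    contact channel that was on record before the request arrived. What the
    request form said is irrelevant to this decision."""
    return bool(store.verified & (record["emails"] | record["phones"]))


def simulate() -> dict:
    """Replay the experiment: an impostor who knows the subject's e-mail and
    phone files a request that looks identical to one the subject would file."""
    claim = AccessRequest("Alex Example", "alex@example.org", "+15555550123")
    results = {"weak_impostor": weak_policy_accepts(claim, RECORD)}

    # Strong policy, impostor: tokens go to the on-record channels, which the
    # impostor cannot read, so the best they can do is guess.
    store = ChallengeStore()
    store.issue(RECORD)
    store.redeem("alex@example.org", "guessed-token")
    results["strong_impostor"] = strong_policy_accepts(RECORD, store)

    # Strong policy, real subject: reads the token from their own inbox.
    store = ChallengeStore()
    sent = store.issue(RECORD)
    store.redeem("alex@example.org", sent["alex@example.org"])
    results["strong_subject"] = strong_policy_accepts(RECORD, store)
    return results


if __name__ == "__main__":
    print(simulate())
```

    The design point is that the request form contributes nothing to the
    identity decision: the challenge goes to channels the company already held
    before the request arrived, so a requester who merely knows the subject's
    e-mail address and phone number (or supplies a fresh address of their own)
    cannot complete it.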

    ------------------------------

    Date: Tue, 6 Aug 2019 19:42:26 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Password policy recommendations: Here's what you need to know. (HPE)

    Complexity, uniqueness, and periodic change have long been the top best
    practices for passwords, but new recommendations have led to changes around
    password policies.

    https://www.hpe.com/us/en/insights/...dations-heres-what-you-need-to-know-1908.html

    ------------------------------

    Date: Thu, 8 Aug 2019 13:06:33 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Russian hackers are infiltrating companies via the office
    printer (RISKS-31.35)

    Russia may be a new player, but I first became concerned about printer
    hacking when I read the manuals for the shiny new IP connected Lexmark
    printers that replaced PC connected and IBM SNA printers back in the 1990s.
    I contacted IT security to note that the printers came from the factory with
    a standard remote admin login ID and password, suggesting that it might be
    wise to change those.

    The response was Move Along, Nothing to Worry About Here, even from BC
    Ministry of Health IT security.

    Fast forward a couple of years and all Lexmark printers in the Ministry have
    to be disconnected, shut down and purged of a Lexmark Virus.

    Things like that happened often enough that new staff were advised to always
    stay on my right side, although my view was that sometimes I found it a
    challenge to be influential and persuasive, in addition to being correct.
    White Hat Social Engineering, persuading and influencing people to make the
    correct choice, can be as important as having the best analysis, solution or
    mitigation.

    ------------------------------

    Date: Tue, 6 Aug 2019 14:25:36 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Climate change: how the jet stream is changing your weather (FT)

    *Northern Atlantic current is shifting course -- with implications for crops
    and sea levels*

    EXCERPT:

    At the summit of the Greenland ice cap the temperature rarely rises above
    zero degrees centigrade -- the elevation is 3,200m and the ice below is more
    than a mile thick.

    But last Friday, as the sun beat down, a small weather station laden with
    sensors captured something highly unusual: the temperature crept past zero
    and up to 3.6C -- the highest since records began three decades ago. As
    temperatures rose across the massive ice sheet, which blankets an area five
    times the size of Germany, around 60 per cent of the surface started to
    melt, one of the largest ever recorded.

    Scientists know of only three prior occasions in the past 800 years when
    there has been melting at the very top of the ice cap, which is kept chilled
    by the large volume of ice beneath. But this seems to be getting more
    frequent -- it is now the second time this decade it has happened.

    ``The last time we saw melting at the summit, in 2012, we thought it was the
    extreme of the extremes, and wouldn't happen again so quickly,'' says Konrad
    Steffen, a professor of climate and cryosphere at ETH Zurich, who operates a
    network of 18 monitoring stations across the ice sheet. ``But now we are
    facing more of these extremes.''

    Prof Steffen's data shows that between July 30 and August 2 a heatwave in
    Greenland produced several record highs across the ice sheet, including at
    East Grip, the second highest monitoring station. ``If you start melting at
    the top of the ice sheet, we are going to lose [the] Greenland ice sheet
    long-term,'' he adds.

    The immediate trigger for the heatwave was a shift in atmospheric currents
    high above the earth's surface: the North Atlantic Jet Stream, a fast
    current of wind that blows from west to east, had formed a buckle that was
    trapping warm air over Greenland. The same pattern had caused a
    record-setting heatwave in Europe a few days earlier, before shifting over
    to sit on top of the Greenland ice sheet.

    It's not just Greenland's weather that is governed by the jet stream.
    Across Europe and North America, it controls extreme weather conditions of
    all kinds, from winter cold snaps, to heatwaves, to storms...

    https://www.ft.com/content/591395fe-b761-11e9-96bd-8e884d3ea203

    ------------------------------

    Date: Tue, 6 Aug 2019 18:36:29 -0400
    From: <gja...@aflcio.org>
    Subject: Re: AI Predictive Policing (RISKS-31.35)

    When this started making the news, I found myself thinking of entry 66 in
    Notebook F of Lichtenberg's *The Waste Books*:

    "If physiognomy becomes what Lavater expects it to become, children will
    be hanged before they have perpetrated the deeds that deserve the gallows;
    a new kind of confirmation will thus be performed every year. A
    physiognomical *auto-da-fe*."

    (There are slighting references to Lavater elsewhere in *The Waste Books*,
    which NYRB has brought back into print:
    https://www.nyrb.com/collections/all/products/the-waste-books?variant=1094932745)

    ------------------------------

    Date: Tue, 6 Aug 2019 15:44:21 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Re: Hawley/SMART Act (Stein/Goldberg, RISKS-31.35)

    Saints preserve us from "well-intentioned" politicians. This time around
    it's Josh Hawley, who wants to save us from social media addiction. I don't
    know anything about him. Wikipedia seems to indicate that he's a nice guy
    (except for that bit about not wanting people to have health care). OK, I'm
    with him so far. But the way he wants to do it is to make a simple fix.
    (Saints preserve us from "simple" solutions to complex problems.) He wants
    to limit how much "feed" you can get from a social media site on one go.
    Also limit your time on any given site to half an hour a day. (Ah, gee,
    Dad!)

    Right. I think I see the problem here. You see, Hawley is a lawyer.
    Lawyers have to go to law school, so they are fairly smart. And they help
    people with problems, so they like to fix problems. All good so far. The
    problem is that lawyers get used to thinking they are smarter than other
    people (which is generally true), and that they can fix pretty much any
    problem (which is not true). In particular, they tend to start thinking
    they can start fixing problems they don't know anything about, especially
    when they pupate out of the larval (lawyer) stage and into full-grown
    politicians.

    See, having a limit on how much socmed you can get in one go probably won't
    solve anything. And it's going to be a nuisance for many. Yesterday I had
    a meeting downtown. So, since I use Twitter for news, I went to my favorite
    bus stop, fired up Twitter, scrolled down as far as I could go, hopped on
    the 210 when it came, and noted which stories I wanted to read (later) all
    the way to the meeting. Which usually takes an hour. It would have been
    annoying to be limited to enough to cover just a few blocks. Not very
    effective use of my time.

    (Nor, when I come to think of it, very possible. I mean, I was only "on"
    Twitter for the few minutes it took to load the feed. Is he going to make
    Twitter, and all other apps, cut off after being on screen for 30 minutes?
    How's that going to work for people with perceptual disabilities, who need
    more time to read things?)

    And the sweet young thing beside me, following all of her friends and their
    latest "haul" videos, is not going to be limited by having to refresh the
    screen every few entries. She's doing that anyway. It just means that
    she's going to be refreshing the screen at some point when she should be
    watching for that car coming through the intersection where she's crossing
    the street. Plus, after she gets finished with Instagram, she'll be onto
    WhatsApp, and then Facebook, and then ... well, you get the picture.

    Sorry, Josh. You haven't solved anything.

    ------------------------------

    Date: Tue, 6 Aug 2019 16:24:21 -0500
    From: Dimitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Hawley/SMART, Act (Stein/Goldberg, RISKS-31.35)

    > ... infinite scroll would be illegal, as would autoplay videos.

    Great! I will once again be able to see how much content there is on a page
    by just looking at the scroll bar. And it won't distract my eyes and waste
    bandwidth on the junk I never wanted to see in the first place.

    ------------------------------

    Date: Wed, 7 Aug 2019 18:00:03 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Apple's Siri overhears your drug deals and sexual activity
    (RISKS-31.35)

    In other words, never discuss SIRIous matters (or a TV SERIes, etc, etc..)
    when Siri is present.

    ------------------------------

    Date: Fri, 9 Aug 2019 12:03:57 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Siemens contractor pleads guilty to planting logic bomb in
    company, spreadsheets (RISKS-31.35)

    Two quotes from the ZDNet article:

    > But while Tinley's files worked for years, they started malfunctioning
    > around 2014. Every time the scripts would crash, Siemens would call
    > Tinley, who'd fix the files for a fee.

    It seems that if you work for Siemens, the poorer the quality of the work
    you produce, the more you will get paid. Just don't try to get too clever
    and use automation to emulate poor quality work: or at least, if you do,
    don't hand over the administrative password. You don't want your customer to
    gain control over the software which runs *their* business!

    If you are wondering why there is so much poor quality software
    out there: an ecosystem which gives higher rewards for poorer quality
    might possibly be a contributor!

    At least this particular contractor didn't try to use plausibly deniable
    bug injection: cf the "Underhanded C Contest"
    https://en.wikipedia.org/wiki/Underhanded_C_Contest

    ------------------------------

    Date: Thu, 8 Aug 2019 23:31:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Researchers wrest control of one of world's most secure industrial
    controllers (The Times of Israel)

    “Siemens is aware of the research from Technion, Haifa and Tel-Aviv
    University to be presented at BlackHat USA 2019,” Siemens said in an emailed
    statement to The Times of Israel.

    In response, the firm recommended that users of the controller SIMATIC
    S7-1200/S7-1500 enable the feature `access protection' to prohibit
    unauthorized modifications of the devices. Siemens also recommended to
    follow and implement the defense-in-depth approach for plant operations, and
    to configure the environment according to its operational guidelines for
    Industrial Security.

    https://www.timesofisrael.com/resea...of-worlds-most-secure-industrial-controllers/

    Good response, "prohibit unauthorized modifications of the devices".

    ------------------------------

    Date: Thu, 8 Aug 2019 14:44:49 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Writing about writing

    I came across a post on the ISC2 blog. It's an article by Chris Veltsos
    (*Dr.* Chris Veltsos, if you please, or, to his friends, Dr. Infosec) on
    "Writing Cybersecurity Articles--Getting Through the Tough Times." As the
    title somewhat implies, it's about how to get through writer's block when
    writing about infosec.
    https://blog.isc2.org/isc2_blog/2019/08/writing-cybersecurity-articles-getting-through-the-tough-times.html

    I'm really not sure how to take this.

    First off, if you work in infosec, you pretty much automatically have the
    best inspiration in the world. There is always something new happening in
    infosec. There is always something new happening that is applicable to
    infosec. Techies, in various fields, are always arguing about which field
    in high tech is the fastest moving. I figure infosec has a lock on it:
    whatever is happening, in whatever tech field, has security implications.

    As a bit of background, I've published four books. (Or six, depending on
    how you count them.) Over the years I've written monthly columns for at
    least three periodicals. For twenty years I had a project doing book
    reviews in technical literature. (Always at least weekly: often daily.)
    I've abandoned a number of blogs. Since I got into infosec I have *never*
    run out of things to write about. I don't have the *time* to write about
    everything I want to. (I desperately want voice recognition to get good
    enough to take dictation.)

    I don't understand "writer's block." I don't understand dry spells.
    (Fatigue, I could understand ...)

    So, then, to the specifics of what Chris has to say about it.

    He says you need motivation. (And aqueducts, apparently.) Oh, come on.
    You work in infosec. You are saving people's privacy, money, jobs. Your
    colleagues, your friends, your family. How is that not enough motivation?
    (Yeah, sure, the stupid things your colleagues, friends, and family do are
    sometimes depressing. So, take some time to yell at them via your writing
    ...)

    He says you need to think about why you are writing. Sorry, isn't that the
    same thing as your motivation? (Oh, unless you are just writing for
    self-promotion. Yeah, I could see how that could get pretty dry at times
    ...)

    He says you need to think about your writing "environment." Yeah, I hear
    about that all the time. Saw a movie last night that had a writer who
    couldn't write without everything just so in the "environment." Again,
    while I understand that having the building collapsing around you could be a
    distraction, I don't understand this "environment" business. I've written
    at home, on planes, in airports, on trains, at work between demands, on the
    bus, in coffee shops and restaurants, in hotels, and while waiting to be
    called to testify in court. You're writing about infosec. It needs to be
    done.

    He says you should think about pen and paper, if a computer doesn't do it
    for you. OK, if necessary. I mostly use a computer, or laptop, or
    something with a keyboard. I've used tablets and smartphones. (I *hate*
    soft keyboards.) I've used pen (or even pencil) and paper. (My handwriting
    is terrible. Always has been.) (But I've always wanted to try out those
    pens that save what you've written ...) I've used whiteboards, blackboards,
    chalk, or a piece of burnt stick on a rock. Whatever works.

    His last three suggestions are, basically, give it a rest and come back to
    it. OK. I've often got multiple bits on the go, so I might leave one for a
    time and concentrate on others.

    But I'm writing about infosec. There's too much to leave it for long ...

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.36
    ************************
  8. LakeGator

    Risks Digest 31.37

    RISKS List Owner

    Aug 19, 2019 8:41 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 19 August 2019 Volume 31 : Issue 37

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Russian nuclear-powered cruise missile blows up, creating
    `mini-Chernobyl' (Ars Technica)
    Facial recognition software mistook 1 in 5 California lawmakers
    for criminals, says ACLU (LATimes)
    Major breach found in biometrics system (The Guardian)
    Security Database leak reveals: Biometric data, plaintext passwords
    and much more... (VPN Mentor)
    "Researchers Use Blockchain to Drive Electric Vehicle Infrastructure"
    (U.Waterloo)
    "Why blockchain-based voting could threaten democracy" (Lucas Mearian)
    Steam vulnerability reportedly exposes Windows gamers to system hijacking
    (Charlie Osborne)
    Critical Windows 10 Warning: Millions Of Users At Risk (Forbes via
    Gabe Goldberg)
    Null is Not Nothing (WiReD)
    Trend Micro fixes privilege escalation security flaw in Password Manager
    (Charlie Osborne)
    Ransomware Attack Hits 20 Local Governments In Texas (Kut)
    Computer Outage Delays International Travelers Arriving at Dulles
    (NBC4 Washington)
    London Exchange Is Delayed by Technical Problem (NYTimes)
    Cascading Effect of putting your data in a single cloud basket (Telus)
    Electric car charging stations may be portals for power grid
    cyber-attacks (Tech Xplore)
    How Flat Earthers Nearly Derailed a Space Photo Book (NYTimes)
    Hack in the box: Hacking into companies with "warshipping" (Ars Technica)
    Re: These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer
    (Chiaki Ishikawa)
    Re: Password policy recommendations: Here's what you need to know
    (R A Lichensteiger, Gabe Goldberg)
    Re: Climate change: how the jet stream is changing your weather
    (R. G. Newbury)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 13 Aug 2019 11:29:00 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: Russian nuclear-powered cruise missile blows up, creating
    `mini-Chernobyl' (Ars Technica)

    Atomic research agency acknowledges "isotope power source" of "rocket
    engine" exploded.

    Ars Technica: Russian nuclear-powered cruise missile blows up, creating “mini-Chernobyl” — Ars Technica

    ------------------------------

    Date: August 14, 2019 at 9:45:24 AM GMT+9
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Facial recognition software mistook 1 in 5 California lawmakers
    for criminals, says ACLU (LATimes)

    Facial recognition software mistook 1 in 5 California lawmakers for criminals, says ACLU

    ------------------------------

    Date: Wed, 14 Aug 2019 17:59:51 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Major breach found in biometrics system (The Guardian)

    Israeli security researchers have found that a database belonging to
    web-based Biostar 2 biometrics lock system, was unprotected and mostly
    unencrypted. It exposed fingerprints of over 1 million people, as well as
    facial recognition information, unencrypted usernames and passwords, and
    personal information of employees.

    Major breach found in biometrics system used by banks, UK police and defence firms

    [Also noted by John Utteridge. PGN]

    ------------------------------

    Date: Wed, 14 Aug 2019 14:16:39 +0200
    From: Anthony Thorn <anthon...@atss.ch>
    Subject: Security Database leak reveals: Biometric data, plaintext passwords
    and much more... (VPN Mentor)

    A huge data breach in security platform BioStar 2:
    Report: Data Breach in Biometric Security Platform Affecting Millions of Users

    If this leak -- discovered by Vpnmentor researchers -- has been exploited by
    criminals the results would be disastrous.

    According to Vpnmentor blog, the database contains plaintext -- *not* hashed
    -- passwords and biometric data for millions of users.

    These users are employees of firms using the Biostar 2 access control
    application (including administrators).

    You can change a compromised password, but your fingerprint is not only
    fixed, but shared across all applications which use fingerprint recognition.
    What is your contingency plan?

    ------------------------------

    Date: Mon, 19 Aug 2019 11:51:25 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: "Researchers Use Blockchain to Drive Electric Vehicle Infrastructure"
    (U.Waterloo)

    University of Waterloo News (14 Aug 2019) via ACM TechNews, 19 Aug 2019

    Researchers in the Cheriton School of Computer Science and the Department of
    Management Science of Canada's University of Waterloo have incorporated
    blockchain into energy systems, which could expand charging infrastructure
    for electric vehicles (EVs). An open blockchain platform will give EV
    owners, property owners, and charging service operators access to charging
    data, and alert them to tampering; EV owners will be able to see whether
    they are being overcharged for charging their vehicles, and property owners
    will be alerted to instances of underpayment. Said Waterloo's Christian
    Gorenflo, "Mitigating trust issues in EV charging could result in people who
    have charging stations and even those who just have an outdoor outlet being
    much more willing to team up with an EV charging service provider, resulting
    in much better coverage of charging stations."

    ------------------------------

    Date: Tue, 13 Aug 2019 11:34:28 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Why blockchain-based voting could threaten democracy"
    (Lucas Mearian)

    Lucas Mearian, Computerworld
    As the desire to increase voter turnout remains strong and the number of
    online voting pilot projects rises in the U.S. and abroad, some security
    experts warn any Internet-based election system is wide open to attack,
    regardless of the underlying infrastructure.
    Why blockchain-based voting could threaten democracy

    selected text:

    Even as there's been an uptick in pilot projects, security experts warn that
    blockchain-based mobile voting technology is innately insecure and
    potentially a danger to democracy through "wholesale fraud" or "manipulation
    tactics."

    Thirty-two states permit various kinds of online voting -- such as via email
    -- for some subset of voters. In the 2016 general election, more than 100,000
    ballots were cast online, according to data collected by the U.S. Election
    Assistance Commission. The actual number is likely much higher, according to
    some experts.

    "Tampering with mailed paper ballots is a one-at-a-time attack. Infecting
    voters' computers with malware or infecting the computers in the elections
    office that handle and count ballots are both effective methods for
    large-scale corruption," Epstein said.

    ------------------------------

    Date: Tue, 13 Aug 2019 12:03:23 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Steam vulnerability reportedly exposes Windows gamers to system
    hijacking (Charlie Osborne)

    Charlie Osborne for Zero Day | 13 Aug 2019
    The researcher was asked not to disclose the bug but did so anyway.
    Steam vulnerability reportedly exposes Windows gamers to system hijacking | ZDNet

    The Steam gaming platform reportedly contained a severe vulnerability which
    could subject users to privilege escalation attacks but was not considered
    in scope for Valve to fix.

    "So, two weeks after my message, which was sent on July 20, a person
    appears, who tells me that my report was marked as not applicable, they
    closed the discussion and wouldn't offer any explanation to me," Kravets
    said. "Moreover, they didn't want me to disclose the vulnerability. At the
    same time, there was not even a single word from Valve."

    ------------------------------

    Date: Tue, 13 Aug 2019 15:13:36 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Critical Windows 10 Warning: Millions Of Users At Risk (Forbes)

    As the Black Hat security conference comes to an end in Las Vegas, so the
    DEF CON hacker convention begins. It didn't take long for the first critical
    warnings for Windows users to emerge as a result. This one is particularly
    worrying as, according to the Eclypsium researchers who gave the
    presentation, the issue applies "to all modern versions of Microsoft
    Windows," which leaves millions of Windows 10 users at risk of system
    compromise. What did the researchers reveal?

    In a nutshell, the researcher found a common design flaw within the hardware
    device drivers from multiple vendors including Huawei, Intel, NVIDIA,
    Realtek Semiconductor, SuperMicro and Toshiba. In total, the number of
    hardware vendors affected runs to 20 and includes every major BIOS
    vendor. The nature of the vulnerability has the potential for the widespread
    compromise of Windows 10 machines.

    Critical Windows 10 Warning: Millions Of Users At Risk

    [Gabe later added this on 18 Aug 2019:]

    Microsoft Confirms Update Warning For Windows 10, Windows 8.1 And Windows 7
    Users

    The latest Patch Tuesday update from Microsoft included several critical
    security fixes. Unfortunately, as Microsoft has now confirmed, it also
    borked some things. If you haven't applied that August 13 update and are
    running on Windows 10, Windows 8.1 or Windows 7, you may want to read this
    before you do. What's the problem with the latest Patch Tuesday Windows
    update?

    Microsoft has confirmed a bunch of "known issues" with the August 13 Windows
    update. Some, such as the "black screen during first logon after installing
    updates" issue, have hit users after previous updates. That can be filed in
    the annoying but ultimately not much to worry about folder: it only impacts
    a "small number" of users and only the first time they logon after the
    update.

    Anything that impacts millions of users is a far more serious thing. And so
    it is that Microsoft has confirmed that this Patch Tuesday update does just
    that.

    "After installing this update, applications that were made using Visual
    Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts
    or apps using Visual Basic Scripting Edition (VBScript) may stop responding
    and you may receive an "invalid procedure call error," Microsoft has stated.

    Microsoft Confirms Update Warning For Windows 10, Windows 8.1 And Windows 7 Users

    [The risk? Automatic updates? GG]

    ------------------------------

    Date: Wed, 14 Aug 2019 10:58:59 -0400
    From: David Lesher <wb8...@panix.com>
    Subject: Null is Not Nothing (WiReD)

    "Security researcher Joseph Tartaro thought NULL would make a fun license
    plate. He's never been more wrong."

    <How a 'NULL' License Plate Landed One Hacker in Ticket Hell>

    An old risk comes back to life (RISKS-6.40) and many other cases.

    Little Johnny Tables <Exploits of a Mom> comes to mind, too.

    [David, Thanks. You have a good memory back to 9 Mar 1988. PGN]

    [Also noted by Gabe Goldberg, who remarked,
    "Nice to see the old standards are still playing..."
    PGN]

    ------------------------------

    Date: Thu, 15 Aug 2019 10:14:06 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Trend Micro fixes privilege escalation security flaw in Password
    Manager

    Charlie Osborne for Zero Day | 15 Aug 2019
    The vulnerability could be used for privilege escalation and code
    execution attacks.
    Trend Micro fixes privilege escalation security flaw in Password Manager | ZDNet

    ------------------------------

    Date: Sat, 17 Aug 2019 10:27:16 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Ransomware Attack Hits 20 Local Governments In Texas (Kut)

    A coordinated ransomware attack has affected at least 20 local government
    entities in Texas, the Texas Department of Information Resources said. It
    would not release information about which local governments have been
    affected.

    The department said the Texas Division of Emergency Management is
    coordinating support from other state agencies through the Texas State
    Operations Center at DPS headquarters in Austin.

    DIR said the Texas Military Department and the Texas A&M University
    Systems' Cyber-response and Security Operations Center teams are deploying
    resources to "the most critically impacted jurisdictions."...

    Ransomware Attack Hits Local Governments In Texas

    ------------------------------

    Date: Fri, 16 Aug 2019 17:28:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Computer Outage Delays International Travelers Arriving at Dulles
    (NBC4 Washington)

    Customs and Border Protection computers are down nationwide, and
    international arrivals at Dulles International Airport are being delayed,
    according to the Metropolitan Washington Airports Authority.

    CBP officers are processing passengers manually.

    Some passengers say they have been waiting for two hours at passport
    control.

    "CBP is experiencing a temporary outage with its processing systems at
    various air ports of entry & is taking immediate action to address the
    technology disruption," the agency tweeted. "CBP officers continue to
    process international travelers using alternative procedures until systems
    are back online."

    [Reportedly, at least 5,000 passengers stuck in line. PGN]

    [Monty Solomon noted Officials said service was restored after about two
    hours but travelers then faced long waits to be processed.
    Customs Computer Failure Snarls Passengers at U.S. Airports
    PGN]

    ------------------------------

    Date: Fri, 16 Aug 2019 13:13:02 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: London Exchange Is Delayed by Technical Problem (NYTimes)

    London Stock Exchange Delays Opening After Technical Problem

    Opening of trading was pushed back one hour and 40 minutes as the stock exchange tried to determine the cause.

    ------------------------------

    Date: Mon, 19 Aug 2019 15:45:16 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Cascading Effect of putting your data in a single cloud basket
    (Telus)

    Most business and home TELUS e-mail customers have been impacted to a large
    degree by a telus.net e-mail outage that began Aug 15 and is still
    affecting some customers across Alberta and BC, as well as customers trying
    to connect from elsewhere.

    The outage was aggravated by the lack of information. TELUS kept saying that
    the Root Cause was unknown until Aug 19, when reports began to surface
    attributing the outage to a failed Dell EMC Cloud server repair:

    TELUS Email Outage - TELUS Email Support | TELUS

    "This issue occurred during an overnight update to our servers in the early
    hours of Thursday, August 15, in partnership with our vendor Dell EMC, when
    a flawed repair procedure took the TELUS.net email system offline."

    My experience was that POP connection attempts fared better than webmail or
    IMAP. There is apparently some risk of at least temporary e-mail loss for
    customers who kept their e-mail on TELUS servers, rather than downloading
    it.

    Generally TELUS has a well-earned reputation for Continuous Availability and
    the ability to roll back failed updates promptly.

    Businesses that have come to rely on e-mail for orders and other functions
    have been heavily impacted. My personal view, using e-mail for work since
    the 1980s, is that it is not yet a reliable or secure form of business
    communication. This reminded me of Dr. Nancy Leveson's analogy of software
    and the early days of high-pressure steam. The economic incentive to push
    ahead with unreliable, potentially unsafe, methods overwhelmed the voices of
    caution. If you pushed ahead you made money faster, until the boiler blew up
    on your workers.

    Cloud seems to have been motivated by the idea of simplifying the addition
    and management of servers and storage. Looks like there is some work to be
    done to balance that saving against the risk of you and your customers being
    impacted for days at a time if something in the cloud goes wrong.

    ------------------------------

    Date: Sat, 17 Aug 2019 10:33:59 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Electric car charging stations may be portals for power grid
    cyber-attacks (Tech Xplore)

    Electric cars are an essential component of a lower-carbon future, but a new
    report from researchers at the New York University Tandon School of
    Engineering raises the specter that plug-in electric vehicles -- and the
    charging stations that supply them -- could be prime vectors for
    cyber-attacks on urban power grids.

    "In simulations using publicly available information about charging station
    usage in Manhattan and the structure of the island's power grid, our
    research team found that a fleet of just roughly 1,000 simultaneously
    charging electric vehicles would be adequate for mounting an attack whose
    effects could rival the blackout that affected the city's West Side last
    month," said Yury Dvorkin, assistant professor in NYU Tandon's Department of
    Electrical and Computer Engineering.

    NYU Tandon doctoral candidate Samrat Acharya led the research in
    collaboration with Dvorkin and Professor Ramesh Karri, also from the
    Department of Electrical and Computer Engineering.

    "This simulation is a wake-up call to the public and policymakers, and an
    encouragement to take steps to protect the data generated between electric
    cars and charging stations -- most of which could be co-opted by a hacker
    with college-level skills," Dvorkin said...

    Electric car charging stations may be portals for power grid cyberattacks

    ------------------------------

    Date: Fri, 16 Aug 2019 16:55:30 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How Flat Earthers Nearly Derailed a Space Photo Book (NYTimes)

    What a photographer's struggle to raise money for his book of images tells
    us about Facebook and conspiracy theorists.

    About 24 hours after the ads were approved, he got a notification telling
    him the ad had been removed. He resubmitted it. It was accepted -- and then
    removed again -- 15 or 20 times, he said. The explanation given: He had run
    "misleading ads that resulted in high negative feedback." He understood that
    it was Facebook's algorithm that rejected the ads, not a person. Getting
    additional answers proved difficult, a common complaint with advertising on
    Facebook. The best clues he could find came in the comments under the ads,
    which he and his colleagues captured in screenshots before they were removed
    and in responses to other posts about the project: There were phrases such
    as "The original moon landing technology." Some comments were hard to gauge,
    with users insisting that the earth was flat but that they'd buy the book
    anyway.

    <‘The underlying arrogance’: Media buyers are frustrated with Google and Facebook ad reps - Digiday>

    ------------------------------

    Date: Sat, 17 Aug 2019 10:46:06 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Hack in the box: Hacking into companies with "warshipping"
    (Ars Technica)

    (More on Warshipping in RISKS-31.36)

    *For under $100, compact hardware can turn a shipped package into a Trojan
    horse for attacks.* (Ars Technica)
    Hack in the box: Hacking into companies with “warshipping”

    Penetration testers have long gone to great lengths to demonstrate the
    potential chinks in their clients' networks before less friendly attackers
    exploit them. But in recent tests by IBM's X-Force Red, the penetration
    testers never had to leave home to get in the door at targeted sites, and
    the targets weren't aware they were exposed until they got the bad news in
    report form. That's because the people at X-Force Red put a new spin on
    sneaking in -- something they've dubbed "warshipping."

    [Long item truncated for RISKS. PGN]

    ------------------------------

    Date: Thu, 15 Aug 2019 10:08:17 +0900
    From: "ISHIKAWA,chiaki" <ishi...@yk.rim.or.jp>
    Subject: Re: These Legit-Looking iPhone Lightning Cables Will Hijack Your
    Computer (VICE)

    So this cable allows an attacker to access the connected computer. The
    implant must have a Wi-Fi component as well, since the computer is accessed
    via Wi-Fi using the cable as an antenna.

    Silent or passive monitoring of data flows and sending them out via a
    low-power radio signal seems to have been favored by spy agencies until
    Snowden released such a trick in one of his documents on WikiLeaks.

    I recall a USB cable for this purpose. Around the 1996-2000 time frame, I
    noticed a USB cable with a mysterious chip embedded inside the plug
    portion. I found it in a photo blog of a second-hand parts shop in
    Akihabara. Initially, I thought this could be similar to APC's UPS control
    cable that has some components inside (for a proprietary connection, I
    guess). But it did not make sense, and the cable did act as an ordinary USB
    cable.

    Years later, when I read the WikiLeaks document, I realized that the cables
    could have been used as a spying tool.

    My scenario was like this:

    A large company bought a ton of PCs from Lenovo/Dell/HP/Fujitsu/NEC/etc.,
    you name it. The agent that delivered the PCs first assembled them in a
    warehouse before shipping them to the customer site (a big trading
    agency, banks, or even a Japanese government office?). Then the warehouse was
    "attacked" and all the USB cables inside the PC delivery boxes were replaced
    with this spying cable. However, back then, rack computers were expensive
    and scarce. Many startup e-commerce companies used ordinary PCs sans PCs and
    keyboards to act as rack computers. Thus most, if not all, of the delivered
    keyboards and USB cables were dumped on the second-hand market. Thus they were
    sold at an outlet in Akihabara and noticed by a store clerk who
    accidentally broke a plug, found the strange implant, opened a few
    others and found the implants there, too. And he posted the strange
    USB cable that still worked in the shop blog with a photo, and I noticed it.

    Nobody knows how that cable was used for spying, or where. Inquiring minds
    want to know. The cable was so strange that this is why I remembered it
    until I read the WikiLeaks document.

    ------------------------------

    Date: Tue, 13 Aug 2019 16:31:34 -0400
    From: R A Lichtensteiger <ra...@tifosi.com>
    Subject: Re: Password policy recommendations: Here's what you need to know
    (Goldberg, RISKS-31.36)

    I think the true RISK here is an article like this that propagates the myth
    that the password complexity rules from NIST's 1980s era document are STILL
    a good idea.

    I find it especially egregious that the author of this article chose to
    reference NIST SP-800-63b while espousing overly complex password rules.

    Permit me to quote from the appendix to that document:

    Highly complex memorized secrets introduce a new potential vulnerability:
    they are less likely to be memorable, and it is more likely that they will
    be written down or stored electronically in an unsafe manner

    Worse, because it was touted on a large computer company website, this
    article might give weight to their inanity.

    ------------------------------

    Date: Thu, 15 Aug 2019 16:31:19 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Password policy recommendations: Here's what you need to know
    (Lichtensteiger, RISKS-31.37)

    Second part of sentence you quote: "but new recommendations have led to
    changes around password policies". After recapping password history, article
    notes new defaults, changes, resources:

    The default levels are changing

    But in May 2019, Microsoft announced changes in the Security Baselines for
    Windows 10 and Windows Server build 1903
    <Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903>:
    The minimum and maximum password ages will no longer be set in the baselines
    and therefore will not be enforced.

    Microsoft cites research (see "An Administrator's Guide to Internet Password
    Research <https://cormac.herley.org/docs/WhatsaSysadminToDo.pdf>" and "The
    Security of Modern Password Expiration
    <https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf>") to claim that
    password expiration policies are no longer considered to have great
    value. Other measures, such as checking lists of banned passwords, are more
    effective. As they note, Windows Group Policies don't provide for checking
    such lists, so neither can the Security Baselines, which is a good example
    of why you should not rely only on the baselines. Microsoft offers some of
    the more advanced capabilities in Azure AD Password Protection
    <https://techcommunity.microsoft.com...d-Smart-Lockout-are-now-in-Public/ba-p/245423>.

    Password complexity: The ground rules

    What is the default Windows password complexity policy
    <https://docs.microsoft.com/en-us/wi...gs/password-must-meet-complexity-requirements>?

    * The password may not contain the account name or variations on the
    account name.
    * It must contain characters from three of the following five groups
    (quoted from the Microsoft document):
    o Uppercase letters of European languages (A through Z, with
    diacritical marks, Greek and Cyrillic characters)
    o Lowercase letters of European languages (A through Z, sharp S,
    with diacritical marks, Greek and Cyrillic characters)
    o Base 10 digits (0 through 9)
    o Non-alphanumeric characters (special characters):
    (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/). Currency symbols such as the euro
    or British pound are not counted as special characters for this
    policy setting.
    o Any Unicode character that is categorized as an alphabetic
    character but is not uppercase or lowercase. This includes
    Unicode characters from Asian languages.

    Everyone who has had to deal with these policies, which are enabled
    in the Security Baselines, knows what a pain they can be. As the Microsoft
    document says, enabling the policies "may cause some additional help desk
    calls for locked-out accounts because users might not be used to having
    passwords that contain characters other than those found in the
    alphabet. However, this policy setting is liberal enough that all users
    should be able to abide by the requirements with a minor learning curve."

    The default password length requirement
    <https://docs.microsoft.com/en-us/wi...urity-policy-settings/minimum-password-length>
    is seven characters, but elsewhere Microsoft recommends eight characters, as
    do the NIST requirements. In the Security Baselines, the minimum password
    length is 14 characters.

    The NIST policies specifically reject (though they do not ban) complexity
    requirements. Microsoft has not removed the default imposition of these
    requirements from Windows or the Security Baselines, but it may be a change
    you want to make yourself.

    If you want finer control of password filtering but want to stick with
    Active Directory
    <https://www.hpe.com/us/en/insights/...our-windows-server-system-right-now-1812.html>,
    you can replace Microsoft's standard Passfilt.dll
    <https://docs.microsoft.com/en-us/windows/desktop/secmgmt/password-filters>
    with a commercial one or write one yourself, as Yelp did, based on an open
    source implementation
    <https://engineeringblog.yelp.com/2018/04/ad-password-blacklisting.html>.
    Examples of commercial replacements are those from nFront Security
    <https://nfrontsecurity.com/products/nfront-password-filter/>, ManageEngine
    <https://www.manageengine.com/products/self-service-password/password-policy-enforcer.html>,
    and Anixis <https://anixis.com/products/ppe/faq.htm>. Using one of these
    replacements, you can implement current best practices within your otherwise
    standard Active Directory infrastructure. SecLists keeps a collection of
    many large common password lists.
    <https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials>

    Beyond banned passwords

    Banned password lists are useful, but another way may be better. Have I Been
    Pwned <https://haveibeenpwned.com/> is a site that keeps records of major
    user ID and password breaches and allows you to check whether any of your
    logins have been compromised.

    The site was built and is maintained by Troy Hunt, a Microsoft regional
    director <https://rd.microsoft.com/en-us/> and well-known security
    expert. It has data on 369 breached sites and 7,860,402,548 breached
    accounts. The site also has an API that allows you to check whether a
    particular account has been breached or just if a particular password exists
    in the breach database.
    <https://haveibeenpwned.com/API/v2#PwnedPasswords>

    Hunt thinks that, once a list is as large as his, it is ``exceptionally
    unlikely to have anything outside that collection which is both terrible and
    actively used.'' The answer is to check against the separate Pwned
    Passwords database <https://haveibeenpwned.com/Passwords>, which contains
    551 million passwords that have been in one or more of the breaches, using
    its API. Hunt says he would set a minimum of six characters and then block
    anything that shows up in Pwned Passwords. One more tip from Hunt: ``I'd
    block every variation of the company name; nobody on the Acme Corp. website
    can use AcmeCorp, AcmeCorp1, AcmeC0rp, etc.''

    If you want to use the Pwned Passwords API, you can build on one of the many
    projects already doing so
    <https://haveibeenpwned.com/API/Consumers>. Typically, they create an
    environment-native interface to the API, such as with the many PHP
    libraries, Python and Perl scripts, WordPress plugins, and Java clients, as
    well as an IFTTT recipe.

    In addition to many weak passwords, Pwned Passwords has a large number of
    passwords that would satisfy any set of complexity rules, so it might seem
    to be overkill. But compared with the range of possible passwords, 551
    million isn't as big a number as it seems. Nearly all of my own passwords
    are randomly generated by my password manager, but I tested several
    passwords I made up on my own in recent years, and none appear in the Pwned
    Passwords database. So maybe relying on Hunt's API and a minimum length and
    blocking organization name variants is the easiest route to strong
    protection.

    I wrote a program to check the contents of one of the SecLists lists of
    `common credentials' against the Pwned Passwords database. All but 3,663 of
    262,000 passwords tested were in Pwned Passwords, and more than half of
    those that weren't had fewer than eight characters. Perhaps this means that
    Hunt is right that checking banned password lists is largely redundant,
    though if you're going to check one or the other, it's easy enough to check
    both.

    But all of this is about usernames and passwords, a technology that we
    should all hope will someday be deprecated. At the same time you make sure
    your passwords are strong, move forward with multifactor authentication
    <https://www.hpe.com/us/en/insights/...entication-is-finally-getting-smart-1808.html>
    and biometrics
    <https://www.hpe.com/us/en/insights/...o-providing-id-for-the-marginalized-1903.html>
    that bypass the inherent problems with passwords.

    Password policy best practices: Lessons for leaders

    * Stay up to date with recommendations for creating and maintaining
    secure passwords.
    * Minimize opportunities for user password failures.
    * Make use of public databases of password failures and account breaches.
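
    To make the two approaches in the article concrete, here is an added example
    (written for this digest entry; it is not Microsoft's, Yelp's or Troy Hunt's
    code) that implements the default Windows complexity rule beside Hunt's policy
    of a six-character minimum, a Pwned Passwords check and blocking of
    company-name variants such as AcmeCorp1 and AcmeC0rp. It assumes the Pwned
    Passwords range-query shape (the client sends only the first five hex
    characters of the password's SHA-1 and receives matching hash suffixes with
    breach counts) and stands in for the live API with a small constructed,
    locally hashed sample so that it runs offline.

```python
import hashlib
import unicodedata

# The special-character group exactly as listed in the Microsoft policy document
# quoted above. Currency symbols are deliberately absent from it.
WINDOWS_SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

def windows_groups(password):
    """Return the set of the five Windows complexity groups a password touches."""
    groups = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            groups.add("upper")
        elif cat == "Ll":
            groups.add("lower")
        elif cat == "Nd":
            groups.add("digit")
        elif ch in WINDOWS_SPECIALS:
            groups.add("special")
        elif cat.startswith("L"):  # alphabetic but neither upper nor lower, e.g. CJK
            groups.add("other_alpha")
    return groups

def windows_complexity_ok(password, account_name, min_length=7):
    """Default Windows policy: minimum length, no account name, three of five groups.
    min_length defaults to the article's 7; the Security Baselines use 14. The
    account-name rule is simplified here to a case-insensitive substring test."""
    if len(password) < min_length:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    return len(windows_groups(password)) >= 3

# Constructed offline stand-in for the Pwned Passwords corpus: a few well-known
# breached passwords hashed locally. The breach counts are made up.
_SAMPLE_BREACHED = {
    "password": 3730471, "123456": 23547453, "P@ssw0rd": 51259,
    "Summer2019!": 1200, "qwerty": 3912816, "Tr0ub4dor&3": 17,
}

def _sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(breached):
    """Index hashes the way the range API serves them: prefix -> ['SUFFIX:COUNT', ...]."""
    index = {}
    for pw, count in breached.items():
        digest = _sha1_upper(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index

RANGE_INDEX = build_range_index(_SAMPLE_BREACHED)

def query_range(prefix):
    """Local stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (assumed shape)."""
    return "\r\n".join(RANGE_INDEX.get(prefix, []))

def pwned_count(password, fetch=query_range):
    """k-anonymity lookup: only the 5-char SHA-1 prefix leaves the client; returns count or 0."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

# Undo the substitutions people use to dodge a plain name filter (AcmeC0rp, Acme1Corp).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

def _letters_only(text):
    return "".join(c for c in text if c.isalpha())

def contains_company_name(password, company):
    """Hunt's tip: block every variation of the company name, not just the exact string."""
    target = _letters_only(company.lower())
    lowered = password.lower()
    return (target in _letters_only(lowered.translate(_LEET))
            or target in _letters_only(lowered))

def hunt_policy_ok(password, company, min_length=6, fetch=query_range):
    """Hunt's approach: six-character minimum, not in Pwned Passwords, no company-name variants."""
    return (len(password) >= min_length
            and pwned_count(password, fetch) == 0
            and not contains_company_name(password, company))

def compare(password, account_name="jsmith", company="Acme Corp"):
    """Show where the two policies disagree for one candidate password."""
    return {"windows_default": windows_complexity_ok(password, account_name),
            "hunt": hunt_policy_ok(password, company)}

if __name__ == "__main__":
    for pw in ("P@ssw0rd", "AcmeC0rp!2019", "correct horse battery staple"):
        print(f"{pw!r:34} {compare(pw)}")
```

    Note how the two policies pull in opposite directions: "P@ssw0rd" satisfies
    every Windows complexity group yet is in the breach corpus, while a long
    all-lowercase passphrase fails the complexity rule but passes Hunt's checks.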

    ------------------------------

    Date: Tue, 13 Aug 2019 00:39:25 -0400
    From: "R. G. Newbury" <new...@mandamus.org>
    Subject: Re: Climate change: how the jet stream is changing your weather
    (RISKS-31.36)

    > As temperatures rose across the massive ice sheet, which blankets an area
    > five times the size of Germany, around 60 per cent of the surface
    > started to melt, one of the largest ever recorded.

    Except it didn't:

    And the last sentence is basically a lie. Even if that one station had
    recorded an above-zero temperature, it would not mean that 60% of the
    surface was also melting.

    https://wattsupwiththat.com/2019/08/12/greenlands-record-temperature-denied-the-data-was-wrong/

    Now from the Danish Meteorological Institute (DMI), via the news website The
    Local, the cooler reality:

    Danish climate body wrongly reported Greenland heat record

    The Danish Meteorological Institute, which has a key role in monitoring
    Greenland's climate, last week reported a shocking August temperature of
    between 2.7C and 4.7C at the Summit weather station, which is located 3,202m
    above sea level at the centre of the Greenland ice sheet, generating a
    spate of global headlines.

    But on Wednesday it posted a tweet saying that a closer look had shown that
    monitoring equipment had been giving erroneous results.

    ``Was there record-level warmth on the inland ice on Friday? No! A quality
    check has confirmed our suspicion that the measurement was too high.''

    Shoot out the headlines first, ask questions later.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.37
    ************************
     
  9. LakeGator

    Risks Digest 31.38

    RISKS List Owner

    Aug 24, 2019 7:00 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 24 August 2019 Volume 31 : Issue 38

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    16 Million Americans Will Vote on Hackable Paperless Machines
    (MIT TechReview)
    Moscow's blockchain voting system cracked a month before election (ZDNet)
    Judge Bars Georgia From Using Current Voting Technology in 2020 (CNet)
    "Employees connect nuclear plant to the Internet so they can mine
    cryptocurrency" (Catalin Cimpanu)
    Patrick Byrne (Rob Slade)
    Why the U.S. Disaster Agency Is Not Ready for Catastrophes
    (Scientific American)
    Backdoor code found in 11 Ruby libraries (Catalin Cimpanu)
    "Unpatchable security flaw found in popular SoC boards"
    (Catalin Cimpanu)
    Hospital website hijacked by 'pirates' (Sonoma News)
    MoviePass exposed thousands of unencrypted customer card numbers
    (Tech Crunch)
    Hong Kong protesters warn of Telegram feature that can disclose
    their identities (Catalin Cimpanu)
    Researcher publishes second Steam zero day after getting banned on
    Valve's bug bounty program (Catalin Cimpanu)
    This trojan malware being offered for free could cause hacking spike
    (ZDNet)
    Users of Adult Website Exposed By Data Breach (Infosecurity)
    Ransomware Attacks Are Testing Resolve of Cities Across America (NYT)
    Ransomware Attack Hits 23 Texas Towns, Authorities Say (NYTimes)
    Phishing spam is getting better ... (Rob Slade)
    A credit card never needed cleaning instructions... then Apple came along
    (Gene Wirchenko)
    Want To Know What's In Your Sweat? There's A Patch For That (npr.org)
    Playing God: Japan temple puts faith in robot priest "with AI.
    It's changing Buddhism" (AFP)
    Re: Contingency plan for compromised fingerprint database (Edwin Slonim)
    Re: Facial recognition errors (Arthur T.)
    Re: Electric car charging stations may be portals for power grid
    cyberattacks (Kelly Bert Manning)
    Re: Shoot out the headlines first, ask questions later: Climate change ...
    (Kelly Bert Manning, Amos Shapir)
    Re: Password policy (Dmitri Maziuk)
    Noise about Quiet Skies program (Richard Stein)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 21 Aug 2019 12:25:08 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: 16 Million Americans Will Vote on Hackable Paperless Machines
    (MIT TechReview)

    Patrick Howell O'Neill, Technology Review, 13 Aug 2019 via
    ACM TechNews, Wednesday, August 21, 2019

    A study by researchers at New York University found that at least 16 million
    Americans in eight states will vote on completely paperless machines in the
    2020 U.S. elections, despite a strong consensus among cybersecurity and
    national security experts that paper ballots and vote audits are necessary
    to ensure election security. While the states in question are not
    historically battleground states, some are likely to be more closely
    contested than usual. Said U.S. Senator Ron Wyden of Oregon, "Congress needs
    to set mandatory federal election security standards that outlaw paperless
    voting machines and guarantee every American the right to vote with a
    hand-marked paper ballot." Wyden cited experts as requiring hand-marked
    paper ballots and post-election audits to defend against hacking. "Vendors
    should recognize that fact or get out of the way."
    16 million Americans will vote on hackable paperless machines

    ------------------------------

    Date: Wed, 21 Aug 2019 8:45:41 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Moscow's blockchain voting system cracked a month before election
    (ZDNet)

    A French security researcher has found a critical vulnerability in the
    blockchain-based voting system Russian officials plan to use next month for
    the 2019 Moscow City Duma election.

    Pierrick Gaudry, an academic at Lorraine University and a researcher for
    INRIA, the French research institute for digital sciences, found that he
    could compute the voting system's private keys based on its public
    keys. These private keys are used together with the public keys to encrypt
    user votes cast in the election.

    MOSCOW BLOCKCHAIN VOTING SYSTEM ENCRYPTION BROKEN IN 20 MINUTES

    Gaudry blamed the issue on Russian officials using a variant of the ElGamal
    encryption scheme that used encryption key sizes that were too small to be
    secure. This meant that modern computers could break the encryption scheme
    within minutes.

    "It can be broken in about 20 minutes using a standard personal computer,
    and using only free software that is publicly available," Gaudry said in a
    report published earlier this month.

    "Once these [private keys] are known, any encrypted data can be decrypted as
    quickly as they are created," he added.

    Moscow's blockchain voting system cracked a month before election | ZDNet
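
    As an added illustration (not from the ZDNet article or from Gaudry's
    report), here is a toy ElGamal scheme with a deliberately tiny 31-bit
    modulus: the private key is recovered from the public key alone by
    baby-step giant-step, after which every ballot encrypted under that key
    decrypts. The prime, generator and ballot values are constructed; the
    algorithm needs roughly 2^(n/2) steps for an n-bit group, which is why
    real deployments use groups of 2048 bits or more and why an undersized key
    falls in minutes.

```python
import math
import secrets

# Constructed toy parameters: the Mersenne prime 2^31 - 1 and the primitive root 7.
# Real ElGamal deployments use groups of 2048 bits or more; this is small on purpose.
P = 2**31 - 1
G = 7

def keygen(p=P, g=G):
    """ElGamal key pair: private x in [1, p-2], public y = g^x mod p."""
    x = 1 + secrets.randbelow(p - 2)
    return x, pow(g, x, p)

def encrypt(message, y, p=P, g=G):
    """Encrypt an integer ballot 1 <= message < p under public key y."""
    k = 1 + secrets.randbelow(p - 2)          # fresh ephemeral randomness per ballot
    return pow(g, k, p), message * pow(y, k, p) % p

def decrypt(ciphertext, x, p=P):
    """Recover the ballot with private key x: c2 * (c1^x)^-1 mod p."""
    c1, c2 = ciphertext
    return c2 * pow(pow(c1, x, p), -1, p) % p

def discrete_log_bsgs(g, h, p):
    """Solve g^x = h (mod p) by baby-step giant-step in O(sqrt(p)) time and memory.
    For this 31-bit group that is about 46,000 table entries and well under a
    second; for a 2048-bit group it would be about 2^1024 and is infeasible."""
    m = math.isqrt(p - 1) + 1
    baby = {}                                 # g^j -> j for j in [0, m)
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_step = pow(g, -m, p)                # multiplying by g^(-m) lowers the exponent by m
    gamma = h % p
    for i in range(m):
        j = baby.get(gamma)
        if j is not None:
            return i * m + j                  # h = g^(i*m + j)
        gamma = gamma * giant_step % p
    return None

def recover_private_key(y, p=P, g=G):
    """The failure the article describes, in miniature: private key from public key only."""
    return discrete_log_bsgs(g, y, p)

def break_and_decrypt(y, ciphertexts, p=P, g=G):
    """Recover x from y, then decrypt every ballot that was encrypted under y."""
    x = recover_private_key(y, p, g)
    return x, [decrypt(c, x, p) for c in ciphertexts]

if __name__ == "__main__":
    x, y = keygen()
    ballots = [encrypt(candidate, y) for candidate in (1, 2, 3, 2, 1)]
    recovered, plaintexts = break_and_decrypt(y, ballots)
    print(f"private key {x}, recovered {recovered}, ballots {plaintexts}")
```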

    ------------------------------

    Date: Fri, 23 Aug 2019 12:26:16 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: Judge Bars Georgia From Using Current Voting Technology in 2020
    (CNet)

    Laura Hautala, CNet (15 Aug 2019) via ACM TechNews, 23 Aug 2019

    U.S. District Judge Amy Totenberg has ordered Georgia not to use its
    paperless voting machines, election management software, or servers for the
    2020 election, requiring the state to implement a new voting system in time
    for the presidential primaries. Georgia is currently acquiring new
    electronic voting machines and vote-counting software. The court order will
    prevent the state from relying on its paperless voting machines and election
    management software if the replacement infrastructure is not ready in time;
    should this happen, Georgia may have to fall back on paper ballots. Attorney
    David Cross said the order ``is a big win for all Georgia voters and those
    working across the country to secure elections and protect the right to
    vote.''

    Judge bars Georgia from using current voting technology in 2020

    ------------------------------

    Date: Fri, 23 Aug 2019 10:27:27 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Employees connect nuclear plant to the Internet so they can mine
    cryptocurrency" (Catalin Cimpanu)

    By Catalin Cimpanu for Zero Day | 22 Aug 2019

    The Ukrainian Secret Service is investigating the incident as a potential
    security breach.
    Employees connect nuclear plant to the internet so they can mine cryptocurrency | ZDNet

    ------------------------------

    Date: Fri, 23 Aug 2019 10:26:14 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Patrick Byrne

    Patrick Byrne says that he helped the "Deep State" investigations.

    He also says that the FBI ordered him to pursue a relationship with Russian
    (spy? agent? dupe?) Maria Butina.

    Oh. And he also wanted to change Overstock from a "cheap furniture" company
    to a "blockchain" company. So caveat emptor ...

    ------------------------------

    Date: Tue, 20 Aug 2019 20:12:47 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Why the U.S. Disaster Agency Is Not Ready for Catastrophes
    (Scientific American)

    Why the U.S. Disaster Agency Is Not Ready for Catastrophes

    "The Federal Emergency Management Agency has wasted more than $3 billion and
    misused thousands of its employees by responding to hundreds of undersized
    floods, storms and other events that states could have handled on their own,
    an investigation by E&E News shows."

    As noted in The Risks Digest, nations and
    localities are struggling to plan prioritized disaster response
    allocation. FEMA-level response dilution, partially driven by climate
    change, threatens US resilience -- a portentous sign of bad risk mitigation
    planning at a strategic level.

    ------------------------------

    Date: Tue, 20 Aug 2019 12:25:03 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Backdoor code found in 11 Ruby libraries (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 20 Aug 2019
    RubyGems staff have removed 18 malicious Ruby library versions that
    have been downloaded 3,584 times since July 8.
    Backdoor code found in 11 Ruby libraries | ZDNet

    selected text:

    Maintainers of the RubyGems package repository have yanked 18 malicious
    versions of 11 Ruby libraries that contained a backdoor mechanism and were
    caught inserting code that launched hidden cryptocurrency mining operations
    inside other people's Ruby projects.

    The individual behind this scheme was active for more than a month, and
    their actions were not detected.

    Things changed when the hacker managed to gain access to the RubyGems
    account of one of the rest-client developers, which he used to push four
    malicious versions of rest-client on RubyGems.

    ------------------------------

    Date: Tue, 20 Aug 2019 12:29:28 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Unpatchable security flaw found in popular SoC boards"
    (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 20 Aug 2019
    Xilinx Zynq UltraScale+ SoCs are normally used in automotive, aviation,
    consumer electronics, industrial, and military components.
    Unpatchable security flaw found in popular SoC boards | ZDNet

    opening text:

    Security researchers have discovered an unpatchable security flaw in a
    popular brand of system-on-chip (SoC) boards manufactured by Xilinx.

    The vulnerable component is Xilinx's Zynq UltraScale+ brand, which includes
    system-on-chip (SoC), multi-processor system-on-chip (MPSoC), and radio
    frequency system-on-chip (RFSoC) products used inside automotive, aviation,
    consumer electronics, industrial, and military components.

    Two bugs found, but one is unpatchable

    ------------------------------

    Date: Wed, 21 Aug 2019 11:46:45 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hospital website hijacked by 'pirates' (Sonoma News)

    Hospital website hijacked by ‘pirates’

    ------------------------------

    Date: Wed, 21 Aug 2019 11:49:19 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: MoviePass exposed thousands of unencrypted customer card numbers
    (Tech Crunch)

    MoviePass security lapse exposed customer card numbers – TechCrunch

    ------------------------------

    Date: Fri, 23 Aug 2019 10:29:02 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Hong Kong protesters warn of Telegram feature that can disclose
    their identities (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 23 Aug 2019
    Message shared on discussion boards sparks panic among protesters.
    Hong Kong protesters warn of Telegram feature that can disclose their identities | ZDNet

    ------------------------------

    Date: Fri, 23 Aug 2019 10:31:22 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Researcher publishes second Steam zero day after getting banned on
    Valve's bug bounty program (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 21 Aug 2019
    Valve gets heavily criticized for mishandling a crucial bug report.
    Researcher publishes second Steam zero day after getting banned on Valve's bug bounty program | ZDNet

    Valve has responded to the publication of this second Steam zero-day. Due
    to the length of the response, we chose to cover it as a separate
    article. Original story below.

    A Russian security researcher has published details about a zero-day in the
    Steam gaming client. This is the second Steam zero-day the researcher has
    made public in the past two weeks.

    However, while the security researcher reported the first one to Valve and
    tried to have it fixed before public disclosure, he said he couldn't do the
    same with the second because the company banned him from submitting further
    bug reports via its public bug bounty program on the HackerOne platform.

    ------------------------------

    Date: Fri, 23 Aug 2019 10:32:48 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: This trojan malware being offered for free could cause hacking spike
    (ZDNet)

    Danny Palmer | 21 Aug 2019
    NanoCore RAT can steal passwords, payment details, and secretly record audio
    and video of Windows users.
    Cybersecurity: This trojan malware being offered for free could cause hacking spike | ZDNet

    A new version of a powerful form of trojan malware is being offered on the
    dark web for free, with one cybersecurity company warning this could lead to
    a rise in attacks targeting passwords, bank details and other personal
    information, even by crooks with limited technical skills.

    ------------------------------

    Date: Wed, 21 Aug 2019 11:50:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Users of Adult Website Exposed By Data Breach (Infosecurity)

    Users of Adult Website Exposed By Data Breach

    ------------------------------

    Date: Thu, 22 Aug 2019 14:30:15 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Ransomware Attacks Are Testing Resolve of Cities Across America
    (NYT)

    At the public library in Wilmer, Tex., books were checked out not with the
    beeps of bar code readers but with the scratches of pen on notebook paper.
    Out on the street, police officers were literally writing tickets -- by
    hand. When the entire computer network that keeps the small town's
    bureaucracy afloat was recently hacked, Wilmer was thrown into the digital
    Dark Ages.

    This has been the summer of crippling ransomware attacks. Wilmer -- a town
    of almost 5,000 people just south of Dallas -- is one of 22 cities across
    Texas that are simultaneously being held hostage for millions of dollars
    <https://www.nytimes.com/2019/08/20/us/texas-ransomware.html?module=inline>
    after a sophisticated hacker, perhaps a group of them, infiltrated their
    computer systems and encrypted their data. The attack instigated a statewide
    disaster-style response that includes the National Guard and a widening
    F.B.I. inquiry.

    More than 40 municipalities have been the victims of cyberattacks this year,
    from major cities such as Baltimore, Albany and Laredo, Tex., to smaller
    towns including Lake City, Fla. Lake City is one of the few cities to have
    paid a ransom demand -- about $460,000 in Bitcoin, a cryptocurrency --
    because it thought reconstructing its systems would be even more costly.
    (https://www.nytimes.com/2019/07/07/us/florida-ransom-hack.html?module=inline)

    In most ransomware cases, the identities and whereabouts of culprits are
    cloaked by clever digital diversions. Intelligence officials, using data
    collected by the National Security Agency and others in an effort to
    identify the sources of the hacking, say many have come from Eastern Europe,
    Iran and, in some cases, the United States. The majority have targeted
    small-town America, figuring that sleepy, cash-strapped local governments
    *are the least likely to have updated their cyberdefenses or backed up their
    data*...

    https://www.msn.com/en-us/news/tech...g-resolve-of-cities-across-america/ar-AAGapHU

    https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html

    ------------------------------

    Date: Tue, 20 Aug 2019 16:17:57 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Ransomware Attack Hits 23 Texas Towns, Authorities Say (NYTimes)

    The state declined to say which towns were affected by the coordinated
    cyberattack. But one expert said it could signal more such attacks in the
    future.

    https://www.nytimes.com/2019/08/20/us/texas-ransomware.html

    ------------------------------

    Date: Tue, 20 Aug 2019 12:30:12 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Phishing spam is getting better ...

    Gloria asked me to have a look at an email message "from" our bank.

    Other than addressing her as an "esteemed" customer, it looked pretty good.
    No problems with spelling or grammar. A security warning at the bottom.
    The head office address for the bank.

    When I looked at the headers, there were only a few, very small, indications
    of possible problems. It was sent from a domain that was not owned by the
    bank, but a lot of companies are outsourcing a lot of IT functions, so that
    wasn't exactly definitive. It had a couple of headers indicative of spam
    filtering.

    About the only thing that solidly demonstrated a problem was the
    verification link in the body of the message, but that a) won't be visible
    to most, and b) isn't a really strong indication unless you really know how
    to read URLs.

    (Now if banks start outsourcing account verification ...)
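
    The three checks in the post (sending domain, spam-filter headers, and the
    host behind the "verification" link) as an added example; this is not code
    from the post or from RISKS. The bank domain list, the headers and the
    message body below are all constructed for the example.

```python
"""Added example (not part of Rob Slade's post or RISKS): a small triage
script for the three checks the post describes, run against a constructed
message. Bank domains, headers and body below are all made up."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed: domains the (fictional) bank actually sends from and links to.
# In practice this allow-list comes from the bank's own published information.
BANK_DOMAINS = {"examplebank.test"}

# Constructed sample, modelled on the message in the post: clean spelling,
# a security warning and a head-office address, but sent from an unrelated
# domain and carrying a "verification" link to a look-alike host.
SAMPLE_EML = b"""\
From: "Example Bank" <notices@mail-bulk-sender.test>
To: customer@example.org
Subject: Please verify your account
X-Spam-Checker-Version: SpamAssassin 3.4.2
X-Spam-Status: No, score=2.1
Content-Type: text/plain; charset="utf-8"

Dear esteemed customer,

For your security, please verify your account within 24 hours:
https://examplebank.test.account-verify.test/login?id=123

Security notice: Example Bank will never ask for your password by email.
Example Bank, 1 Head Office Plaza, Springfield
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def host_belongs_to(host, domains):
    """True if host is one of the allowed domains or a subdomain of one.

    The check is anchored on the right-hand labels, which are the part of a
    hostname that decides who owns it: examplebank.test.account-verify.test
    is NOT under examplebank.test, however familiar its left-hand part looks.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw, bank_domains=BANK_DOMAINS):
    """Return the indicators the post lists, plus an overall verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    # 1. Sending domain versus the bank's own domains (suggestive only:
    #    outsourced mail senders are common, as the post notes).
    from_domain = msg["From"].addresses[0].addr_spec.rsplit("@", 1)[1].lower()
    from_ok = host_belongs_to(from_domain, bank_domains)

    # 2. Headers left behind by spam filtering along the way.
    spam_headers = [h for h in msg.keys() if h.lower().startswith("x-spam")]

    # 3. Every link in the body whose host is not under a bank domain.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    foreign_links = [u for u in URL_RE.findall(body)
                     if not host_belongs_to(urlparse(u).hostname, bank_domains)]

    findings = []
    if not from_ok:
        findings.append("From: domain %s is not a bank domain" % from_domain)
    for u in foreign_links:
        findings.append("link host %s is not a bank domain" % urlparse(u).hostname)
    if spam_headers:
        findings.append("spam-filter headers present: %s" % ", ".join(spam_headers))

    return {
        "from_domain": from_domain,
        "spam_headers": spam_headers,
        "foreign_links": foreign_links,
        "findings": findings,
        # Only the link check is treated as decisive, matching the post.
        "verdict": "suspicious" if (foreign_links or not from_ok) else "no obvious problems",
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print(line)
```

    The point of host_belongs_to is the one the post makes about "knowing how
    to read URLs": ownership of a hostname is decided by its rightmost labels,
    so a link whose host merely starts with the bank's name is still foreign.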

    ------------------------------

    Date: Fri, 23 Aug 2019 10:39:25 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: A credit card never needed cleaning instructions... then Apple
    came along

    Apple warns its credit card doesn't like leather or denim or other cards.

    [Just in case there is someone on the planet who does not know how special
    Apple is ... . I go to my optometrist's office every so often for a fresh
    cloth. I think they may have given me fewer instructions than Apple
    does.]

    By Adrian Kingsley-Hughes for Hardware 2.0 | 22 Aug 2019
    Yes, Apple went and published care instructions for its new credit card.
    https://www.zdnet.com/article/a-cre...-cleaning-instructions-then-apple-came-along/

    I used to think that the $999 XDR monitor stand was the most Apple thing
    Apple ever made. But then the company came out with a credit card that
    needed its own care instructions.

    Yes, care instructions. For a credit card.

    Apple goes into great detail on how to keep your flashy laser-etched
    titanium Apple Card looking its finest. Store it in "a wallet, pocket, or
    bag made of soft materials," don't store it with another credit card because
    it might become scratched, and give it the occasional clean with a "soft,
    slightly damp, lint-free microfiber cloth."

    Chris Duckett, ZDNet, 22 Aug 2019
    Apple warns its credit card doesn't like leather or denim or other cards
    White titanium card is afraid of most things people use to carry ID and
    coinage, like wallets and pockets.
    https://www.zdnet.com/article/apple-warns-its-credit-card-doesnt-like-leather-or-denim/

    Oh dear, that card appears to be on a hard surface.

    Apple has detailed a number of things that its newly launched titanium
    credit card should be kept away from.

    A support note from Cupertino, spotted by AppleInsider, says the card should
    be kept away from leather and denim to avoid discoloration, and also away
    from hard surfaces, to avoid scratching its white finish.

    Users are warned not to use household cleaners on the card, nor compressed
    air and aerosols, nor any solvents, or ammonia, or anything abrasive to
    clean it.

    ------------------------------

    Date: Tue, 20 Aug 2019 19:54:16 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Want To Know What's In Your Sweat? There's A Patch For That
    (npr.org)

    https://www.npr.org/sections/health...-whats-in-your-sweat-there-s-a-patch-for-that

    "The patch the Berkeley scientists designed collects sweat at the surface of
    the skin and analyzes it in real-time using a custom printed circuit board
    that transmits the collected data wirelessly to a mobile phone."

    Obvious risk here -- streaming perspiration chemistry to a phone or
    Internet-connected widget for analysis.

    If there's too much sodium or potassium detected in perspiration, does this
    imply that a custom replenishment fluid must be ingested to re-balance blood
    chemistry? How is the replenishment molarity calibrated for an athlete in
    competition?

    This device represents the next step in the pharmaceutical athletic games.
    Should that IV be shaken or stirred?

    ------------------------------

    Date: Tue, 20 Aug 2019 14:28:11 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Playing God: Japan temple puts faith in robot priest "with AI.
    It's changing Buddhism" (AFP)

    A 400-year-old temple in Japan is attempting to hot-wire interest in
    Buddhism with a robotic priest it believes will change the face of the
    religion -- despite critics comparing the android to "Frankenstein's
    monster."

    The android Kannon, based on the Buddhist deity of mercy, preaches sermons
    at Kodaiji temple in Kyoto, and its human colleagues predict that with
    artificial intelligence it could one day acquire unlimited wisdom. "This
    robot will never die, it will just keep updating itself and evolving,"
    priest Tensho Goto told AFP. "That's the beauty of a robot. It can store
    knowledge forever and limitlessly. "With AI we hope it will grow in wisdom
    to help people overcome even the most difficult troubles. It's changing
    Buddhism," added Goto. ...

    https://news.yahoo.com/playing-god-japan-temple-puts-faith-robot-priest-043640106.html

    ------------------------------

    Date: Tue, 20 Aug 2019 07:54:51 +0300
    From: Edwin Slonim <esl...@minols.com>
    Subject: Re: Contingency plan for compromised fingerprint database (R 31 37)

    My contingency plan is to use a different finger. Even if all 10 fingers
    are eventually compromised, assuming the access control locks out after n
    tries where (n << 10) I should be ok :)

    In Risks 31.37 Anthony Thorn <anthon...@atss.ch> wrote:

    You can change a compromised password, but your fingerprint is not only
    fixed, but shared across all applications which use fingerprint recognition.
    What is your contingency plan?

    ------------------------------

    Date: Tue, 20 Aug 2019 02:23:08 -0400
    From: "Arthur T." <risks2019...@xoxy.net>
    Subject: Re: Facial recognition errors (RISKS-31.37)

    > Facial recognition software mistook 1 in 5 California lawmakers for
    > criminals, says ACLU

    A better headline and subhead for the original story might be:

    Software Set At 80% Confidence Level Works Correctly 80% Of The Time;
    Software Used With Default Values Rather Than Recommended Values Doesn't
    Work Well

    Amazon does seem disingenuous with its claim that the software should be
    used at the 99% confidence level when matching faces, while shipping with
    the default set to 80%. As we've seen here, many users who should know
    better never change from default settings.

    Note that the 80% default value didn't appear in the linked story, but in
    another on the same topic that I had read earlier:
    <https://yro.slashdot.org/story/19/0...fied-1-in-5-california-lawmakers-as-criminals>.

    [Sarcastically, Geoffrey Newbury and Phil Martel each suggested:
    So the software actually had an 80% failure rate?
    Might that suggest that 5 out of 5 were actually criminals?
    PGN]

    ------------------------------

    Date: Tue, 20 Aug 2019 12:58:43 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Electric car charging stations may be portals for power grid
    cyberattacks (RISKS-31.37)

    I did not see what types of charging stations were involved.

    The flip side is that reversing flow and drawing power from e-vehicles has
    been proposed as a way to smooth out demand spikes and to store surplus
    wind and solar power when they are parked plugged in.

    I have to speculate that this risk involves Level 3 or higher stations.

    With the demise of the last gas station in downtown Vancouver BC, and the
    proliferation of "free" (TANSTAAFL) or pay to use fast charging stations at
    parking lots and underground garages this might be a risk, but not likely
    for 110 or 220 volt charging stations. I did not bother to install a level 2
    charger for our plug in hybrid because it charges from the carport plug in
    5.5 hours with about the same draw as a major kitchen appliance.

    Other protection in the electric distribution system could put them offline
    before a large section goes down. Canadian wiring specs require the top and
    bottom sockets of kitchen counter outlets, and adjacent outlets, to be on
    separate circuits. You need at least 4 circuits to wire a kitchen according
    to code if you have 2 or more kitchen outlets.

    Don't Grid Controllers in the UK have TVs in the control rooms to monitor
    Football (Soccer in Canadian & USA English) games because so many fans tend
    to plug in electric kettles during long pauses and ad breaks? Pumped Hydro
    Electric Storage generators in Wales and elsewhere can be spun up to meet
    those demand surges when the operators see a break coming. We don't need
    electric cars to experience this type of power demand surge.

    In Canada the equivalent is the Hockey Game Flush, as thousands of fans
    flush toilets, creating a risk of municipal water lines collapsing or having
    infiltration due to sharp drops in water pressure. System ops watch the
    game, ready to start turbo boost pumps during breaks and stop them at the
    end of the break.

    ------------------------------

    Date: Tue, 20 Aug 2019 13:30:32 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Shoot out the headlines first, ask questions later (RISKS-31.37)

    Rushing into print or digital publication of new startling results from
    recently deployed or newly developed instruments is a known risk in Climate
    Research.

    Someone rushed into print with an "Oceans are Cooling" paper, based on
    comparing early Argo Buoy data with older XBT data. With the wisdom of
    hindsight the Argo data had a Cold bias and the XBT data had a Warm
    bias. Longer term study revealed the bias in both instruments.

    https://earthobservatory.nasa.gov/features/OceanCooling

    Instrument Bias also came up when Anthony Watts enlisted an army of fans to
    create a list of "poorly sited" weather stations which they felt gave a warm
    bias to the NOAA conclusion of a warming trend in the Continental USA. NOAA
    repeated the analysis, excluding those stations, and got a slightly stronger
    warming trend. Be careful what you ask for.

    https://en.wikipedia.org/wiki/Anthony_Watts_(blogger)#Surface_Stations_project

    ------------------------------

    Date: Wed, 21 Aug 2019 11:17:55 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Shoot out the headlines first, ask questions later (RISKS-31.37)

    Before joining the celebrations of the "Ha ha, no global warming! We can go
    on burning as much carbon as we like!" crowd, please see the following
    article (in French):
    https://www.lci.fr/planete/les-reco...eptiques-en-quoi-ils-se-trompent-2129437.html

    It points out that the post in "What's up with that" relies on an error in a
    single station on a single day, ignoring thousands of measurements over the
    past few months.

    Also check out my post in Quora:
    https://www.quora.com/Is-global-warming-a-hoax/answer/Amos-Shapir-1 which
    includes two maps to demonstrate the current situation in Greenland.

    ------------------------------

    Date: Tue, 20 Aug 2019 12:50:34 -0500
    From: Dimitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Password policy (Goldberg, RISKS-31.37)

    I'm pretty sure this made RISKS at least once before: https://xkcd.com/936/

    Evidently none of the password security expert policy writers ever heard
    of xkcd.

    (Incidentally I recently tried "oh, not again!" for a linux account password
    and it worked.)

    ------------------------------

    Date: Mon, 19 Aug 2019 22:49:04 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Noise about Quiet Skies program (Thorson, RISKS-30.86)

    > "Federal air marshals have begun following ordinary US citizens not
    > suspected of a crime or on any terrorist watch list and collecting
    > extensive information about their movements and behavior under a new
    > domestic surveillance program that is drawing criticism from within the
    > agency."

    "As an ordinary citizen," Mark's submission provoked my "spider sense" to
    file a FOIA request with TSA. I finally received a response to my petition
    dated 19AUG2019:

    "This letter is in response to your Freedom of Information Act (FOIA)
    request to the Transportation Security Administration (TSA) dated October
    11, 2018, seeking access to the following records about yourself:

    "1. All Federal Air Marshall Service 'Quiet Skies' records collected,
    reported, and collated that pertain to international or domestic travel.
    To include dates/times of collection, transport vehicle/flight or
    bus/train or ship, and itemize detail of collected records include
    purpose/reason/justification for data capture based on air marshal
    prerogative.

    "2. A list of federal and state agencies that have approved
    direct/indirect access to these records and include dates/time/purpose for
    access.

    "Your request has been processed under the FOIA, 5 U.S.C. 552, and the
    Privacy Act, 5 U.S.C 552a. A search was conducted within the TSA and no
    records responsive to your request were located."

    Guess the skies are safe to fly after all? While a sample size of 1 does not
    prove much, the TSA response suggests that citizens of "sufficient interest"
    merit air marshal tracking and attention. What constitutes "sufficient
    interest" was not a petition subject, and therefore not disclosed.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.38
    ************************
     
  10. LakeGator

    Risks Digest 31.39

    RISKS List Owner

    Aug 29, 2019 2:37 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 29 August 2019 Volume 31 : Issue 39

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    "Why positive train control is vulnerable to a cyber-attack"
    (D G. Rossiter)
    Frequency-sensitive trains and the lack of failure-mode analysis
    (Clive Page)
    Inside America's Dysfunctional Trillion-Dollar Fighter-Jet Program
    (Valerie Insinna via Richard Stein)
    Sometimes simplicity is dangerous ... (Rob Slade)
    A Bitter Divorce Battle on Earth Led to Claims of a Crime in Space (NYTimes)
    Premier's office accidentally publishes name of secret agent (TheAge)
    WeWork's Wi-Fi network is laughably easy to hack (Fast Company)
    Wake Up! Your House Is Calling (NYTimes)
    OpenAI releases larger GPT-2 dataset. Can it write fake news better
    than a human? (Boing Boing)
    SecurityWatch: Backstabbing, Disinformation, and Bad Journalism:
    The State of the VPN Industry (PCMag)
    Security Researchers Find Several Bugs in Nest Security Cameras (VICE)
    Found: World-readable database used to secure buildings around the globe
    (Ars Technica)
    Credit card privacy matters: Apple Card vs. Chase Amazon Prime Rewards Visa
    (WashPost)
    Regis University's technology systems targeted by malicious threat
    likely from outside the country (Denver Post)
    A Harvard freshman says he was denied entry to the U.S. over
    social media posts made by his friends (WashPost)
    Ring, the doorbell-camera firm, has partnered with 400 police
    forces, extending surveillance reach (WashPost)
    FBI seeks to monitor Facebook, oversee mass social media data
    collection (Charlie Osborne)
    Facebook's big win: Will this ruling have global impact on how
    your data is used? (Cathrin Schaer)
    Re: Playing God: Japan temple puts faith in robot priest (Amos Shapir)
    Re: Phishing spam is getting better (Amos Shapir)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 25 Aug 2019 20:48:40 +0000
    From: "D G. Rossiter" <d.g.r...@cornell.edu>
    Subject: "Why positive train control is vulnerable to a cyber-attack"

    Why positive train control is vulnerable to a cyber-attack | Trains Magazine

    Positive Train Control (PTC) is a federally-mandated replacement of
    traditional rail signaling on the largest railroads with a network of on-
    and off-train electronics to space trains and prevent collisions or
    runaways. Railroads are installing PTC on nearly 57,848 route miles and on
    19,912 locomotives.

    ``Unlike other critical infrastructure, such as energy or water management
    systems, rail networks have avoided regulations as lawmakers have focused
    recent efforts on safety due to high profile crashes,'' says Jesus Molina,
    director of business development, for Waterfall Security Solutions. ``There
    is no question that a PTC rollout without managing the cybersecurity risk
    will open new attack vectors due to increased connectivity and new software
    added to the networks and onboard train. In these cases, PTC may actually
    decrease the safety of passengers due to an unacceptable increased risk of
    cyberattacks that may lead to accidents.''

    ``The use of IT-focused security tools, in particular, software tools such
    as firewalls to protect control critical networks is a huge mistake, and
    with increasingly connected rail networks, it is becoming a dangerous trend.
    The focus of critical control networks is to be reliable and safe, and IT
    tools meant to protect data and confidentiality are not suitable to defend
    them. The most secure rail sites are not concerned with the steadily
    increasing sophistication of cyber-attacks, nor with the steadily increasing
    rate of disclosure of new attack vulnerabilities in control systems,
    network, firewalls and other security software. This is because the most
    secure sites protect their automation systems from cyber-attacks physically,
    with hardware-based solutions such as unidirectional security gateways.''

    In other words, this networked solution is not being treated as one linked
    to a physical reality, i.e., moving trains. DGR

    ------------------------------

    Date: Mon, 26 Aug 2019 23:20:14 +0100
    From: Clive Page <clive...@gmail.com>
    Subject: Frequency-sensitive trains and the lack of failure-mode analysis

    On 9 Aug 2019 around 4:53pm, lightning struck a transmission cable in
    south-eastern England. This had the unexpected result that a gas-fired
    power station and a large wind-farm detected grid anomalies and
    disconnected. This loss of generating capacity made the frequency drop from
    its nominal 50 Hz, reaching 48.8 Hz for a few seconds. To restore it, the
    grid control system cut power to about 1.1 million people for up to 50
    minutes. A report from OFGEM, the Government regulator, describes the
    events in more detail.
    https://www.ofgem.gov.uk/system/files/docs/2019/08/incident_report_lfdd_-_summary_-_final.pdf

    The railway system was much more badly affected, even though the traction
    and signaling power had been maintained. Most services from London to
    Bedford, Cambridge, and Peterborough depend on electric trains built in
    Germany by Siemens about two years ago. It now turns out that these trains
    stop if the frequency drops below 49 Hz. About 60 of them were running at
    the time; unfortunately only half of them could be restarted by the driver,
    and the others had to be visited by a technician, which took many hours. Many
    stranded passengers had to walk along the tracks to the nearest station.
    Even the inter-city services could not run as the lines were so badly
    blocked by stalled suburban trains. Practically no trains ran on these
    lines until the next day and in total over 1200 train services were canceled
    or delayed.

    I found this a surprising failure because pretty much all domestic and
    commercial equipment is designed to work on a wide range of frequencies,
    especially to cope with both 50 and 60 Hz regions of the world. The UK's
    National Grid Code says that the mains frequency could be as high as 52 Hz
    or as low as 47 Hz "in exceptional circumstances". So it is unfortunate
    that a train would be so sensitive to a 1.2 Hz deviation. Indeed with
    hindsight, one feels that a train that trips out at 49 Hz and then requires
    a technician to reset it is a very poor design and could easily lead, as
    this did, to a widespread system failure.

    It seems to me that in several industries failure mode analysis is no longer
    being performed adequately. Taking the crash of AF447 in 2009: the initial
    cause was that both pitot tubes froze up. The second failure was that the
    autopilots disconnected, leaving inexperienced pilots to cope unaided with
    flying in the middle of the night at maximum altitude over a tropical storm
    with some of their speed sensors not working. In their panic they first
    stalled and then crashed the plane, even though all they really needed to do
    to the controls was absolutely nothing. There are so many ways of measuring
    the speed of a plane that the loss of two sensors should not, in my opinion,
    lead to the autopilots simply giving up. Pilots depend on them so much that
    they ought to degrade more gracefully. A thorough failure-mode analysis
    might have brought up the possibility that in conditions where one pitot
    tube iced up, the second one might too, and that inexperienced pilots might
    then panic.

    The recent crashes of the 737 Max planes show a similar inability to
    consider the effects of a failure mode that is obvious to everyone in
    hindsight. Identifying all these failure modes in advance obviously takes
    more expertise and foresight - but is that really too much to ask of the
    relevant experts?

    ------------------------------

    Date: Sun, 25 Aug 2019 17:57:03 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Inside America's Dysfunctional Trillion-Dollar Fighter-Jet Program
    (Valerie Insinna)

    [Excellent long article excerpted -- first para culled by PGN, the second
    by RS, in which `Winter' refers to Vice Admiral Mat Winter. The
    subsequent analysis is Richard's. (A snitch in *Times* sways Stein?)
    PGN]

    Valerie Insinna, *The New York Times*, 21 Aug 2019
    Inside America’s Dysfunctional Trillion-Dollar Fighter-Jet Program

    On the morning of June 23, 2014, an F-35 burst into flames just moments
    before its pilot was set to take off on a routine training mission. He heard
    a loud bang and felt the engine slow as warning indicators began flashing
    `fire' and other alerts signaled that systems in the plane were shutting
    down. Witnesses at Eglin Air Force Base near Pensacola, Fla., reported
    seeing the pilot escape from the cockpit and run away from the fighter jet,
    which was engulfed in thick plumes of black smoke. It was the first major
    mishap involving a F-35 Joint Strike Fighter, and it couldn't have happened
    at a worse time. [...]

    "Winter also made it a priority to push for drastic streamlining in the
    process for testing new software in the F-35. Under the existing procedures,
    the Pentagon can require test flights for more than 300 different factors or
    functions when a new software load is installed. Winter worked to cut that
    down to a single validation flight, to test just the software and the
    systems it affects, rather than retesting the performance of the whole
    aircraft. A trial program staffed with a team of Air Force and Lockheed
    coders proved that the method works and doesn't put pilots at risk, and
    Winter's rapid software development strategy is now being implemented. But
    moving to an agile software approach for the F-35 presents a huge challenge
    for the sluggish and bureaucratic military acquisition system, and there's
    no blueprint for how to integrate it alongside the traditional processes for
    developing and testing hardware."

    In The Risks Digest, Henry Baker noted several
    operational flight plan (OFP) readiness issues that could compromise F-35
    system performance, mission and pilot safety.

    Software stacks possess latent defects waiting discovery under appropriate
    stimulus conditions. Truncated OFP qualification (regression test) limits
    detection potential. The test assets may be exhausted in their capacity to
    discover latent defects.

    Payload exchange among the F-35 subsystems can often reveal anomalous
    behavior, especially if the content is partially corrupt or inconsistent.
    Subsystem test stimulus restriction is most cost effective, but at what
    cost, to whom and when will the benefit be realized?

In earlier programs (~1970-1980 or so), the Air Force insisted on full,
end-to-end OFP qualification for any change. That the costs (schedule and
    performance) have ballooned beyond estimates, and now preclude comprehensive
    qualification coverage, is cause for concern and apparently represents a
    significant operational risk.

    ------------------------------

    Date: Sun, 25 Aug 2019 10:28:40 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Sometimes simplicity is dangerous ...

    We, in security, hate complexity.

    Complexity is the enemy of security.

    KISS, for us, isn't just an admirable principle, it's almost a way of life.
    We want to keep things as simple as possible, since they are going to get
    complex enough eventually anyway, and we *hate* that.

    But sometimes life is just complex, and there's nothing we can do about it.

    So, what has prompted this rumination on my part?

    Well, suddenly everyone has become aware that the Amazon rainforest is
    burning. This isn't new, of course. We should have been aware that the
    rainforest was burning some time ago. It's been burning for quite a while.
    But, hey, so what? There have been forest fires in other places, and we've
    survived. And most of us don't even know anyone who speaks Portuguese, so
    what's the problem?

    To understand that, you need to know about geology.

    There are different types of soils in the world. They have different
    components, one of which is regolith. Regolith is the breakdown product of
    the underlying rock. It contributes elements which, in turn, fix or release
    nutrients that plants need to grow. There are different soils, but they all
    have regolith.

    Except for tropical soil.

    The soil in the Amazon rainforest has so little contribution from regolith
    that it doesn't matter. So how do things grow, without the nutrient boost?

    To understand that, you need to understand biology and ecology.

    Trees grow in the tropical rainforest. Other plants grow on the trees.
    Because they have no roots, they collect water in pouches and cups. The
    water, as well as watering the plant, collects and kills bugs to get
    nutrients that those plants use to grow. The insects eat fruit and leaves
    up in the trees. Other animals eat fruit and drop the husks and leaves down
    to the ground. The leaf litter gets cut up by ants who use it to farm mold.
    Et cetera, et cetera until we get back to the trees. All of the huge
    complicated process has to go on to provide nutrients for the tropical soil,
    without which none of it lives.

    That's why ten percent of the *total* biodiversity on the planet is in the
    Amazon alone. They need it.

    Stand in a hemlock forest, and all you have is the canopy above you. Except
    for the dead branches that poke you and grab your clothes, there is nothing
    to impede you below that. Tropical rainforests have five separate and
    distinct layers, starting at the top canopy.

    But what does this have to do with the fires?

    Well, we (most of us) live in temperate rainforests. We don't understand
    the problem with forest fires. Fires go on all the time. Fires are
    actually useful in some ways. In the eastern forests, the First Nations
    used to set fires to make the land more productive. In the west, we know
    that, even if we weren't throwing cigarette butts around with gay abandon,
    the storms from the ocean (that bring the rain), also bring thunderstorms,
    and therefore lightning, and therefore, even without us, forest fires are a
    natural part of the forest growth, ecology, and procession.

    That's not the case in tropical rainforests.

In temperate rainforests, after the fire goes through, all we have to do is
plant douglas fir, and, within a few years, the trees are taller than we
are and there are mice and salal and mule deer and blackberries and bears
are pooping in the woods fertilizing the douglas fir.

    (And we have to hurry to plant the douglas fir, because, if we don't, five
    minutes after the fire goes through alder starts growing. We'll still have
    a forest, just with a different economic value.)

    That's not the case in tropical rainforests.

    After a fire, you can't just plant some trees. You've got this whole
    complex system that means that the fact that some insect you can't even name
    is missing means that *that* frog doesn't pollinate *that* bush which
    doesn't feed *that* fish and the whole thing falls apart. (Or, more likely,
    doesn't start in the first place.)

    In the tropical forest, after a fire, the grass (and crops, if you plant
    them), grow spectacularly. The first year. The second year, the grass is
    great. The third year, it's pretty good. After that, it's crap. Because
    the system isn't putting anything back into the soil.

In the temperate rainforest, the rains come from the ocean. (Remember?)
Even if we burned down all the trees, the rains would still come. Not in
    the tropical rainforest. Most of the rain comes from the forest itself.
    The trees are lifting tons of water into the atmosphere every day. It takes
    energy. And that's part of the reason that tropical rainforests have so
    much rain, and are four or five degrees cooler than tropical savannah.

    If we leave burned areas in the tropics alone, they might recover. But,
    whereas in the temperate rainforests it takes years, in the tropics it takes
    an equivalent number of millennia. The soil is dead, the land is in
    drought, and isolated stands of forest will probably die, unless they are
    miles in extent.

    OK, now look at a map of the world. Can you find the Amazon? Remember that
    not all of that bump is, in fact, the Amazon. Not even all of Brazil is all
    Amazon.

    And that part of that bump recycles 20% of all the oxygen in the
    atmosphere. And when we lose that oxygen recycling capacity, we lose that
    carbon sequestration capacity, all that rain, and that biodiversity (and all
    the undiscovered pharmaceuticals it contains). And it won't grow back.

    That's why a few fires in another country far away are important ...

    ------------------------------

    Date: Mon, 26 Aug 2019 09:22:31 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: A Bitter Divorce Battle on Earth Led to Claims of a Crime in Space
    (NYTimes)

    NASA is examining a claim that an astronaut improperly accessed the bank
    account of her estranged spouse from the Space Station.

    NASA Astronaut Anne McClain Accused by Spouse of Crime in Space

    ------------------------------

    Date: Mon, 26 Aug 2019 09:24:03 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Premier's office accidentally publishes name of secret agent
    (TheAge)

    https://www.theage.com.au/politics/...hes-name-of-secret-agent-20190822-p52juf.html

    ------------------------------

    Date: Mon, 26 Aug 2019 17:32:15 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: WeWork's Wi-Fi network is laughably easy to hack (Fast Company)

    WeWork’s laughably weak Wi-Fi password is downright dangerous

    ------------------------------

    Date: Mon, 26 Aug 2019 17:41:17 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Wake Up! Your House Is Calling (NYTimes)

    Wake Up! Your House Is Calling

    ------------------------------

    Date: Mon, 26 Aug 2019 17:57:42 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: OpenAI releases larger GPT-2 dataset. Can it write fake news better
    than a human? (Boing Boing)

    OpenAI releases larger GPT-2 dataset. Can it write fake news better than a human?

    ------------------------------

    Date: Mon, 26 Aug 2019 18:11:27 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: SecurityWatch: Backstabbing, Disinformation, and Bad Journalism:
    The State of the VPN Industry (PCMag)

    Backstabbing, Disinformation, and Bad Journalism: The State of the VPN Industry

    ------------------------------

    Date: Mon, 26 Aug 2019 19:11:38 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Security Researchers Find Several Bugs in Nest Security Cameras
    (VICE)

    Security Researchers Find Several Bugs in Nest Security Cameras

    ------------------------------

    Date: Tue, 27 Aug 2019 10:59:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Found: World-readable database used to secure buildings around the
    globe (Ars Technica)

    Found: World-readable database used to secure buildings around the globe

    ------------------------------

    Date: Wed, 28 Aug 2019 00:31:29 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Credit card privacy matters: Apple Card vs. Chase Amazon Prime
    Rewards Visa (WashPost)

    In a privacy experiment, he bought one banana with the new Apple Card -- and
    another with the Amazon Prime Rewards Visa from Chase. Here's who tracked,
    mined and shared our data.

    https://www.washingtonpost.com/tech...our-wallet-credit-cards-have-privacy-problem/

    Good luck following these details, let alone protecting yourself from being
    tracked.

    ------------------------------

    Date: Wed, 28 Aug 2019 00:49:09 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Regis University's technology systems targeted by malicious threat
    likely from outside the country (Denver Post)

    Elizabeth Hernandez, *The Denver Post*, 23 Aug 2019

    A forensic investigation at Denver's Regis University confirmed Friday that
    the private college's technology systems were attacked by a malicious
    threat, likely from outside the country.

    University officials declined to say whether the situation at Regis was a
    ransomware attack, saying the matter is still under investigation.
    ``Immediately upon discovering this issue, we quickly and intentionally took
    our information technology systems offline in an effort to protect the
    university and your information while we initiated an investigation and
    notified law enforcement. We are unfortunately only the latest entity to
    face this kind of incident.''

    Regis University technology targeted by "malicious threat"
    Regis University unplugged: Ongoing security threat forces old-school start to fall semester
    https://www.denverpost.com/2019/08/27/regis-university-cyber-attack-3/

    ------------------------------

    Date: Wed, 28 Aug 2019 08:21:03 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: A Harvard freshman says he was denied entry to the U.S. over
    social media posts made by his friends (WashPost)

    https://www.washingtonpost.com/educ...-over-social-media-posts-made-by-his-friends/

    Deanna Paul and Susan Svrluga, 27 Aug 2019

    Ismail B. Ajjawi touched down at Boston Logan International Airport on
    Friday night, prepared to begin his freshman year at Harvard
    University. The 17-year-old Palestinian student never left the airport.

    The Harvard Crimson reported that U.S. officials detained Ajjawi for eight
    hours. After interrogating the minor and searching his phone and computer,
    they revoked his visa and sent him home to Lebanon.

    Why?

According to a statement by Ajjawi, an immigration officer claimed she
``found people posting political points of view that oppose the U.S.,''
though she discovered nothing Ajjawi had posted himself.

    ------------------------------

    Date: Wed, 28 Aug 2019 12:20:56 -0400
    From: Gabe Goldberg <ga...@gabegold.com> DUP???
    Subject: Ring, the doorbell-camera firm, has partnered with 400 police
    forces, extending surveillance reach (WashPost)

    The doorbell-camera company Ring has quietly forged video-sharing
    partnerships with more than 400 police forces across the United States,
    granting them access to homeowners' camera footage and a powerful role in
    what the company calls the nation's new neighborhood watch.

    The partnerships let police automatically request the video recorded by
    homeowners' cameras within a specific time and area, helping officers see
    footage from the company's millions of Internet-connected cameras installed
    nationwide, the company said. Officers don't receive ongoing or live-video
    access, and homeowners can decline the requests, which Ring sends via email
    thanking them for ``making your neighborhood a safer place.''

    The number of police deals, which has not previously been reported, is
    likely to fuel broader questions about privacy, surveillance and the
    expanding reach of tech giants and local police. The rapid growth of the
    program, which began in spring 2018, surprised some civil liberties
    advocates, who thought that fewer than 300 agencies had signed on.

    https://www.washingtonpost.com/tech...h-police-forces-extending-surveillance-reach/

    ------------------------------

    Date: Wed, 28 Aug 2019 10:39:09 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: FBI seeks to monitor Facebook, oversee mass social media data
    collection (Charlie Osborne)

    Charlie Osborne for Zero Day | 12 Aug 2019
    Plans to track social media activity will potentially clash with existing
    privacy policies.
    https://www.zdnet.com/article/fbi-s...ok-oversee-mass-social-media-data-collection/

    The Federal Bureau of Investigation (FBI) is planning to aggressively
    harvest information from Facebook and Twitter, a move which is likely to
    cause a clash between the agency and social media platforms.

    As reported by the Wall Street Journal, the FBI has recently sought
    proposals from third-party vendors for technological solutions able to
    harvest publicly-available information in bulk from Facebook, Twitter, and
    other social media outlets.

    ------------------------------

    Date: Wed, 28 Aug 2019 10:43:23 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Facebook's big win: Will this ruling have global impact on how
    your data is used? (Cathrin Schaer)

    Cathrin Schaer for The German View, ZDNet, 27 Aug 2019
    What was seen as one of the best ways to regulate social-media giants like
    Facebook has just fallen apart in a Düsseldorf court.
    https://www.zdnet.com/article/faceb...-have-global-impact-on-how-your-data-is-used/

    opening text:

    A decision by a regional court in Germany has derailed what many saw as the
    world's best chance to regulate the behavior of data-gobbling social-media
    giants like Facebook.

    ------------------------------

    Date: Sun, 25 Aug 2019 17:23:14 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Playing God: Japan temple puts faith in robot priest (RISKS-31.38)

    I think there was a story by Isaac Asimov about an intelligent robot who
    turned religious and became a Muslim.

    ------------------------------

    Date: Sun, 25 Aug 2019 17:29:16 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Phishing spam is getting better (RISKS-31.38)

    This should be a golden rule for anyone reading email: Never click on any
    link in an unsolicited incoming message, especially not one from your bank
    (or any other service which may have access to your money).

    If your bank needs you to click a link in their email message, it's *their*
    problem.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.39
    ************************
     
  11. LakeGator

    Risks Digest 31.40

    RISKS List Owner

    Sep 5, 2019 5:58 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 5 September 2019 Volume 31 : Issue 40


    Contents:
    Avoiding a space collision (MIT Tech Review)
    Elon Musk said the satellites his company launches will avoid
    potential collisions on their own. (QZ)
    Strangelove redux: U.S. experts propose having AI control nuclear weapons
    (Bulletin of the Atomic Scientists)
    Tesla autopilot is found partly to blame for 2018 freeway crash (via GG)
    Tesla customers locked out of our cars: unknown error (Reddit)
    iPhone hacks (The Register)
    Google accused of leaking personal data to thousands of advertisers
    (Liam Tung)
    Governments Shut Down the Internet to Stifle Critics. Citizens Pay the Price
    (NYTimes)
    600,000 GPS trackers left exposed online with a default password of '123456'
    (Catalin Cimpanu)
    How Apple's HomePod turned my friends into rude troglodytes
    (Chris Matyszczyk)
    Apple is Bad at Software, says Google (Security Boulevard)
    Algorithmic Foreign Policy (Scientific American)
    Oregon Judicial Department hit by phishing attack (Bradenton)
    Cyberattacks Mar Start of Academic Year (InsideHigherEd)
    Ask Amy: Son left home, but left behind racy mementos (WashPost)
    'Dutch mole' planted Stuxnet virus in Iran nuclear site on behalf of CIA,
    Mossad (The Times of Israel)
    Frequency-sensitive trains and the lack of failure-mode analysis
    (R.G. Newbury)
    Forget email: Scammers use CEO voice 'deepfakes' to con workers into wiring
    cash (Liam Tung)
    Re: Sometimes simplicity is dangerous ... (Alexander Klimov)
    Re: Facebook's big win (Amos Shapir)
    Re: Phishing spam is getting better (Roger Bell_West)
    Re: A Harvard freshman says he was denied entry to the U.S. over social
    media posts (Dick Mills)
    Re: Contingency plan for compromised fingerprint database (Martin Ward)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 2 Sep 2019 10:14:07 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Avoiding a space collision (MIT Tech Review)

The European Space Agency had to move one of its satellites out of the way
today to protect it from colliding with a SpaceX Starlink satellite, crashing
into a mega-constellation satellite. Specifically, it had to fire the Aeolus
satellite's thrusters in order to increase its altitude so it could pass over
a SpaceX Starlink satellite.

Aeolus, a scientific satellite launched in August 2018 to improve weather
forecasting,
    started returning data shortly after the time of the expected collision,
    showing it had successfully avoided a collision. ESA said it was rare that
    it has to dodge active satellites: most maneuvers of this sort are to avoid
    debris. Aeolus orbits considerably lower than the Starlink constellation's
    current orbit height so it is possible that the SpaceX satellite it had to
    dodge was one of the three that SpaceX is de-orbiting after it lost contact
    with them.
    <SpaceX has lost communication with three of its 60 Starlink satellites>

*Subtle dig:* It's hard not to interpret the news as a criticism of
SpaceX's plans to launch 12,000 satellites to provide broadband Internet
connections. Other firms, like Telesat, OneWeb and LeoSat, have similar
plans. SpaceX started by launching 60 of the satellites in May 2019, but it
plans to rapidly ramp up the numbers in the coming months.
<OneWeb is about to launch its first internet satellites to connect the unconnected>
<https://www.technologyreview.com/f/613580/spacex-has-launched-the-first-60-satellites-of-its-space-internet-system/>

*Space debris:* The ESA is far from alone in its concerns. Space debris
experts warn that these sorts of mega constellations of satellites have the
potential to cause far greater and longer-lasting problems than more
eye-catching stunts like India's anti-satellite missile test. It's currently
very rare to have to dodge active satellites, the ESA said, but we can
expect to see several hundreds of collision warnings every week before long.
<Why satellite mega-constellations are a threat to the future of space>
<India says it has just shot down a satellite in space>
<Space Debris>

    *A potential solution:* Today's manual collision avoidance processes simply
    won't work in an age of mega-constellations. There will be too many to keep
    tabs on. As a result, ESA is preparing to automate this process using
    artificial intelligence systems, which assess potential collisions and move
    satellites out of the way. Until those are up and running, we're relying on
    human observation and intervention.

    One of SpaceX’s Starlink satellites almost collided with a weather satellite

    ------------------------------

    Date: Mon, 2 Sep 2019 10:31:34 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Elon Musk said the satellites his company launches will avoid
    potential collisions on their own. (QZ)

    ``Within a year and a half, maybe two years, if things go well, SpaceX will
    probably have more satellites in orbit than all other satellites combined,''
    Elon Musk said last week.

This is an exaggeration. There are almost 2,000 operational satellites in
space right now. But Thursday night's launch of 60 satellites for a new
Internet network called Starlink is the first step towards that goal. Today,
Musk's space company said it expects to launch six more times in 2019, with
the goal of operating 720 satellites by the end of 2020, and eventually
more than 4,000.
    <SpaceX is about to take the lead in the satellite internet race>

The Federal Communications Commission -- the lead regulator for American
satellites -- approved these satellites, among 13,000 new satellites okayed
    in the last year. That huge number has many in the space community nervous
    about the potential for collisions with other satellites or with space
    debris.
    <China’s plummeting space station is just a taste of the world’s space junk problem>
    <Photos: This is the damage that tiny space debris traveling at incredible speeds can do>

    Neither the United States nor the world has a reliable system for managing
    traffic in space, and policymakers are struggling to keep up with the
    private sector's growing ability to hurl computers into the cosmos at faster
    and faster rates.

Musk said the satellites his company launches will avoid potential
collisions on their own. And Mark Juncosa, the SpaceX executive in charge of
    developing the Starlink satellites, downplayed concerns when answering press
    inquiries on the matter last week. ``It might be worth mentioning for
    people that are not in the space industry space is really big,'' he said.

    SpaceX’s new satellites will dodge collisions autonomously (and they’d better)

    ------------------------------

    Date: Wed, 4 Sep 2019 15:23:15 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Strangelove redux: U.S. experts propose having AI control nuclear
    weapons (Bulletin of the Atomic Scientists)

    Hypersonic missiles, stealthy cruise missiles, and weaponized artificial
    intelligence have so reduced the amount of time that decision makers in the
    United States would theoretically have to respond to a nuclear attack that,
    two military experts say, it's time for a new U.S. nuclear command, control,
    and communications system. Their solution? Give artificial intelligence
    control over the launch button.

    In an article in War on the Rocks titled, ominously, America Needs a ‘Dead
    Hand,’ U.S. deterrence experts Adam Lowther and Curtis McGiffin propose a
    nuclear command, control, and communications setup with some eerie
    similarities to the Soviet system referenced in the title to their query
    piece. The Dead Hand was a semiautomated system developed to launch the
    Soviet Union's nuclear arsenal under certain conditions, including,
    particularly, the loss of national leaders who could do so on their own.
Given the increasing time pressure Lowther and McGiffin say U.S. nuclear
decision makers are under, ``[I]t may be necessary to develop a system based
    on artificial intelligence, with predetermined response decisions, that
    detects, decides, and directs strategic forces with such speed that the
    attack-time compression challenge does not place the United States in an
    impossible position.''

    https://thebulletin.org/2019/08/strangelove-redux-us-experts-propose-having-ai-control-nuclear-weapons#

    ...and pay for it with bitcoin.

    ------------------------------

    Date: Wed, 4 Sep 2019 14:02:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Tesla autopilot is found partly to blame for 2018 freeway crash

Car on Autopilot struck parked fire truck near Los Angeles.
Report is second concluded by NTSB on Tesla automation.

    U.S. transportation safety investigators found Tesla's design of its
    automated driver-assist system was partly to blame for a crash in which an
    inattentive driver slammed into a fire truck parked on a freeway near Los
    Angeles in 2018.

    The National Transportation Safety Board also cited the driver's failure to
    stop for the truck, which was parked with its emergency lights on, in the 22
    Jan 2018, collision, which caused no injuries. The driver's actions were
    ``due to inattention and overreliance on the vehicle's advanced driver
    assistance system,'' the NTSB said in a final report released Wednesday.

    The vehicle's design ``permitted the driver to disengage from the driving
    task'' the agency said, adding that the driver was using the system ``in
    ways inconsistent with guidance and warnings from the manufacturer.''

    The findings are the latest to put the coming wave of automated driving
    machines under a microscope over doubts about their safety and how they
    interact with the humans behind the wheel. In 2017 the agency cited the
    Tesla system's design as a contributor to a fatal 2016 crash in Florida,
    prompting two recommendations to the company and other manufacturers to
    improve the safety of partially autonomous driving tools. [...]

    Tesla autopilot is found partly to blame for 2018 freeway crash

    ------------------------------

    Date: Mon, 2 Sep 2019 17:34:14 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Tesla customers locked out of our cars: unknown error (Reddit)

    Customer service says they don't know root cause and are all hands on deck
    to resolve. People stranded all over the country. Key card and fob work so
    if you have that with you, you are in luck. Call center is blowing up.

    https://teslamotorsclub.com/tmc/threads/tesla-ap-down.164885/

    ------------------------------

    Date: Sun, 1 Sep 2019 11:51:42 -0400
    From: Tom Van Vleck <th...@multicians.org>
    Subject: iPhone hacks (The Register)

    There has been recent discussion of hacks of the iPhone OS. See the article
    in *The Register*, which points to the detailed article by Google Project
    Zero.
    Google security crew sheds light on long-running super-stealthy iOS spyware operation

    The complexity and subtlety of the attacks described in the Project Zero
    article is amazing. It appears that this is not done by one powerful wizard
    (like Mark Dowd) but rather a whole Ministry of Magic.

    My guess would be that there are additional, similarly elaborate, exploits
    not yet described. QA guy's rule of thumb: for every bug you found, there
    is one you haven't found yet.

    iPhones are programmed in a C-like language extended with rules,
    conventions, libraries, and frameworks. It is like making a 737 Max
    airliner out of trillions of individually glued matchsticks. It might
    fly... but the technology chosen is too delicate and vulnerable for the
    purpose intended, and there may be significant systemic weaknesses not
    addressed by choice of implementation technique.

    It seems clear that trying to write secure operating systems in C does not
    work. Very smart people have tried for 50 years, and the solution to the
    problem is not reduced to practice.

    I think we need even more powerful tools.. and by tools I mean ideas and
    approaches as well as compilers. Rust, Swift, Scala, Go. Well maybe.
    Focusing on the language is not enough. We tried that. SEL4, Haskell.
    Proof methodology. Not yet accepted as standard, the way C replaced
    assembler. When I look at the Multics B2 and Secure VMS projects, I get the
    feeling that we are still doing it wrong. Trying to build skyscrapers with
    two-by-fours and hammers.

    I used to say, ``the software is crying out to us with the only voice it
    has, failure reports. We have to listen, and figure out why, and imagine
    solutions.''

    I feel like our problem is philosophical. I'd like better clarity about what
    we require operating systems to do, and what kind of certainty we want about
    their behavior.

    We are still in the pit, and better shovels won't be enough.

    ------------------------------

    Date: Thu, 05 Sep 2019 10:41:27 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Google accused of leaking personal data to thousands of advertisers
    (Liam Tung)

    Liam Tung, ZDNet, 5 Sep 2019
    Browser maker Brave says Google is using a secret workaround to bypass EU
    data-protection laws and serve targeted ads.
    https://www.zdnet.com/article/google-accused-of-leaking-personal-data-to-thousands-of-advertisers/

    ------------------------------

    Date: Mon, 2 Sep 2019 19:03:42 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Governments Shut Down the Internet to Stifle Critics. Citizens Pay
    the Price (NYTimes)

    https://www.nytimes.com/2019/09/02/world/africa/internet-shutdown-economy.html

    Internet shutdowns have become one of the defining tools of government
    repression in the 21st century — but citizens bear the cost at work and at
    home.

    ------------------------------

    Date: Thu, 05 Sep 2019 10:47:34 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: 600,000 GPS trackers left exposed online with a default password
    of '123456' (Catalin Cimpanu)

    Catalin Cimpanu, ZDNet, 5 Sep 2019
    Default password is a danger for customers, but also for the vendor itself.
    https://www.zdnet.com/article/60000...sed-online-with-a-default-password-of-123456/

    At least 600,000 GPS trackers manufactured by a Chinese company are using
    the same default password of `123456', security researchers from Czech
    cyber-security firm Avast disclosed today.

    They say that hackers can abuse this password to hijack users' accounts,
    from where they can spy on conversations near the GPS tracker, spoof the
    tracker's real location, or get the tracker's attached SIM card phone number
    for tracking via GSM channels.

    Researchers explain that accounts on the cloud service are created as soon
    as the GPS trackers are manufactured. They said that a malicious competitor
    could hijack these accounts before the devices are sold and change their
    passwords, effectively locking accounts and creating customer support
    problems for Shenzhen i365-Tech and its resellers later down the road.

    ------------------------------

    Date: Thu, 05 Sep 2019 10:37:00 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: How Apple's HomePod turned my friends into rude troglodytes
    (Chris Matyszczyk)

    Chris Matyszczyk for Technically Incorrect, ZDNet, 5 Sep 2019
    They say technology changes human behavior. As I've found when I invite
    friends to my house. Thanks, Apple.
    https://www.zdnet.com/article/how-apples-homepod-turned-my-friends-into-rude-troglodytes/

    Still, here was a friend I'd known for some time who, after dinner, suddenly
    decided to take control.

    Take control of my HomePod that is.

    Usually, when friends come over, I ask Siri to play a little quiet music to
    add serenity to the atmosphere. Some Keith Jarrett, perhaps. Or, if I don't
    want the friends to stay too long, some Mud and Bay City Rollers hits from
    the 70s.

    Until that fateful night, though, no one had expressed unease about the
    music. Until my friend suddenly shouted across the room: ``Hey Siri, play
    some Tears For Fears.''

    Normally, this friend is politeness itself.

    There was no ``do you mind if we change the music?'' There wasn't even a
    hint of ``you know Beethoven's not cool anymore, don't you?''

    It was as if it was de rigueur to shout to Siri -- in the belief that she's
    actually your own Alexa -- and get what you feel like.

    Would anyone have behaved this way with previous technologies? Did guests
    simply walk over to the record player, the cassette player, the CD player
    and change the music whenever they felt like it?

    ------------------------------

    Date: Sat, 31 Aug 2019 23:59:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Apple is Bad at Software, says Google (Security Boulevard)

    https://securityboulevard.com/2019/08/apple-is-bad-at-software-says-google/

    ------------------------------

    Date: Sat, 31 Aug 2019 11:23:30 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Algorithmic Foreign Policy (Scientific American)

    https://blogs.scientificamerican.com/observations/algorithmic-foreign-policy/

    ``Last year, China unveiled its development of a new artificial intelligence
    system for its foreign policy. It's called a 'geopolitical environment
    simulation and prediction platform,' and it works by crunching huge amounts
    of data and then providing foreign policy suggestions to Chinese
    diplomats. According to one source, China has already used a similar AI
    system to vet almost every foreign investment project in the past few years.

    ``Consider what this development means: Slowly, foreign policy is moving away
    from diplomats, political-risk firms and think tanks, the 'go-to'
    organizations of the past. Slowly, foreign policy is moving toward advanced
    algorithms whose primary objective is to analyze data, predict events and
    advise governments on what to do. How will the world look when nations are
    using algorithms to predict what happens next?''

    Computer software digests human events and reactions to them. It does not
    forget the past, but assigns weights to their apparent impact on the
    governing world, regional, local or social order. Use this production system
    (ala OPS5) to simulate (extrapolate) future events.

    Risk: Coupled to an armed forces situation room, this platform seems certain
    to possess `alarm fatigue' potential.

    What ever happened to game theory and wisdom? Have these techniques and
    experts become so expensive, or their advice so easy to mistrust, that only
    a computer's recommendation can be accepted?

    See The Man Who Saved the World for a fortuitous example of human common
    sense at work.

    ------------------------------

    Date: Fri, 30 Aug 2019 10:47:58 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Oregon Judicial Department hit by phishing attack (Bradenton)

    https://www.bradenton.com/news/business/technology/article234530047.html

    ------------------------------

    Date: Fri, 30 Aug 2019 10:54:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Cyberattacks Mar Start of Academic Year (InsideHigherEd)

    https://www.insidehighered.com/news...rsities-targeted-hackers-just-new-school-year

    ------------------------------

    Date: Fri, 30 Aug 2019 00:35:18 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Ask Amy: Son left home, but left behind racy mementos (WashPost)

    Ask Amy: Son left home, but left behind racy mementos
    Parent opened files on home computer to find nude photos.

    https://www.washingtonpost.com/life...b661f4-c04c-11e9-a5c6-1e74f7ec4a93_story.html

    ------------------------------

    Date: Thu, 5 Sep 2019 00:03:19 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: 'Dutch mole' planted Stuxnet virus in Iran nuclear site on behalf
    of CIA, Mossad (The Times of Israel)

    https://www.timesofisrael.com/dutch-mole-planted-infamous-stuxnet-virus-in-iran-nuclear-site-report/

    ------------------------------

    Date: Tue, 3 Sep 2019 13:28:17 -0400
    From: "R. G. Newbury" <new...@mandamus.org>
    Subject: Frequency-sensitive trains and the lack of failure-mode analysis
    (Re: RISKS-31.39)

    > Identifying all these failure modes in advance obviously takes more
    > expertise and foresight -- but is that really too much to ask of the
    > relevant experts?

    It is a lack of imagination. The 'relevant experts' are often what Nassim
    Taleb calls Intelligent Yet Idiot. The experts transgress beyond their
    expertise and wrongly (and disastrously) believe that NOTHING CAN GO WRONG,
    beyond what they have considered. They lack the imagination to see other
    scenarios. In Taleb's words, they cannot see black swans, therefore no black
    swan can exist.

    What is actually needed in the planning/design stage is to present the
    unexpected scenario to people who face the real situation every day, and ask
    them ``X has just failed. What can happen next? What do you do? What can
    happen then?'' And present it to *lots of people in the relevant
    field*. Some one of them will likely have experienced it, or recognized it
    lurking just out of sight, and *not gone there*.

    The ultimate underlying cause of the crash of AF447 was that there was NO
    FEEDBACK between the two flight controls. There was during the design stage
    *and thereafter*, a total lack of imagination that the two pilots would do
    or even WANT TO DO, different things. And, most importantly, no feedback to
    tell the pilots that they *were* doing different things.

    The pilot was unaware that the co-pilot had `frozen' with the stick full
    aft. If he had known that, he would have called 'my plane' and whacked the
    co-pilot across the face if necessary to regain control.

    There was a complete lack of imagination of the human factor by 'the
    experts'. That can happen even in hindsight: compare the 'investigation'
    scenes in the movie Sully, where the 'experts' are utterly convinced that
    Sullenberger 'ought to have turned back'. But they wanted him to do so
    *instantly*. They pointed to the fact that, in simulations, pilots were able
    to land safely. Not particularly noticeable in the scene, is the revelation
    that it took the 'expert' pilots 17 attempts to land at Teterboro, even
    though they knew exactly what was going to happen and could react instantly
    in their *simulation*. Only when Sully forced a recognition of the human
    factor was reality made real. The scenes are a great example of the power of
    tunnel vision and how it can blind the best of the experts. Add politics or
    money (but I repeat myself) and the mixture is toxic.

    The other underlying causes of AF447 are also due to a lack of imagination
    of *what could happen next*. The autopilot shut off when it lost air-speed
    data. Why was it not commanded to cross-check with GPS data? Why was there
    no *explicit* error message, followed by an automatic over-ride command to
    turn on pitot heat, (as pitot icing is the most likely reason for a loss of
    airspeed data and it cannot hurt), and to *turn off the stall warning* as it
    was misleading. And an announcement. Moreover, if the airspeed data is
    suspect, the warning should refer to a transfer to GPS data, and adjust the
    displays accordingly so to not be misleading.

    As it was, iirc, the autopilot silently disconnected itself, without
    announcement, and suddenly, the stall warning started blaring *which caused
    the copilot to panic*. What really should have happened was an announcement
    along the lines of: ``Warning: airspeed indication does not agree with GPS
    data. Autopilot changing to use of GPS data. Turning on pitot heat. Stall
    warning deactivated.''

    Note that a similar cross-check of airspeed v GPS could have prevented the
    737 disasters. If the plane were commanded to use the higher of the two
    inputs (and warn accordingly) it is quite possible that neither disaster
    would have occurred. (I presume that a non-operating GPS is now 'do not fly'
    checkbox for commercial flights). (But of course, that might have actually
    cost more money and the airlines did not request an upgrade being unaware of
    the actual danger.)

    Another example of lack of imagination is the Fukushima disaster. None of
    'the experts' considered what would happen if a tsunami did overflow the
    sea-wall: But, but, but you will never, ever, get 10 feet of water on the
    site!

    I am reasonably certain that any graduates of the U.S. Navy's reactor school
    would have instantly recognized that having the 'emergency' generator, AND
    its fuel at the lowest level of the site was a major mistake. The generator
    and its fuel should have been some distance away, and placed in an elevated
    location, such as the top of a berm a couple of miles inland from the
    reactors.

    As another point, why was there no vent in the roof to disperse the
    hydrogen? We know that a meltdown will release hydrogen. The great majority
    of the damage to the building was not from the tsunami, it was from the
    explosion of the (contained) hydrogen. This also destroyed a large amount of
    the piping which could have been used for remediation/reduction of the
    meltdown.

    Putting the used reactor fuel storage in a pool six stories up, was just
    plain stupid, especially in an earthquake prone site. It was apparently not
    damaged by the tsunami, but *by the explosion*! They had to bring in
    concrete pumpers to replenish the water in the fuel pool, which was now
    leaking. But due to the damage to the building they had no way to remove the
    fuel bundles, nor easily fix the leaks. All a failure of imagination. What
    could go wrong next? How do we avoid that event?

    Lack of imagination is a widespread failure. I am sure that no engineer in
    Minneapolis ever thought to consider what happens to the bridge if acid from
    pigeon poop reduces that tie-plate from 1" down to a half inch? Or put
    another way, what is the minimum allowed thickness of the structural
    components before repair is necessary. Possibly that should be required in
    the as-designed blue-prints, as instructions for upkeep.

    ------------------------------

    Date: Wed, 04 Sep 2019 10:53:20 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Forget email: Scammers use CEO voice 'deepfakes' to con workers
    into wiring cash (Liam Tung)

    Liam Tung, ZDNet, 4 Sep 2019
    AI-generated audio was used to trick a CEO into wiring $243,000 to a
    scammer's bank account.
    https://www.zdnet.com/article/forge...ce-deepfakes-to-con-workers-into-wiring-cash/

    ------------------------------

    Date: Tue, 3 Sep 2019 10:39:24 +0000
    From: Alexander Klimov <alse...@inbox.ru>
    Subject: Re: Sometimes simplicity is dangerous ... (RISKS-31.39)

    > And that part of that bump recycles 20% of all the oxygen in the
    > atmosphere.

    It is unclear what `recycle' is supposed to mean, but if this phrase was
    supposed to say that a mature forest produces oxygen, then it is not the
    case. While the forest takes in carbon dioxide from the atmosphere during
    photosynthesis and converts it to oxygen to support new growth, it also
    gives off comparable levels of carbon dioxide when old trees die. To really
    `produce' oxygen one needs to sink the produced carbon, for example, in a
    swamp.

    ------------------------------

    Date: Sat, 31 Aug 2019 14:02:29 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Facebook's big win (RISKS-31.39)

    This court decision is not really that important. Even if there were a
    ruling which would require Facebook to get the consent of users for sharing
    their data among its apps, it is easy to imagine what could happen:

    Immediately afterward, every user in a country where such legislation is in
    effect, would not be able to post anything on any of these apps, without
    encountering a VERY LONG message of convoluted legalese, with an `I agree'
    button at the end.

    You can bet that 99.99% of them would click the button within 1 second.
    Voila! There you have it: consent.

    ------------------------------

    Date: Fri, 30 Aug 2019 10:11:24 +0100
    From: Roger Bell_West <ro...@nospam.firedrake.org>
    Subject: Re: Phishing spam is getting better (Shapir, RISKS-31.39)

    > This should be a golden rule for anyone reading email: Never click on any
    > link in an unsolicited incoming message, especially not one from your bank
    > (or any other service which may have access to your money).

    Can you tell whether a message is unsolicited? Can you _really_?

    This reduces easily to ``Never click on any link in an incoming message.''
    and from that we can quickly reach ``Never trust any message's text/html
    part.''

    Alas, banks and others believe that their customers NEED to see the
    corporate logo and the custom layout and the tracking bugs, and are
    increasingly prone to have a fake text/plain part, usually along the lines
    of ``your client can't display this message.''

    (I would remind them, if they cared, that RFC2046 5.1.4 requires that 'Each
    part of a *multipart/alternative* entity represents the same data'.)
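    The RFC 2046 section 5.1.4 requirement quoted above can be checked
    mechanically on incoming mail. What follows is an added example, not part
    of Roger's post and not text from the RFC: it parses a constructed
    multipart/alternative message with Python's standard email library, flags
    a text/plain part that is only a "can't display this message" stub, lists
    links that exist in the HTML part but nowhere in the plain part, and lists
    image sources that may be tracking bugs. The sample messages, addresses
    and URLs are constructed for the example; the placeholder phrases in
    PLACEHOLDER_RE are an assumption about common wording, not a standard.

```python
"""Flag multipart/alternative messages whose parts do not represent the
same data (RFC 2046 5.1.4). Constructed example for illustration."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Constructed sample 1: placeholder plain part, real content only in HTML.
STUB_MESSAGE = b"""\
From: notices@example-bank.test
To: customer@example.test
Subject: Action required on your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your email client can't display this message. Please view it in a browser.

--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been limited. <a href="http://verify.example-phish.test/login">Verify now</a>.</p>
<img src="http://track.example-phish.test/pixel.gif?id=123" width="1" height="1">
</body></html>

--b1--
"""

# Constructed sample 2: both parts carry the same text and the same link.
CONFORMING_MESSAGE = b"""\
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset=utf-8

Your August statement is ready: https://statements.example-bank.test/2019-08

--b2
Content-Type: text/html; charset=utf-8

<p>Your August statement is ready: <a href="https://statements.example-bank.test/2019-08">view it</a></p>

--b2--
"""

# Assumed wording of "fake" plain parts; tune to the mail you actually see.
PLACEHOLDER_RE = re.compile(
    r"(can'?t|cannot|unable to) (display|view|render)|view (this|it) in (a|your) browser",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkExtractor(HTMLParser):
    """Collect <a href> targets and <img src> sources from the HTML part."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.img_srcs = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.img_srcs.append(attrs["src"])


def compare_alternatives(raw):
    """Return findings about the first text/plain and text/html parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    plain = html = None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and plain is None:
            plain = part.get_content()
        elif ctype == "text/html" and html is None:
            html = part.get_content()
    findings = {"placeholder_plain": False, "links_only_in_html": [],
                "tracking_images": []}
    if plain is None or html is None:      # nothing to compare
        return findings
    findings["placeholder_plain"] = bool(PLACEHOLDER_RE.search(plain))
    ext = _LinkExtractor()
    ext.feed(html)
    plain_urls = set(URL_RE.findall(plain))
    findings["links_only_in_html"] = [u for u in ext.hrefs if u not in plain_urls]
    findings["tracking_images"] = list(ext.img_srcs)
    return findings


def is_suspicious(raw):
    """True when the alternative parts clearly do not carry the same data."""
    f = compare_alternatives(raw)
    return f["placeholder_plain"] or bool(f["links_only_in_html"])


if __name__ == "__main__":
    print(compare_alternatives(STUB_MESSAGE))
    print(is_suspicious(CONFORMING_MESSAGE))
```

    A mail gateway or a local filter can run this check and treat a stub plain
    part plus HTML-only links as a reason to show the reader the plain part
    only, or to quarantine the message for review; the placeholder patterns
    and the decision rule in is_suspicious are the parts to adjust to local
    traffic.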

    ------------------------------

    Date: Sat, 31 Aug 2019 13:11:23 -0400
    From: Dick Mills <dickandl...@gmail.com>
    Subject: Re: A Harvard freshman says he was denied entry to the U.S. over
    social media posts (RISKS-31.39)

    For years I have heard similar anecdotes from Canadian friends. They say
    that U.S. Customs and Immigration employees seem to not know the rules.
    Agents just make up rules as they go along. Every agent has a different
    idea of what the rules are.

    That might be the real story in the Harvard student case. Just a civil
    servant doing security checks by ad hoc methods, and without adequate
    training.

    If there really were specific rules and procedures governing who is and is
    not allowed in the country, it would be as thick as an old fashioned phone
    book, and it would have been leaked to the press long ago.

    ------------------------------

    Date: Thu, 29 Aug 2019 09:41:45 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Contingency plan for compromised fingerprint database
    (Slonim, RISKS-31.37)

    If the access control locks out after n tries (where n << 10), then anyone
    can carry out a denial of service attack (or at least: anyone who has n or
    more fingers).
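    To make the lockout-versus-denial-of-service point concrete, here is an
    added example, not from Martin's post: two login policies simulated in
    Python. The first closes the account for everyone after n failures, so n
    wrong attempts from anywhere lock the legitimate user out; the second only
    slows down the (account, source) pair that produced the failures. The
    policies, thresholds (n=5, 15-minute lock, 1-second base delay), account
    name and source addresses are assumptions chosen for illustration, and the
    clock is a logical counter rather than wall time.

```python
"""Account lockout versus per-source throttling. Constructed example; the
policies and thresholds are illustrative assumptions, not any vendor's."""
from collections import defaultdict


class HardLockout:
    """Policy A: after n consecutive failures the account is locked for
    everyone, whatever the source of the failures."""

    def __init__(self, n=5, lock_seconds=900):
        self.n = n
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> logical time

    def attempt(self, account, source, credential_ok, now):
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if credential_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.n:
            self.locked_until[account] = now + self.lock_seconds
            self.failures[account] = 0
            return "locked"
        return "denied"


class PerSourceBackoff:
    """Policy B: failures only delay the (account, source) pair that made
    them, with an exponentially growing wait capped at max_seconds; the
    account itself is never closed, so a correct credential presented from
    elsewhere still succeeds."""

    def __init__(self, base_seconds=1, max_seconds=3600):
        self.base = base_seconds
        self.max = max_seconds
        self.failures = defaultdict(int)       # (account, source) -> failures
        self.next_allowed = defaultdict(int)   # (account, source) -> time

    def attempt(self, account, source, credential_ok, now):
        key = (account, source)
        if self.next_allowed[key] > now:
            return "throttled"
        if credential_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        delay = min(self.max, self.base * 2 ** (self.failures[key] - 1))
        self.next_allowed[key] = now + delay
        return "denied"


def run_scenario(policy, n_bad=5):
    """Constructed scenario: a third party presents n_bad wrong credentials
    for 'alice' from one source; then alice presents the right credential
    from another source, and the first source tries a correct credential.
    Returns (alice's outcome, the first source's outcome)."""
    for t in range(n_bad):
        policy.attempt("alice", "10.0.0.9", False, now=t)
    owner = policy.attempt("alice", "192.0.2.7", True, now=n_bad + 1)
    same_source = policy.attempt("alice", "10.0.0.9", True, now=n_bad + 1)
    return owner, same_source


if __name__ == "__main__":
    print("hard lockout:", run_scenario(HardLockout()))       # ('locked', 'locked')
    print("per-source:  ", run_scenario(PerSourceBackoff()))  # ('ok', 'throttled')
```

    The general rule the simulation illustrates: any control that closes an
    account on input anyone can supply is a lever for denying service to the
    owner, so the cost of failures should bind to something the owner does
    not share with the party producing them (source, device, session) and
    global limits should slow attempts down rather than close the account.
    Per-source backoff is weaker against failures spread across many sources,
    which is why it is paired with a global rate limit and alerting rather
    than used alone.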

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.40
    ************************
  12. LakeGator
    Risks Digest 31.41

    RISKS List Owner

    Sep 9, 2019 5:44 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 9 September 2019 Volume 31 : Issue 41

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    An Op-Ed from the Future on Election Security (Alex Stamos)
    French air traffic control 'outage' hits UK flights (BBC)
    Voice-mimicking software used in major theft (WashPost)
    Robot hires human being in world first as AI conducts job interview
    (Daily Star)
    Bright Idea --Can't stop... (from News of the Weird, The Guardian)
    Voice-mimicking software used in heist -- in AI first
    (The Straits Times)
    Evading Machine-Learning Malware Classifiers (William Fleshman)
    No, this AI hasn't mastered eighth-grade science (Tiernan Ray)
    Stina Ehrensvärd is creating "a seatbelt for the Internet." (Fortune)
    Apple Finally Breaks Its Silence on iOS Hacking Campaign (WiReD)
    Convicted hacker called to testify to grand jury in Virginia (WashPost)
    Re: How Apple's HomePod turned my friends into rude troglodytes
    (Amos Shapir)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 5 Sep 2019 09:17:15 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: An Op-Ed from the Future on Election Security (Alex Stamos)

    [This is a poignant delicious wonderful RISKS-worthy satirical item
    (truncated here, because you really should read the original on Alex's
    website). Alex apparently wrote it for a less-techie audience that does
    not understand many of the past election fiascoes covered in RISKS and
    elsewhere. Many of them actually appear in the context of Alex's piece --
    which is more than timely (in that it is dated 1 Jan 2021!). Some of the
    URLs have strangely disappeared from my conversion of pdf to ascii here,
    so I urge you to go to the complete text in this URL:
    Election Security PGN]

    Alex's introduction (excerpted):

    Below is a potential *Lawfare* piece from New Year's Day 2021, following a
    not-quite-worst-case scenario of election interference using real
    vulnerabilities in U.S. electoral systems, as well as social media,
    traditional media and the political sphere. For a more thorough discussion
    of weaknesses and recommended mitigations, please see the *election
    security report* <FSI | Cyber - Securing Our Cyber Future>
    from my colleagues and me at Stanford's *Cyber Policy Center*
    <https://cyber.fsi.stanford.edu>. [Alex]

    1 Jan 2021

    New Year's Day is traditionally spent recovering from the previous night's
    revelry. This year, the United States awakens to the greatest New Year's
    hangover in the country's almost 245-year history: a crisis of
    constitutional legitimacy as all three branches of government continue to
    battle over who will take the presidential oath of office later this
    month. This coming Wednesday, Jan. 6, a joint session of Congress will meet
    for what is a *traditionally perfunctory counting*
    <3 U.S. Code § 15 - Counting electoral votes in Congress> of the Electoral College
    votes. With lawsuits still pending in seven states, both major-party
    candidates claiming victory via massive advertising campaigns and the
    president hinting that he might not accept the outcome of the vote, it's
    time to reflect on how everything went so very wrong.

    The first signs of external interference were seen in the spring of 2020.
    As the Democratic primary field narrowed, a group of social media accounts
    that had voiced strong support for particular candidates early on pivoted
    from supporting their first-choice candidates to alleging that the
    Democratic National Committee (DNC) had unfairly rigged the primary. The
    uniform nature of these complaints raised eyebrows, and an investigation by
    Twitter, Google and Facebook *traced the accounts back to American employees
    of a subsidiary of the Sputnik News Agency*
    <https://www.nytimes.com/2019/01/17/business/facebook-misinformation-russia.html>
    -- an English-language media entity owned by the Russian state. Yet as these
    groups were careful not to run political ads and to use U.S. citizens to
    post the content, there was no criminal predicate for deeper law enforcement
    investigations.

    The activity around the election intensified in the summer, when medical
    records for the son of the presumptive Democratic nominee were stolen from
    an addiction treatment center and seeded to the partisan online media. But
    that wasn't all: Less than 24 hours later, *embarrassing photos*
    <https://www.nbcnews.com/tech/tech-news/pennsylvania-man-arrested-will-plead-guilty-celebrity-hacking-n539166>
    from the phone of the incumbent president's single, Manhattanite daughter
    were released on the dark web. While the FBI has remained silent on the
    matter, citing an ongoing investigation, the New York Times recently quoted
    anonymous NSA officials attributing the first leak to Russia's SVR
    intelligence service and the latter to the Chinese Ministry of State
    Security. As to why Russia and China appear to be backing opposing
    candidates, America's adversaries do not necessarily share the same
    geopolitical goals, and it is clear that the Chinese are no longer willing
    to sit on the sidelines of U.S. politics while the Russians interfere.

    This multi-sided foreign interference dominated the headlines throughout the
    last half of the campaign, drawing the media's attention away from
    substantive policy debates and priming the U.S. electorate for the coming
    catastrophe. Election Day 2020 started quietly, with the familiar
    television spots showing images of early lines at polling places, interviews
    with proud citizens wearing `I Voted' footage of volunteers canvassing
    neighborhoods. The first signs of trouble appeared in Miami,
    Ft. Lauderdale, Akron and Cleveland, as poll workers were surprised by the
    unusually large number of mismatches between the voting rolls they had been
    provided and the ID shown by people intending to vote. [...]

    [The rest of this keeps getting better, and ever more scary. It is highly
    recommended. The pithy final paragraph cuts to the chase:

    ``We couldn't have known,'' voices on Capitol Hill have argued again and
    again in the months since the election -- including the Senate majority
    leader. If only there was a way to go back in time and help them
    understand the risks of their inaction.

    Remember, this is a visionary perspective from January 2021.
    It really seems like 20-20 foresight. PGN]

    ------------------------------

    Date: Fri, 6 Sep 2019 13:51:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: French air traffic control 'outage' hits UK flights (BBC)

    UK flights hit by French air control 'outage'

    ------------------------------

    Date: Mon, 9 Sep 2019 09:19:53 +0200
    From: Peter Houppermans <not.f...@houppermans.net>
    Subject: Voice-mimicking software used in major theft (WashPost)

    Source: https://www.washingtonpost.com/tech...micking-software-reportedly-used-major-theft/

    "Thieves used voice-mimicking software to imitate a company executive's
    speech and dupe his subordinate into sending hundreds of thousands of
    dollars to a secret account, the company's insurer said, in a remarkable
    case that some researchers are calling one of the world's first publicly
    reported artificial-intelligence heists.

    The managing director of a British energy company, believing his boss was on
    the phone, followed orders one Friday afternoon in March to wire more than
    $240,000 to an account in Hungary, said representatives from the French
    insurance giant Euler Hermes, which declined to name the company."

    Hmmm. And no other feedback channel was used to verify this - especially
    since the request was deemed "rather strange"?

    ------------------------------

    Date: Thu, 5 Sep 2019 12:39:21 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Robot hires human being in world first as AI conducts job interview
    (Daily Star)

    *Tengai is said to be "bias free" and will only hire the best person for
    the job regardless of ethnicity, age or gender*

    A robot has hired a human being for the first time in history as an AI was
    left to do job interviews. Robotic head Tengai has been commissioned to
    carry out recruitment in the Upplands Bro Municipality, Sweden. Tengai
    resembles a head on a stick, with a friendly looking face beamed onto a
    screen which wraps around his plastic skull.

    The robot was developed by recruitment company TNG together with the tech
    firm Furhat Robotics. He is reported to have hired a man called Anders
    Ornhed, from Jarfalla. Anders has the honour of becoming the first person
    ever to hired by an AI. Swedish radio reported Anders got through the
    interview process with Tengai. He was given the job as digital coordinator
    at the municipality office.

    Tengai is boasted to be `bias free'.

    The robot is not affected by the jobseeker's age, gender or ethnicity -- he
    just wants the best person for the job. [...]

    https://www.dailystar.co.uk/news/world-news/robot-hires-human-being-world-19572551

    ------------------------------

    Date: Sun, 8 Sep 2019 23:32:01 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Bright Idea --Can't stop... (from News of the Weird, The Guardian)

    A Twitter user known only as "Dorothy," 15, was banned from her phone by her
    mom in early August after becoming distracted while cooking and starting a
    fire, but that didn't stop her, reported The Guardian. First she tweeted
    from a Nintendo 3DS gaming device, but Mom caught on quickly and posted that
    the account would be shut down. The next day, Dorothy tweeted from her Wii
    U, assuring followers that while Mom was at work, she'd be looking for her
    phone. Finally, on Aug. 8, with no other options left, Dorothy reached out
    to Twitter from an unlikely source: her family's LG smart refrigerator. "I
    am talking to my fridge what the heck my Mom confiscated all of my
    electronics again," she posted. The post went viral, even prompting LG to
    tweet about it with the hashtag #FreeDorothy. [The Guardian, 8/13/2019]

    ------------------------------

    Date: Sun, 8 Sep 2019 18:33:13 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Voice-mimicking software used in heist -- in AI first
    (The Straits Times)

    Voice-mimicking software used in heist - in AI first

    The precise voice impersonation synthesis method is not identified. The
    incident affirms an emerging business risk, supplementing the ever-growing
    list of CxO fraud techniques and exploits.

    Voice impersonation might be thwarted by multi-factor authentication,
    including face-to-face verification, before payment approval authorization
    completes.

    Each authentication factor introduced into the payment approval life cycle
    adds transactional friction to business effectiveness.

    Business fraud losses rise as technologically-enabled theft becomes more
    sophisticated than carbon-based operators can detect and deter. Can a
    silicon-based operator successfully replace humans at fraud detection with
    a superior AUCROC (area-under-curve, receiver operating characteristic)
    false-positive/negative result?

    Insurance companies are noticing these incidents, and will raise premiums as
    various fraud losses accrue.

    The Risks Digest identifies one voice
    simulator. The Risks Digest affirms the risk
    magnitude to business and government operations.

    ------------------------------

    Date: Mon, 9 Sep 2019 13:18:28 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Evading Machine-Learning Malware Classifiers (William Fleshman)

    [Thanks to Ray Perrault. PGN]

    William Fleshman, 3 Sep 2019
    Evading Machine Learning Malware Classifiers for fun and profit!
    Evading Machine Learning Malware Classifiers

    In this post, I'm going to detail the techniques I used to win the Machine
    Learning Static Evasion Competition announced at this year's DEFCON AI
    Village. The goal of the competition was to get 50 malicious Windows
    Portable Executable (PE) files to evade detection by three machine learning
    malware classifiers. Not only did the files need to evade detection, but
    they also had to maintain their exact original functionality and behavior.
    [...]

    [Nice Work. Beautifully presented. This is indeed a winner! PGN]

    ------------------------------

    Date: Fri, 06 Sep 2019 10:32:01 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: No, this AI hasn't mastered eighth-grade science (Tiernan Ray)

    [I thought these "learning" systems were rather more sophisticated than
    what appears to be the case presented here. Is this actually a house of
    cards?]

    Tiernan Ray, ZDNet, 5 Sep 2019

    Researchers at the Allen Institute for AI have engineered a brilliant
    mash-up of natural language processing techniques that gets high scores on
    Regents exam questions for high school science, but the software is not
    really learning science in the sense most people would think, it's just
    counting words.
    https://www.zdnet.com/article/no-this-ai-hasnt-mastered-eighth-grade-science/

    One of the most mindless features of modern education is standardized
    tests, which require pupils to regurgitate information usually committed to
    memory in rote fashion. Fortunately, a machine has now been made that can
    complete questions on a test about as well as the average student, perhaps
    freeing humans for more worthwhile types of learning.

    Just don't be confused that it has anything to do with learning as you
    typically think of it.

    ------------------------------

    Date: Sat, 7 Sep 2019 22:02:24 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Stina Ehrensvärd is creating "a seatbelt for the Internet."

    The CEO and founder of Yubico, a startup that designs online
    account-securing fobs, says as much as she enthusiastically slaps a package
    on a table at Fortune's offices. Inside the plastic container: Her latest
    product. It's the first Lightning-port compatible hardware security
    key. Translation: the first security fob that works with Apple's latest
    iPhones, generations 5 and later.

    Hardware security keys come highly recommended by security experts. They
    offer an additional layer of protection -- a second-factor, in the parlance
    -- over passwords alone. They're generally more secure than sending a
    one-time code to your phone, or using a random number generating application
    to produce the codes. Services such as Twitter, Facebook, and Dropbox
    support the keys.

    Before one dismisses the notion -- why am I going to stick this dongle into
    my phone every time I want to log into one of my accounts? -- Stina
    anticipates the objection. You only have to stick in the key every so
    often. Google lets you have a 30-day grace period. Other services give you
    more leniency. Besides: What's a minor inconvenience for so much peace of
    mind?

    https://fortune.com/2019/09/07/hardware-security-keys-a-seatbelt-for-the-internet-cyber-saturday/

    ------------------------------

    Date: Sat, 7 Sep 2019 16:40:19 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Apple Finally Breaks Its Silence on iOS Hacking Campaign (WiReD)

    https://www.wired.com/story/ios-hacks-apple-response/

    ------------------------------

    Date: Fri, 6 Sep 2019 15:15:32 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Convicted hacker called to testify to grand jury in Virginia
    (WashPost)

    FALLS CHURCH, Va. -- A convicted hacker who's serving 10 years in prison for
    breaking into computer systems of security firms and law-enforcement
    agencies has been called to testify to a federal grand jury in Virginia.

    Supporters of Jeremy Hammond, part of the Anonymous hacking group, say he's
    been summoned to testify against his will to a grand jury in Alexandria on
    Tuesday. Hammond, who admitted leaking hacked data to WikiLeaks, believes
    the subpoena is related to the investigation of WikiLeaks and its founder
    Julian Assange. Assange is under indictment in Alexandria and the U.S. is
    seeking extradition.

    Prosecutors declined comment.

    Former Army intelligence analyst Chelsea Manning was also called to testify
    to the WikiLeaks grand jury. She refused and is now serving a jail sentence
    of up to 18 months for civil contempt.

    Hammond's supporters say he'll also refuse to testify.

    https://www.washingtonpost.com/nati...7a7596-ce5f-11e9-a620-0a91656d7db6_story.html

    ------------------------------

    Date: Mon, 9 Sep 2019 18:13:39 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: How Apple's HomePod turned my friends into rude troglodytes
    (Wirchenko, RISKS-31.40)

    This seems to be a cultural thing. In Israel (and I guess many other
    countries) this is quite acceptable behavior, especially among good old
    friends.

    Technology just seems to bring the world together in many ways.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.41
    ************************
     
  13. LakeGator

    Risks Digest 31.42

    RISKS List Owner

    Sep 13, 2019 6:59 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 13 September 2019 Volume 31 : Issue 42

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    CIA source pulled from Russia had confirmed Putin ordered 2016 meddling
    (Zack Budryk/The Hill)
    Open Privacy discovers unencrypted patient medical information
    broadcast across Vancouver (Open Privacy Research Society)
    Blockchains and Cryptocurrency (Nick Weaver)
    Bank of America less than charitable to charity that says it was hacked
    (BostonGlobe)
    Sysadmins Scramble to Secure 5M Exim Email Servers (Security Boulevard)
    3-D Printers Could Help Spread Weapons of Mass Destruction
    (Scientific American)
    The Next Generation of Airbus Aircraft Will Track Your Bathroom Visits
    (Time)
    Why a cup of coffee forced a plane to make an unplanned landing (WashPost)
    Chinese police sniff out a fugitive -- literally -- in the case of the
    telltale hot pot (WashPost)
    Apple makes changes to kids app guidelines after criticism from developers
    (WashPost)
    Alabama is penalizing students for leaving football games early.
    Is that normal? (WashPost)
    Sorry, general AI is still a long, long way off (Mary Branscombe)
    Re: Russia-Ukraine power-grid blackout (Gabe Goldberg)
    Re: Robot hires human being in world first as AI conducts job interview
    (Amos Shapir)
    Re: Hackers short-change themselves; 21st century UK NHS (Chris Drewe)
    Re: Tweet from Fridge: possible but probably not in this case
    (Anthony Thorn)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 10 Sep 2019 14:52:01 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: CIA source pulled from Russia had confirmed Putin ordered 2016
    meddling (Zack Budryk/The Hill)

    The Voting News Daily, a news service of Verified Voting

    A CIA asset reportedly pulled from Russia in 2017 played a major role in the
    agency's determination that Russian President Vladimir Putin personally
    ordered Moscow's meddling in the 2016 election, according to *The New York
    Times*. The informant, while not in Putin's inner circle, interacted with
    him regularly and was privy to decision-making at high levels of the Russian
    government, according to The Times. Information on the informant's identity
    was so carefully guarded that it was kept out of then-President Obama's
    daily security briefings in 2016, instead transmitted in separate sealed
    envelopes. In 2016, high-level CIA officials ordered a full review of the
    source's record and grew suspicious he might have become a double agent
    after he rejected an offer of exfiltration from the agency, according to the
    Times. Other officials said these concerns were alleviated when the source
    was offered a second time and accepted.

    [The original source is this:
    Julian E. Barnes, Adam Goldman and David E. Sanger
    CIA Informant Extracted From Russia Had Sent Secrets to U.S. for Decades
    *The New York Times*, 10 Sep 2019 (updated from the previous day)
    Also of related interest are op-ed pieces by Michelle Goldberg and Paul
    Krugman in The NYT on 10 Sep 2019. PGN]

    ------------------------------

    Date: Tue, 10 Sep 2019 08:08:08 -0400
    From: José María /Chema/ Mateos <ch...@rinzewind.org>
    Subject: Open Privacy discovers unencrypted patient medical information
    broadcast across Vancouver (Open Privacy Research Society)

    Press Release: Open Privacy discovers unencrypted patient medical information broadcast across Vancouver

    The Open Privacy Research Society has discovered that the sensitive medical
    information of patients being admitted to certain hospitals across the
    Greater Vancouver Area is being broadcast, unencrypted, by hospital paging
    systems, and that these broadcasts are trivially interceptable by anyone in
    the Greater Vancouver Area.

    The data being broadcast includes the patient's name, age, gender marker,
    diagnosis, their attending doctor and room number. Other broadcasts
    regarding medical tests such as x-rays are often associated with a patient's
    last name or medical number, exposing their progression through hospital
    departments. Some broadcasts appear to contain freeform text, allowing other
    sensitive information to be entered as well. We have been able to confirm
    the authenticity of this data by cross-referencing records with public
    obituaries.

    ------------------------------

    Date: Tue, 10 Sep 2019 13:51:26 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Blockchains and Cryptocurrency (Nick Weaver)

    Nick Weaver has been an occasional contributor to RISKS over the past 23
    years, and is the author of the CACM Inside Risks article #244,

    Risks of Cryptocurrencies, CACM June 2018
    http://www.csl.sri.com/neumann/insiderisks.html -- or directly at
    http://www.csl.sri.com/neumann/cacm244.pdf

    This month's IEEE Computer Society *edge* magazine (September 2019, pp
    23-26, www.computer.org/computingedge) condenses Nick's Silver Bullet
    podcast interview with Gary McGraw, and succinctly updates the
    above-mentioned Inside Risks article. I recommend the *edge* interview for
    anyone unclear about the RISKS-related issues that are associated with
    blockchains and cryptocurrencies.

    PGN

    ------------------------------

    Date: Tue, 10 Sep 2019 20:39:31 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Bank of America less than charitable to charity that says it was
    hacked (BostonGlobe)

    Bank of America less than charitable to charity that says it was hacked - The Boston Globe

    ------------------------------

    Date: Tue, 10 Sep 2019 20:14:17 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Sysadmins Scramble to Secure 5M Exim Email Servers
    (Security Boulevard)

    Sysadmins Scramble to Secure 5M Exim Email Servers - Security Boulevard

    ------------------------------

    Date: Wed, 11 Sep 2019 17:00:06 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: 3-D Printers Could Help Spread Weapons of Mass Destruction
    (Scientific American)

    3-D Printers Could Help Spread Weapons of Mass Destruction

    ``In the mid-1990s boy scout David Hahn used household objects and his
    scientific knowledge to start building a nuclear reactor in his
    backyard. Police and the Environmental Protection Agency stopped him before
    he could finish. Twenty years later, revolutions in manufacturing and
    computing have made projects such as Hahn's a lot more feasible; if he had
    access to a 3-D printer, for example, he might have finished his reactor
    before authorities intervened. Modern technologies also mean one does not
    need to be as smart as Hahn to create at least some kinds of DIY
    weapons. With the right machine and blueprints anyone can build a handgun in
    their living room -- and firearms are just the beginning. Researchers fear
    that artificial intelligence and 3-D printing might one day create, on
    demand, weapons of mass destruction.''

    The WMD Do-It-Yourself kit is a frightening possibility. Can a 3-D printer
    enable WMD deployment of a chemical or biological device?

    Thanks to Graham Allison's efforts, and the Nunn-Lugar Cooperative Threat
    Reduction legislation of 1991, WMD material (enriched uranium and plutonium,
    biological/chemical) became more difficult to acquire as the Soviet Union
    disintegrated. Threat reduction implementation tapered substantially after
    Russia annexed Crimea.
    Nunn-Lugar Cooperative Threat Reduction - Wikipedia

    ------------------------------

    Date: Fri, 13 Sep 2019 21:42:13 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: The Next Generation of Airbus Aircraft Will Track Your Bathroom
    Visits (Time)

    The Next Generation of Airbus Aircraft Will Track Your Bathroom Visits

    ``The Airbus Connected Experience aims to give flight attendants a more
    detailed survey of the cabin, with sensors for such critical data as when
    bathroom soap is running low and how much toilet paper remains in each
    bathroom. But the rethinking of the passenger environment doesn't just stop
    with the lavatory. At each seat, your belt will signal red for unbuckled and
    green when fastened. The goal is faster boarding and departure, dispensing
    with those lap-scrutinizing walk-throughs flight attendants must
    perform. The crew will also have access to information on what's onboard and
    where, like which galley carts contain specific meals, such as pre-orders or
    vegetarian selections.''

    What happens if there's a faulty or intermittent seat belt lock/unlock
    sensor? Will each flier be required to wear an RFID tag that is scanned when
    entering and exiting the toilet? Will airlines compile a passenger
    `compliance score' and use it to raise or lower ticket prices, or deny
    purchase, based on profiled compliance history?

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Fri, 13 Sep 2019 11:18:48 -0400
    Subject: Why a cup of coffee forced a plane to make an unplanned landing
    (WashPost)

    A new safety bulletin from the British government shows that an unplanned
    landing in Ireland was caused by coffee that spilled on a control panel in
    the cockpit. The airline says it is now providing lids for coffee.

    https://www.washingtonpost.com/trav...offee-forced-plane-make-an-unplanned-landing/

    ------------------------------

    Date: Fri, 13 Sep 2019 11:35:07 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Chinese police sniff out a fugitive -- literally -- in the case of
    the telltale hot pot (WashPost)

    China leads the world in facial recognition tech but sometimes police just
    use their noses as well.

    https://www.washingtonpost.com/worl...db31a8-d521-11e9-ab26-e6dbebac45d3_story.html

    ------------------------------

    Date: Fri, 13 Sep 2019 11:36:51 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Apple makes changes to kids app guidelines after criticism from
    developers (WashPost)

    https://www.washingtonpost.com/tech...pp-guidelines-following-criticism-developers/

    ------------------------------

    Date: Fri, 13 Sep 2019 11:37:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Alabama is penalizing students for leaving football games early.
    Is that normal? (WashPost)

    Plenty of schools have incentive programs for students who attend games, but
    ones who give demerits for early exits are harder to find.

    https://www.washingtonpost.com/spor...-leaving-football-games-early-is-that-normal/

    ------------------------------

    Date: Thu, 12 Sep 2019 10:09:19 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Sorry, general AI is still a long, long way off (Mary Branscombe)

    [On the limits of computer searching:]

    Mary Branscombe for 500 words into the future, ZDNet, 12 Sep 2019

    Artificial intelligence might have passed a school science test but when
    everyday tasks are still well beyond its ability, we can't even talk about
    building general purpose AI.
    https://www.zdnet.com/article/sorry-general-ai-is-still-a-long-long-way-off/

    opening text:

    For the last few weeks, we've been watching a plant grow on our windowsill.
    A seed blew into the window box and took root, and started to shoot up.

    There was nothing growing in that end-of-the-window box, so we left it until
    we could see whether it was a weed or a nice plant.

    The seed had been long and black, and the stem grew tall and spindly. Once
    we could see a few leaves, I started searching the web for a plant with a
    long, hairy stem and long, pointed leaves springing alternately from the
    stem, that grow in the UK from long black seeds, that are pointy at one end
    and round at the other.

    If you described that to a botanist or a gardener, they would tell you
    immediately that it was probably a sunflower, but I didn't get any useful
    results from searching by the description. In fact, none of the lists of UK
    plants with hairy stems or alternate leaf-growth patterns that I did find
    included the sunflower.

    It wasn't until we could see the flower forming and looking very like a
    sunflower that I could search for 'sunflower hairy stem' and get a
    description telling me that sunflowers have long, hairy stems and leaves
    growing alternately from the stem. Once I knew what I wanted, the machine
    learning behind the search engine could tell me about it, but it couldn't
    take my description and tell me what I was looking at.

    ------------------------------

    Date: Thu, 12 Sep 2019 18:58:53 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Russia-Ukraine power-grid blackout (WiReD)

    A fresh look at the 2016 blackout in Ukraine suggests that the cyberattack
    behind it was intended to cause far more damage.

    https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/

    ------------------------------

    Date: Tue, 10 Sep 2019 17:32:47 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Robot hires human being in world first as AI conducts job
    interview (RISKS-31.41)

    For the past 20 years or so, many large companies have tried to match
    candidates with positions by automatic processes to scan CV's for keywords;
    this method may be faster, but may miss candidates who would do an excellent
    job, but whose CV does not contain *exactly* the same keywords a manager had
    to come up with to describe the job.

    Thus, much of the interview process is already done by robots; however the
    new method misses an even more important aspect: getting a candidate
    acquainted with the people s/he's going to be working with. (Though in this
    case, the job's description seems to indicate that the newly hired employee
    would be working mainly with robots anyway)

    ------------------------------

    Date: Thu, 12 Sep 2019 22:21:47 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: Hackers short-change themselves; 21st century UK NHS (R 21 41)

    1. The theft of British Airways's customer payment card details in 2018 was
    widely reported, but it seems that the hackers also lost out due to the
    sudden abundance of saleable information reducing the black-market value
    of these details...

    Summary follows. The full article [not included] gives typical black-market
    values for personal details; the title comes from a comment that ``the
    typical profile of cyber-crime victims are well-off, middle-aged
    professionals aged 35-44 with an income above 50,000 pounds [$65,000] in
    managerial positions.''

    https://www.telegraph.co.uk/technology/2019/09/10/rich-smart-sensibly-grown-up-hackers-dream/

    Rich, smart and sensibly grown-up? You're the hackers' dream
    Harry de Quetteville, 10 Sep 2019

    Poor hackers. British Airways's aircraft may be grounded again, but at least
    this time the company knows why: its pilots are on strike. Too often in
    recent years the company has stranded passengers because of mysterious IT
    foul-ups.

    The cost of some of those failures was not always immediately apparent.
    In 2018 half a million BA customers had their payment card details
    stolen.

    It was only later BA was hit with a huge £183m fine for the breach.
    And it now turns out it wasn't just BA and its passengers who suffered.
    Hackers did too.

    So many fraudulent cards hit the market after the data breach at BA (as well
    as others at Marriott, and Ticketmaster) that black market prices collapsed.

    2. RISKS often features the problems of the latest technology, but here's an
    item on the problems of *not* using this. The UK's National Health
    Service (`the envy of the world') still uses fax machines, pagers,
    land-line telephones, etc. for communications, which are obviously not
    ideal for a large organisation dealing with a huge throughput of
    patients, especially as much information is time- and life-critical.
    Some staff unofficially use social networking sites like WhatsApp, but
    there are big RISKS here with patient confidentiality, possibility of
    confusion between personal and work information, no way of sorting
    incoming messages, and so forth.

    Working in health is quite a high-pressure job in general of course, but if
    it's difficult to make contact with other people this just raises stress
    levels and wastes valuable time. This article features a junior doctor,
    Lydia Yarlott, who has come up with a fix (summary follows):

    https://www.cityam.com/wp-content/uploads/2019/09/CITYAM_20190910_NEW.pdf

    > With WhatsApp being seen as a sort of sticking plaster to the
    > communication problem, in true doctor fashion, Yarlott started concocting
    > a cure. With the help of a team of technologists, she has built a secure
    > instant messaging service called Forward Health designed for doctors,
    > nurses, midwives, and other clinicians. Through the app, NHS staff can
    > search by name or role in a hospital or clinic, share patient notes and
    > photos, with everyone working off the same list. On average, the app
    > saves each clinician 43 minutes per shift, which is time that would
    > usually be wasted waiting for a colleague to call them back. It means that
    > doctors can access the info they need anywhere in the hospital, ultimately
    > allowing them to move away from paper notes. It's a simple idea, and
    > remarkable that nothing like this existed in the NHS already, which just
    > goes to show how far behind official hospital technology -- still heavily
    > reliant on pagers -- really is. And it's worrying that old-fashioned and
    > counterintuitive tech is exacerbating existing issues in the NHS, making
    > the working lives of staff even harder. While bringing NHS tech into the
    > modern era is vital, the organisation is such a vast and complex web that
    > updating the system is painfully difficult -- not to mention the fact that
    > [NHS] trusts tend to make standalone decisions, rather than learning from
    > each other.

    ------------------------------

    Date: Fri, 13 Sep 2019 00:33:35 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: *a seatbelt for the Internet* (Fortune, RISKS-31.41)

    A serious issue is [that] your phone's precious single USB socket is rated
    for only a limited amount of plugging in and out, after which it will start
    to fail (bad connection, not all metal plates properly in contact).

    Meaning you won't be able to charge your phone anymore -- spelling the
    certain demise of your phone completely, as it would make more sense to get
    a fast new phone rather than repair an old slow one.

    Mom was right. See what happens after too much `phone s*x'.

    ``Avoid multiple partners'' they say. Well even too much plugging in and out
    'action' with the same partner will lead to `terminal' illness, as was my
    experience with MicroUSB. And I'm not going to increase my `libido' and RISK
    it with my new Type C phone. I'm just not in the mood, OK?

    ------------------------------

    Date: Tue, 10 Sep 2019 10:06:21 +0200
    From: Anthony Thorn <anthon...@atss.ch>
    Subject: Re: Tweet from Fridge: possible but probably not in this case
    (RISKS-31.41)

    Re: "Bright Idea --Can't stop..." (RISKS-31.41)

    This raised some questions in my mind, so here is a little follow-up, from:
    https://www.theguardian.com/technology/2019/aug/13/teen-smart-fridge-twitter-grounded

    "After reports emerged questioning Dorothy's account, LG confirmed that some
    of its fridge models have social media capabilities, but the company could
    not confirm whether Dorothy’s tweet was sent from one.

    ``We don't know if Dorothy actually used an LG smart refrigerator to tweet,
    but yes – it is possible to access Twitter via the web browser on select LG
    smart refrigerator models,'' an LG spokeswoman, Taryn Brucha, said.

    Igor Brigadir, a computer researcher at University College Dublin, reviewed
    the tweets for the Guardian and said that the metadata for Dorothy's Wii U
    and Nintendo tweets showed that the tweets were legitimate. He said others
    had used the devices to post on Twitter in the past.

    But the refrigerator tweet, Brigadir said, most likely did not come from the
    fridge. ``The LG fridge [tweet] was definitely manually created,'' he said.

    Brigadir examined the metadata of the tweets and discovered that they were
    sent through a custom Twitter app. If Dorothy had tweeted from the fridge,
    Brigadir continued, the metadata would probably have said the tweet was sent
    through a browser, not from a fridge.

    Dorothy was able to make it look like she tweeted from the fridge because
    custom apps can be renamed on Twitter to make tweets appear as though they
    were sent from different devices.

    ``For me, the thing that seals it is the fact that nobody else ever made any
    other tweets from that fridge, whereas, for the Wii U and Nintendo clients,
    there's fresh tweets daily,'' Brigadir added.

    [Amos Shapir notes that this is rather old news -- and probably fake:
    https://www.buzzfeednews.com/article/stephaniemcneal/dorothy-fridge-tweets
    PGN]
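    The corroboration check Brigadir describes above, written out as an added example (not code from the Guardian, the RISKS contributors, or Twitter): the source label on a tweet is whatever the posting app is named, so a label is only as trustworthy as the wider record of tweets carrying it. The tweet records, author names and source labels below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of tweet metadata records. The "source" value is the
# client-app label that a developer can rename at will, so on its own it is a
# claim about the sending device, not evidence of it.
SAMPLE_TWEETS = [
    {"author": "dorothy",    "source": "Wii U"},
    {"author": "dorothy",    "source": "Nintendo 3DS"},
    {"author": "other_user", "source": "Wii U"},
    {"author": "another",    "source": "Nintendo 3DS"},
    {"author": "dorothy",    "source": "LG Smart Refrigerator"},
]


def source_profile(tweets):
    """Group tweets by source label and record how many distinct authors and
    how many tweets each label has across the whole sample."""
    profile = defaultdict(lambda: {"authors": set(), "count": 0})
    for tweet in tweets:
        entry = profile[tweet["source"]]
        entry["authors"].add(tweet["author"])
        entry["count"] += 1
    return profile


def assess_source_claim(tweets, source, min_authors=2, min_tweets=2):
    """Rate how well a source label is corroborated by the rest of the record.

    A label used once, by a single account, is an unsupported claim; a label
    that many accounts post through regularly behaves like a real client.
    The thresholds are illustrative, not Twitter's own criteria."""
    entry = source_profile(tweets).get(source)
    if entry is None:
        return "unknown"
    if len(entry["authors"]) >= min_authors and entry["count"] >= min_tweets:
        return "corroborated"
    if entry["count"] == 1 and len(entry["authors"]) == 1:
        return "unsupported"
    return "weak"


if __name__ == "__main__":
    for label in ("Wii U", "Nintendo 3DS", "LG Smart Refrigerator"):
        print(f"{label}: {assess_source_claim(SAMPLE_TWEETS, label)}")
```

On the constructed sample the game-console labels come out as corroborated while the refrigerator label is unsupported, which is the shape of the argument quoted above, not a verdict on the real tweets.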

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.42
    ************************