Risks Digest

Discussion in 'Gator Bytes' started by LakeGator, Apr 25, 2015.

  1. LakeGator (Mostly Harmless Moderator)

    Risks Digest 31.89

    RISKS List Owner

    May 27, 2020 9:54 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Wednesday 27 May 2020 Volume 31 : Issue 89

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Faulty Equipment, Lapsed Training, Repeated Warnings: How a Preventable
    Disaster Killed Six Marines (Propublica)
    A Case for Cooperation Between Machines and Humans (NYTimes)
    COVID-19: 'Evidence Fiasco' (John P.A. Ioannidis)
    The Pandemic Is Exposing the Limits of Science (Bloomberg)
    COVID-19: Half of Canadians think their governments are deliberately hiding
    information (CA National Post)
    White House and Twitter (sundry sources)
    Re: Map Reveals Distrust in Health Expertise Is Winning ... (anthony)
    Re: Misinformation (Amos Shapir)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 27 May 2020 01:13:34 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Faulty Equipment, Lapsed Training, Repeated Warnings: How a
    Preventable Disaster Killed Six Marines (Propublica)

    Faulty Equipment, Lapsed Training, Repeated Warnings: How a Preventable Disaster Killed Six Marines — ProPublica

    The Navy installed touch-screen steering systems to save money.

    Ten sailors paid with their lives.

    “Usually when we have a fault with that system,” Sanchez said, “their
    resolution is to reboot the system.”

    The Navy Installed Touch-screen Steering Systems To Save Money. Ten Sailors Paid With Their Lives.
    Years of Warnings, Then Death and Disaster: How the Navy Failed Its Sailors
    The Inside Story of an American Warship Doomed by Its Own Navy

    ------------------------------

    Date: Wed, 27 May 2020 20:22:04 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: A Case for Cooperation Between Machines and Humans (NYTimes)

    A computer scientist argues that the quest for fully automated robots is
    misguided, perhaps even dangerous. His decades of warnings are gaining more
    attention.

    A Case for Cooperation Between Machines and Humans

    ------------------------------

    Date: Wed, 27 May 2020 11:15:44 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: COVID-19: 'Evidence Fiasco' (John P.A. Ioannidis)

    We were warned about overreaction by an actual epidemic expert.

    Note the date on this article: the *same day* that Prof. Ferguson presented
    his Imperial model to the UK PM Boris Johnson in person -- and the infected
    Ferguson himself probably gave Boris his case of COVID-19! How ironic!
    Ferguson himself a superspreader?

    (You can't make this stuff up. Netflix writers please note this delicious
    detail.)

    In the coronavirus pandemic, we're making decisions without reliable data

    John P.A. Ioannidis, A fiasco in the making? 17 Mar 2020
    As the coronavirus pandemic takes hold, we are making decisions without
    reliable data

    The current coronavirus disease, Covid-19, has been called a
    once-in-a-century pandemic. But it may also be a once-in-a-century evidence
    fiasco.

    At a time when everyone needs better information, from disease modelers and
    governments to people quarantined or just social distancing, we lack
    reliable evidence on how many people have been infected with SARS-CoV-2 or
    who continue to become infected. Better information is needed to guide
    decisions and actions of monumental significance and to monitor their
    impact.

    Draconian countermeasures have been adopted in many countries. If the
    pandemic dissipates -- either on its own or because of these measures --
    short-term extreme social distancing and lockdowns may be bearable. How
    long, though, should measures like these be continued if the pandemic churns
    across the globe unabated? How can policymakers tell if they are doing more
    good than harm?

    Vaccines or affordable treatments take many months (or even years) to
    develop and test properly. Given such timelines, the consequences of
    long-term lockdowns are entirely unknown.

    The data collected so far on how many people are infected and how the
    epidemic is evolving are utterly unreliable. Given the limited testing to
    date, some deaths and probably the vast majority of infections due to
    SARS-CoV-2 are being missed. We don't know if we are failing to capture
    infections by a factor of three or 300. Three months after the outbreak
    emerged, most countries, including the U.S., lack the ability to test a
    large number of people and no countries have reliable data on the prevalence
    of the virus in a representative random sample of the general population.

    This evidence fiasco creates tremendous uncertainty about the risk of dying
    from Covid-19. Reported case fatality rates, like the official 3.4% rate
    from the World Health Organization, cause horror -- and are
    meaningless. Patients who have been tested for SARS-CoV-2 are
    disproportionately those with severe symptoms and bad outcomes. As most
    health systems have limited testing capacity, selection bias may even worsen
    in the near future.

    The one situation where an entire, closed population was tested was the
    Diamond Princess cruise ship and its quarantine passengers. The case
    fatality rate there was 1.0%, but this was a largely elderly population, in
    which the death rate from Covid-19 is much higher.

    Projecting the Diamond Princess mortality rate onto the age structure of the
    U.S. population, the death rate among people infected with Covid-19 would be
    0.125%. But since this estimate is based on extremely thin data -- there
    were just seven deaths among the 700 infected passengers and crew -- the
    real death rate could stretch from five times lower (0.025%) to five times
    higher (0.625%). It is also possible that some of the passengers who were
    infected might die later, and that tourists may have different frequencies
    of chronic diseases -- a risk factor for worse outcomes with SARS-CoV-2
    infection -- than the general population. Adding these extra sources of
    uncertainty, reasonable estimates for the case fatality ratio in the general
    U.S. population vary from 0.05% to 1%.

    That huge range markedly affects how severe the pandemic is and what should
    be done. A population-wide case fatality rate of 0.05% is lower than
    seasonal influenza. If that is the true rate, locking down the world with
    potentially tremendous social and financial consequences may be totally
    irrational. It's like an elephant being attacked by a house cat. Frustrated
    and trying to avoid the cat, the elephant accidentally jumps off a cliff and
    dies.

    Could the Covid-19 case fatality rate be that low? No, some say, pointing to
    the high rate in elderly people. However, even some so-called mild or
    common-cold-type coronaviruses that have been known for decades can have
    case fatality rates as high as 8% when they infect elderly people in nursing
    homes. In fact, such "mild" coronaviruses infect tens of millions of people
    every year, and account for 3% to 11% of those hospitalized in the U.S. with
    lower respiratory infections each winter.

    These "mild" coronaviruses may be implicated in several thousands of deaths
    every year worldwide, though the vast majority of them are not documented
    with precise testing. Instead, they are lost as noise among 60 million
    deaths from various causes every year.

    Although successful surveillance systems have long existed for influenza,
    the disease is confirmed by a laboratory in a tiny minority of cases. In the
    U.S., for example, so far this season 1,073,976 specimens have been tested
    and 222,552 (20.7%) have tested positive for influenza. In the same period,
    the estimated number of influenza-like illnesses is between 36,000,000 and
    51,000,000, with an estimated 22,000 to 55,000 flu deaths.

    Note the uncertainty about influenza-like illness deaths: a 2.5-fold range,
    corresponding to tens of thousands of deaths. Every year, some of these
    deaths are due to influenza and some to other viruses, like common-cold
    coronaviruses.

    In an autopsy series that tested for respiratory viruses in specimens from
    57 elderly persons who died during the 2016 to 2017 influenza season,
    influenza viruses were detected in 18% of the specimens, while any kind of
    respiratory virus was found in 47%. In some people who die from viral
    respiratory pathogens, more than one virus is found upon autopsy and
    bacteria are often superimposed. A positive test for coronavirus does not
    mean necessarily that this virus is always primarily responsible for a
    patient's demise.

    If we assume that case fatality rate among individuals infected by
    SARS-CoV-2 is 0.3% in the general population -- a mid-range guess from my
    Diamond Princess analysis -- and that 1% of the U.S. population gets
    infected (about 3.3 million people), this would translate to about 10,000
    deaths. This sounds like a huge number, but it is buried within the noise of
    the estimate of deaths from "influenza-like illness." If we had not known
    about a new virus out there, and had not checked individuals with PCR tests,
    the number of total deaths due to "influenza-like illness" would not seem
    unusual this year. At most, we might have casually noted that flu this
    season seems to be a bit worse than average. The media coverage would have
    been less than for an NBA game between the two most indifferent teams.

    Some worry that the 68 deaths from Covid-19 in the U.S. as of March 16 will
    increase exponentially to 680, 6,800, 68,000, 680,000 ... along with similar
    catastrophic patterns around the globe. Is that a realistic scenario, or bad
    science fiction? How can we tell at what point such a curve might stop?

    The most valuable piece of information for answering those questions would
    be to know the current prevalence of the infection in a random sample of a
    population and to repeat this exercise at regular time intervals to estimate
    the incidence of new infections. Sadly, that's information we don't have.

    In the absence of data, prepare-for-the-worst reasoning leads to extreme
    measures of social distancing and lockdowns. Unfortunately, we do not know
    if these measures work. School closures, for example, may reduce
    transmission rates. But they may also backfire if children socialize anyhow,
    if school closure leads children to spend more time with susceptible elderly
    family members, if children at home disrupt their parents' ability to work,
    and more. School closures may also diminish the chances of developing herd
    immunity in an age group that is spared serious disease.

    This has been the perspective behind the different stance of the United
    Kingdom keeping schools open, at least until as I write this. In the absence
    of data on the real course of the epidemic, we don't know whether this
    perspective was brilliant or catastrophic.

    Flattening the curve to avoid overwhelming the health system is conceptually
    sound -- in theory. A visual that has become viral in media and social media
    shows how flattening the curve reduces the volume of the epidemic that is
    above the threshold of what the health system can handle at any moment.

    Yet if the health system does become overwhelmed, the majority of the extra
    deaths may not be due to coronavirus but to other common diseases and
    conditions such as heart attacks, strokes, trauma, bleeding, and the like
    that are not adequately treated. If the level of the epidemic does overwhelm
    the health system and extreme measures have only modest effectiveness, then
    flattening the curve may make things worse: Instead of being overwhelmed
    during a short, acute phase, the health system will remain overwhelmed for a
    more protracted period. That's another reason we need data about the exact
    level of the epidemic activity.

    One of the bottom lines is that we don't know how long social distancing
    measures and lockdowns can be maintained without major consequences to the
    economy, society, and mental health. Unpredictable evolutions may ensue,
    including financial crisis, unrest, civil strife, war, and a meltdown of the
    social fabric. At a minimum, we need unbiased prevalence and incidence data
    for the evolving infectious load to guide decision-making.

    In the most pessimistic scenario, which I do not espouse, if the new
    coronavirus infects 60% of the global population and 1% of the infected
    people die, that will translate into more than 40 million deaths globally,
    matching the 1918 influenza pandemic.

    The vast majority of this hecatomb would be people with limited life
    expectancies. That's in contrast to 1918, when many young people died.

    One can only hope that, much like in 1918, life will continue. Conversely,
    with lockdowns of months, if not years, life largely stops, short-term and
    long-term consequences are entirely unknown, and billions, not just
    millions, of lives may be eventually at stake.

    If we decide to jump off the cliff, we need some data to inform us about the
    rationale of such an action and the chances of landing somewhere safe.

    John P.A. Ioannidis is professor of medicine and professor of
    epidemiology and population health, as well as professor by courtesy
    of biomedical data science at Stanford University School of Medicine,
    professor by courtesy of statistics at Stanford University School of
    Humanities and Sciences, and co-director of the Meta-Research
    Innovation Center at Stanford (METRICS) at Stanford University.

    John P.A. Ioannidis <jioa...@stanford.edu> @METRICStanford

    ------------------------------

    Date: Wed, 27 May 2020 05:11:55 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The Pandemic Is Exposing the Limits of Science (Bloomberg)

    *The financial crisis tarnished the field of economics. Will the
    coronavirus do the same for medicine?*

    The 2008 financial crisis led the public to discover the limits of
    economics. The Covid-19 pandemic risks having the same effect on scientists
    and medical doctors.

    Since the start of the outbreak, citizens have struggled to get clear
    answers to some basic questions. Consider masks, for example: The World
    Health Organization *said* <When and how to use masks> early on that there
    was no point in encouraging healthy people to use them, but now most doctors
    agree that widespread mask-wearing is a good idea. There was also confusion
    around lockdowns: In the U.K., scientists *argued* for weeks
    over the merits of closing businesses and keeping people at home -- a
    quarrel that may have cost the country lives. And now that the outbreak is
    fading in Italy, there is growing debate between the country's public health
    experts and doctors over whether the virus has lost strength or remains just
    as deadly.

    These disputes are only natural since we are dealing with a novel
    coronavirus that caught most Western health-care systems off-guard.
    Meanwhile, scientists across the world have raced to share data, and a
    number of companies *have ramped up work*
    <How Close Are We to a Coronavirus Vaccine? Tracking Covid-19 Drugs, Treatments> on
    a vaccine, which could be one of the fastest-developed in human history.

    And yet, the pandemic has reminded us that science -- and medicine in
    particular -- has limits. In a way, the last few months have resembled what
    occurred in the 2008 crisis, as economists fought over the right response to
    the crash. The academic community split between those who said the U.S.
    government should save all large banks and those who said it should let
    Lehman Brothers go bust. In Europe, the controversy centered around whether
    countries should pursue austerity or run large-scale budget deficits. These
    divisions, and the ensuing policy mistakes, dented economists' reputation in
    the eyes of the general public. [...]

    The Pandemic Is Exposing the Limits of Science

    ------------------------------

    Date: Wed, 27 May 2020 05:13:55 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: COVID-19: Half of Canadians think their governments are
    deliberately hiding information (CA National Post)

    *Some also believe conspiracy theories about where the novel coronavirus
    began*

    Half of Canadians believe they're not getting the whole truth from their
    governments about COVID-19, a new poll suggests, and some also believe
    conspiracy theories about where the novel coronavirus began.

    The most recent survey from Leger and the Association for Canadian Studies
    found 50 per cent of respondents felt governments were deliberately
    withholding information about the pandemic of the novel coronavirus, which
    has killed thousands and ground the economy to a halt.

    ``It's staggering, in a period where I believe trust has never been as
    high,'' said Leger vice-president Christian Bourque. [...]
    COVID-19: Half of Canadians think their governments are deliberately hiding information

    ------------------------------

    Date: Wed, 27 May 2020 14:53:49 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: White House and Twitter (sundry sources)

    [I have collected several related items into one. This item is clearly
    relevant in our quest for truth rather than truthiness in RISKS. PGN]

    White House urges harassment, attacks on Twitter employee
    Trump supporters target Twitter employee after fact check

    Twitter 'Deeply Sorry' about Trump's Morning Joe Tweets, Plans Policy 'Changes'
    Twitter 'Deeply Sorry' about Trump's Morning Joe Tweets, Plans New Policy ‘Changes’ to Address ‘Things Like This’ | National Review

    [OK, that's a start -- but talk and tweets are cheap. Let's see the details
    of the changes and how they are enforced. -L]

    Trump threatens to shut down social-media platforms after Twitter put a
    fact-check warning on his false tweets

    [... the First Amendment is specifically designed to prevent such "close
    down" actions. ... L]

    Apparently for the first time, Twitter flags a tweet by Trump -- this time
    his false rants about mail-in ballots -- and added a "get the facts about
    mail-in ballots" link on his tweet.

    Trump flips out on Twitter, right after Twitter fact-checked him for the
    first time (BoingBoing)

    ------------------------------

    Date: Wed, 27 May 2020 11:07:33 +0100
    From: anthony <ant...@youngman.org.uk>
    Subject: Re: Map Reveals Distrust in Health Expertise Is Winning ...
    (Vilkaitis, RISKS-31.88)

    Denying "anecdata" as I call it is also a major problem. Years ago there was
    a program on Radio 4 where they said that government statistics claimed
    "no-one has died from the Rubella vaccine". The program gave an example of a
    boy who had had the vaccine, gone home, slipped into a coma, and died 4
    weeks later. But because government guidelines state that "if it doesn't
    happen within three weeks, it's unrelated", they were adamant that it wasn't
    down to the vaccine. Likewise an example given of a girl who walked into
    the doctor's surgery for the vaccine, left in a wheelchair, and never walked
    again. But oh no, "it can't be the vaccine's fault".

    And I have personal experience of this within my circle of friends -- a
    friend's son had his childhood vaccinations, came home and started behaving
    strangely. It took a week or two before they realised something really was
    wrong and took him to the doctor. To cut a long story short, he had Diabetes
    Insipidus, and despite it starting pretty much at the same time as his
    vaccinations the doctors were adamant that the two were unrelated.

    > Why are the doctors not pushing C?

    Things are changing, slowly ... Aspirin is now recognised as a "must do"
    first response to a heart attack. I know other people who do what you do
    with vitamin C.

    But it really doesn't help the cause of authority when they dismiss the
    vulgate's concerns, especially when those doing the dismissing probably are
    far less knowledgeable than those people who are concerned! "We know best" -
    except they rarely do.

    ------------------------------

    Date: Wed, 27 May 2020 18:26:16 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Misinformation (Maziuk, RISKS-31.88)

    With all due respect to Mr. Maziuk, Dr. Ladkin's point is about taking data
    out of context, then misrepresenting it, e.g., using a single number of
    deaths out of a model's worst case scenario, and presenting it as if that
    was a prediction of what would actually happen.

    The "elephant in the room" is that such misinformation is done for the
    explicit purpose to denigrate scientists, insinuating that "these so-called
    experts don't know what they're talking about!"

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    RISKS Info Page

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <riskinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: The Risks Digest takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    The Risks Digest --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: The RISKS Forum Mailing List (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <Join ACM>

    ------------------------------

    End of RISKS-FORUM Digest 31.89
    ************************

  2. LakeGator (Mostly Harmless Moderator)

    Risks Digest 31.90

    RISKS List Owner

    May 28, 2020 7:53 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 28 May 2020 Volume 31 : Issue 90

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Let's fix 'em before they break -- or are broken (Lali-Larrauri via PGN)
    Sorry, media: You're not victims no matter how much abuse you take --
    Did you know that? (NYPost)
    Concerns as rise of connected cars coincides with sharp increase in
    cyber-attacks (Auto Express)
    How Automated Background Checks Freeze Out Renters (NYTimes)
    Riding the State Unemployment Fraud Wave (Krebs)
    Election Integrity in RISKS (PGN)
    We Don’t Even Have a COVID-19 Vaccine, and Yet the Conspiracies Are Here
    (The Atlantic)
    Re: The Pandemic Is Exposing the Limits of Science (Bob Wilson)
    Risk of Polarisation (Anthony Thorn)
    Re: Ioannidis (Martin Ward)
    Re: misinformation (Dmitri Maziuk, Henry Baker)
    More on the Tweeter and the Tweetee (PGN-pruned from LW and retitled)
    Re: Vitamin C (David Broadbeck)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 28 May 2020 14:22:08 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Let's fix 'em before they break -- or are broken

    An op-ed in *The New York Times* by Upmanu Lali and Paulina Concha Larrauri,
    28 May 2020, is titled "Dam Failures Are a Warning". RISKS for years might
    have more generally written "Damn Failures are a Warning."

    After two recent dam failures, this article notes that "about 25,000 dams
    are considered high or significant hazards if they failed." The final
    paragraph is pithy, and very relevant here:

    "We need a real plan and real money, and we need them soon. The
    coronavirus pandemic, which we are spending billions to battle, should at
    least remind us that a little bit of prevention can avert an enormous
    amount of anguish."

    This is pervasive advice, and should also apply to aging bridges, buildings,
    roads, manufacturing plants, and even computer software and networks.

    ------------------------------

    Date: Thu, 28 May 2020 05:53:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Sorry, media: You're not victims no matter how much abuse you take
    -- Did you know that?

    President John Adams signed a law making it a crime to criticize the
    government; 20 newspaper editors were imprisoned. Andrew Jackson not only
    had his own paper, edited by a member of his cabinet, but it got government
    subsidies. [...]

    https://nypost.com/2020/05/25/sorry-media-youre-not-victims-no-matter-how-much-abuse-you-take/

    ------------------------------

    Date: Thu, 28 May 2020 05:54:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Concerns as rise of connected cars coincides with sharp increase in
    cyber-attacks (Auto Express)

    Cyber-attacks on connected cars rose by 700 per cent between 2010 and 2019,
    according to new analysis, prompting experts to warn that drivers should
    clear all personal data from their cars before selling them.

    Some 67 per cent of new cars registered in the UK are `connected', meaning
    they transmit data to their manufacturer via the Internet. By 2026, it's
    thought that every single new car will be connected, according to research
    by energy comparison site Uswitch.

    The 700 per cent rise in cyber attacks on connected cars is shown by data
    from security firm Upstream. In its most recent report on the subject, the
    company analysed 367 global data-breach incidents between 2010 and 2019
    involving cars, 155 of which took place in 2019 alone - a growth of 99 per
    cent over the previous year.

    One incident in October 2019 saw a mobile phone app Mercedes drivers could
    use to locate and unlock their cars sometimes show other people's
    accounts and vehicle information. The previous month, thieves were caught
    on camera stealing a Tesla in under 30 seconds using a keyless entry hack.
    July 2019 saw an exposed database at Honda allowing anyone to see which of
    its systems had security vulnerabilities, risking 134 million rows of
    employee data.

    Earlier in the year, Toyota suffered two separate cyber attacks in the
    space of five weeks, with the offenders accessing servers that held sales
    information related to 3.1 million customers. [...]

    https://www.autoexpress.co.uk/consu...d-cars-coincides-sharp-increase-cyber-attacks

    ------------------------------

    Date: Thu, 28 May 2020 14:44:24 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How automated background checks freeze out renters (NYTimes)

    Algorithms that scan everything from terror watch lists to eviction records
    spit out flawed tenant screening reports. And almost nobody is watching.

    How Automated Background Checks Freeze Out Renters

    ------------------------------

    Date: Thu, 28 May 2020 05:51:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Riding the State Unemployment Fraud Wave (Krebs)

    When a reliable method of scamming money out of people, companies or
    governments becomes widely known, underground forums and chat networks tend
    to light up with activity as more fraudsters pile on to claim their share.
    And that's exactly what appears to be going on right now as multiple U.S.
    states struggle to combat a tsunami of phony *Pandemic Unemployment
    Assistance* (PUA) claims. Meanwhile, a number of U.S. states are possibly
    making it easier for crooks by leaking their citizens' personal data from
    the very websites the unemployment scammers are using to file bogus claims.

    Last week, the U.S. Secret Service warned of *massive fraud* against state
    unemployment insurance programs
    <U.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs — Krebs on Security>,
    noting that false filings from a well-organized Nigerian crime ring could
    end up costing the states and federal government hundreds of millions of
    dollars in losses.

    Since then, various online crime forums and Telegram chat channels focused
    on financial fraud have been littered with posts from people selling
    tutorials on how to siphon unemployment insurance funds from different
    states. [...]

    Riding the State Unemployment Fraud ‘Wave’ — Krebs on Security

    ------------------------------

    Date: Thu, 28 May 2020 14:22:08 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Election Integrity in RISKS

    I finally decided to update a subsection of my very out-of-date
    http://www.csl.sri.com/neumann/illustrative.pdf summary of RISKS issues, and
    have now created a version that summarizes all of the RISKS items relating
    to Election Integrity. It is 16 pages two-columned in fine print, which
    should give you an idea of how relevant this topic has been in past issues
    of RISKS:

    http://www.csl.sri.com/neumann/risks-voting.pdf

    ------------------------------

    Date: Thu, 28 May 2020 17:45:16 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: We Don’t Even Have a COVID-19 Vaccine, and Yet the Conspiracies Are
    Here (The Atlantic)

    Even as vaccines for the disease are being held up as the last hope for a
    return to normalcy, misinformation about them is spreading.

    We Don’t Even Have a COVID-19 Vaccine, and Yet the Conspiracies Are Here

    ------------------------------

    Date: Thu, 28 May 2020 13:37:03 -0500
    From: Bob Wilson <wil...@math.wisc.edu>
    Subject: Re: The Pandemic Is Exposing the Limits of Science (Bloomberg)

    In recent decades people seem to have adopted a terribly simplified, rather
    lazy, version of science. Consider the word's Latin roots, meaning just
    "knowledge", not something miraculous. One good read is /Failure/, by Stuart
    Firestein, subtitled "Why Science is so Successful".

    The scientific method hopes to approach truth, but not usually in a
    continuous way or by sudden understanding of everything that really matters.
    As a discrete process, it can't quite be described as asymptotic. But
    laymen (or women, we need a new word!) have come to expect that scientists
    have perfect knowledge: The workers themselves generally see many things in
    their results that need to be improved. Think of Newton's theory of
    gravity, and his /Principia/, which were and still are marvelous
    accomplishments: By the late 19th century it was widely recognized that his
    version of gravity was not quite right, and Einstein in both special
    relativity and then (another step forward) general relativity, took care of
    much of what had been worried about. We certainly accept Newton as
    accurately describing what happens if we drop a rock from our hands, but
    NASA needs Einstein's improvements if calculating orbits, engine burn data,
    etc. And nowadays there are discussions about how Einstein's world is still
    not quite right.

    In our current crisis we have tried to collapse the time scale to zero. The
    amount of work and the knowledge gained have both been amazing. But it is
    unreasonable to expect that complete and accurate results would be found by
    now! The population at large has been led to believe that any technology
    that requires you to think is thereby shown to be flawed. I would hope that
    /Risks/ participants would understand how this works and how we need to
    think and learn rather than to expect impossible payoffs! We can
    pray/hope/wish/... for results quickly, but those don't come with
    guarantees, and the answers probably won't be simple!

    My own field is mathematics, where it might be easier to decide that a
    result is really right than in some of the messier parts of our world that
    have to deal with outside facts. But it is really sad to see people who
    should know better seeming to misunderstand the whole way science works.

    ------------------------------

    Date: Thu, 28 May 2020 09:33:12 +0200
    From: Anthony Thorn <anthon...@atss.ch>
    Subject: Risk of Polarisation (Re: Maziuk and Ladkin)

    Regarding the contributions from Mssrs Maziuk and Ladkin; I do hope that the
    polarisation and associated symptoms which we are seeing in U.S. and UK
    politics will not infect RISKS!

    I do not think Prof. Ferguson needs defending, but I was under the
    impression that the "250'000 deaths" estimate, was based on the assumption
    that NO lockdown measures were introduced.

    "Coronavirus: UK changes course amid death toll fears"


    If this forecast contributed to the decision to implement the lockdown it
    certainly saved many lives.

    ------------------------------

    Date: Thu, 28 May 2020 11:44:44 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Ioannidis (re: Baker)

    Back on 17th March John P.A. Ioannidis wrote:

    > In the absence of data, prepare-for-the-worst reasoning leads to extreme
    > measures of social distancing and lockdowns. Unfortunately, we do not know
    > if these measures work.

    I don't know why this ten-week-old piece was included in comp.risks, as if
    it contained current and up-to-date information.

    The *current* situation is that we *do* know which measures work to contain
    the virus! Currently, 45 countries from around the world are winning, with
    the number of new cases per day dropping towards zero. 27 countries are
    "nearly there", while 52 countries (including the UK and the USA) need to
    take action.

    The data is here:

    Countries beating Covid-19 — EndCoronavirus.org

    Back in November 2019 the USA and the UK were determined to be the two
    countries best prepared for a pandemic:
    These are the top 10 countries for pandemic preparedness
    Both countries knew that the pandemic was coming in mid-February; both
    decided to take little or no action. As a result, these two countries now
    have the highest death tolls of all.

    The USA and South Korea recorded their first cases on the same day:
    South Korea immediately introduced a range of effective measures
    including lockdown, extensive testing, contact tracing and isolation.
    As a result the virus was contained with a total number of deaths,
    as of today, of just 269.

    By contrast, the USA has just passed over 100,000 deaths in the same time
    period, and is planning to ease the lockdown while in 20 states the number
    of new cases per day is still increasing.

    It is estimated that over 30,000 deaths in the UK could have been avoided by
    starting the lockdown a week earlier: such is the power of unconstrained
    exponential growth.

    Earlier US lockdown 'could have saved 36,000 lives'

    (In searching for the above article I also discovered that more than 130,000
    deaths in the UK since 2012 could have been prevented if improvements in
    public health policy had not stalled as a direct result of austerity
    cuts. Life is cheap in the UK:
    Austerity to blame for 130,000 ‘preventable’ UK deaths – report)

    ------------------------------

    Date: Thu, 28 May 2020 11:59:03 -0500
    From: dmaziuk <dmitri...@gmail.com>
    Subject: Re: misinformation (RISKS-31.89)

    "I cry wolf because I have an overly sophisticated pile of computer code
    that sometimes indicate a wolf may come"

    Perhaps we the experts should wake up and stop calling a spade a small-scale
    manual earth-moving implement before the sentiment becomes universal and the
    mob reaches for torches and pitchforks.

    ------------------------------

    Date: Thu, 28 May 2020 10:41:19 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: Misinformation (Ladkin, RISKS-31.84-89)

    I think that most experts are all in violent agreement that these
    epidemiological models are 'ill-conditioned', hence *any* noise in the input
    can be dramatically *amplified* in such a way that it can often overwhelm
    any 'answer'. Analogy: those screeching noises that are often heard from
    audio public address systems that have positive feedback; the screeches
    often overwhelm the person speaking.

    Re: network-simulation Monte Carlo models, e.g., the Imperial model:

    Monte Carlo models require enough iterations/runs in order to *average out*
    the sampling noise (so that the 'result' is independent of the particular
    random samples used), *which requires fully "exploring" the nether/tail
    regions of the particular probability density function*.

    The most trivial Monte Carlo model is that of estimating the *mean* of a
    distribution by computing statistics from N samples. How many samples are
    required in order to assure a reasonable estimate of the mean, where by
    'reasonable' I mean an answer good to the first digit or so, *irrespective
    of the random choices made* (one of the most substantial criticisms of the
    Imperial model) ? Answer: N ~ O(distribution variance).

    OK. Let's take an oversimplified 'superspreader' model for R0: 99% of the
    time, R0=2, and 1% of the time, R0=98. The mathematical mean of this
    bimodal distribution is 2.96, and the mathematical variance of this
    distribution is ~91. But I just ran this Monte Carlo model and it takes at
    least 15,000 random samples of this distribution just to get a reasonable
    approximation to just one number -- its mean!

    The reason why so many samples are required is that the relatively rare
    event where R0=98 has to occur often enough to average out against the
    vastly more probable R0=2 events.

    But we're only getting started. R0 appears as the *base* of an exponential
    in various epidemic models -- e.g., (R0)^(a*t), for some constant a.

    But what if we have to sample, e.g., (R0)^10, i.e., a*t=10 -- to compute its
    mean ? How many samples will we need to get a decent approximation ? (Note
    that this is the 10-fold product of independently chosen R0's, so we can't
    simply average numbers like sample^(1/10).)

    So I ran another Monte Carlo experiment to compute the mean of the product
    of 10 samples from our bimodal distribution from above. Even after sampling
    1 billion such products, I still could not converge to even *one* decimal
    digit of the mean, and the population variance was trending to O(10^15).
    (Note that the worst case product has value 98^10 ~ 10^20, but also
    probability (1/100)^10 = 10^(-20).)

    How can we better understand the probabilities of exponentials? Often
    elementary statistics classes don't deal with *products* of random
    variables, much less *exponentials* of random variables. One simple way to
    understand such products and exponentials utilizes *lognormal*
    distributions, which are not bimodal, and have heavy but not fat tails, and
    are tractable. If X=L(m,v) is a lognormal distribution with parameters m,v,
    then the distribution for the exponential X^n is L(n*m,n*v).

    The mean of L(n*m,n*v) is exp(m+v/2)^n; the variance of L(n*m,n*v) is
    exp(2*m+v)^n*(exp(v)^n-1). If we choose m,v to match the mean and variance
    of our bimodal distribution above, then m~-0.1322 and v~2.4348, so the mean
    of X^n is (2.96)^n and the variance of X^n is (2.96)^(2n)*(11.414^n-1) ~
    100^n.

    Since the variance of our lognormal (R0)^10 is ~100^10 = 10 *billion*, it
    could take O(10 billion) random samples to get a reasonable approximation to
    the mean of (R0)^10. I'd be willing to bet that the Imperial model was not
    run 10 billion times, much less 10^15 times (for our bimodal distribution).

    But this is merely one positive feedback loop in such a Monte Carlo network
    simulation. What happens when there are multiple positive feedback loops ?
    How many runs might then be required ?

    The problem here is that our samples have to explore an incredibly wide and
    incredibly shallow distribution, and then accumulate enough weight for each
    sample to guarantee some reasonable accuracy for our result. But even if we
    performed such a computation, what would it mean when the *variance* of the
    distribution is so wide -- hence the weight of any particular value is so
    tiny -- of what practical use is *any* particular value -- e.g., the "mean"?

    This is the reason why "R0" models make no sense in the presence of
    superspreaders -- there is no single 'R0' that captures any useful aspect of
    the behavior of the epidemic.
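
    The sampling argument above can be checked with a short script. What follows
    is an added example, not code from Henry Baker's post and not the Imperial
    model's code. It uses the two-point distribution the post describes (R0 = 2
    with probability 0.99, R0 = 98 with probability 0.01), computes the exact
    mean and variance, the matching lognormal parameters m and v, and the exact
    moments of the n-fold product, and then runs the two Monte Carlo experiments
    the post describes. Going one step beyond the post, tail_share() computes
    exactly how much of the mean of the 10-fold product is carried by draws with
    four or more superspreaders. Function names, sample sizes and seeds are this
    example's own choices.

```python
"""Exact moments vs. Monte Carlo estimates for a 'superspreader' R0 model.

Added example, not code from Henry Baker's post. It uses the two-point
distribution his post describes (R0 = 2 with probability 0.99, R0 = 98 with
probability 0.01); function names, sample sizes and seeds are this example's
own assumptions.
"""
import math
import random

P_SUPER = 0.01               # probability of the superspreader value
R0_LOW, R0_HIGH = 2.0, 98.0


def exact_moments(p=P_SUPER, lo=R0_LOW, hi=R0_HIGH):
    """Exact mean and variance of the two-point distribution."""
    mean = (1 - p) * lo + p * hi
    second = (1 - p) * lo ** 2 + p * hi ** 2
    return mean, second - mean ** 2


def product_moments(n, p=P_SUPER, lo=R0_LOW, hi=R0_HIGH):
    """Exact mean and variance of the product of n independent draws.

    Independence gives E[prod] = E[X]^n and E[prod^2] = E[X^2]^n, so the
    variance is E[X^2]^n - E[X]^(2n). No sampling is needed.
    """
    mean, var = exact_moments(p, lo, hi)
    return mean ** n, (var + mean ** 2) ** n - mean ** (2 * n)


def lognormal_fit(mean, var):
    """(m, v) of the lognormal L(m, v) with the given mean and variance,
    inverting mean = exp(m + v/2) and var = exp(2m + v) * (exp(v) - 1)."""
    v = math.log(1.0 + var / mean ** 2)
    return math.log(mean) - v / 2.0, v


def tail_share(n, k_min, p=P_SUPER, lo=R0_LOW, hi=R0_HIGH):
    """Share of E[product of n draws] carried by draws with >= k_min
    superspreaders, and the probability of such draws.

    The k-th term is C(n,k) p^k (1-p)^(n-k) * hi^k * lo^(n-k); the sum over
    all k is ((1-p) lo + p hi)^n, the exact mean.  Returns (prob, share).
    """
    prob = share = 0.0
    total = ((1 - p) * lo + p * hi) ** n
    for k in range(k_min, n + 1):
        pk = math.comb(n, k) * p ** k * (1 - p) ** (n - k)
        prob += pk
        share += pk * hi ** k * lo ** (n - k) / total
    return prob, share


def _draw(rng, p=P_SUPER, lo=R0_LOW, hi=R0_HIGH):
    return hi if rng.random() < p else lo


def mc_mean(n_samples, seed=1):
    """Sample mean of R0 from n_samples draws: the 'most trivial' Monte Carlo."""
    rng = random.Random(seed)
    return sum(_draw(rng) for _ in range(n_samples)) / n_samples


def mc_product_mean(n_samples, n_factors, seed=1):
    """Sample mean of the product of n_factors independent draws."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n_samples):
        prod = 1.0
        for _ in range(n_factors):
            prod *= _draw(rng)
        total += prod
    return total / n_samples


def relative_error(estimate, exact):
    return abs(estimate - exact) / exact


if __name__ == "__main__":
    mean, var = exact_moments()
    m, v = lognormal_fit(mean, var)
    print(f"exact: mean {mean:.4f}, variance {var:.4f}; lognormal m={m:.4f} v={v:.4f}")
    pm, pv = product_moments(10)
    print(f"10-fold product: mean {pm:.4g}, variance {pv:.3g}")
    prob, share = tail_share(10, 4)
    print(f"draws with >= 4 superspreaders: probability {prob:.2g}, "
          f"share of the mean {share:.1%}")
    est = mc_mean(200_000)
    print(f"MC mean, 2e5 samples: {est:.4f} (rel. err. {relative_error(est, mean):.2%})")
    est10 = mc_product_mean(100_000, 10)
    print(f"MC 10-fold product mean, 1e5 samples: {est10:.4g} "
          f"(rel. err. {relative_error(est10, pm):.0%})")
```

    For the 10-fold product, tail_share() shows that roughly 43 percent of the
    exact mean (2.96^10, about 51,600) is carried by draws containing four or
    more superspreaders, whose total probability is about 2 in a million. A run
    of 100,000 products therefore lands far from the true mean whatever seed is
    used, while 200,000 single draws estimate the mean of R0 itself to within a
    few percent. The exact variance of the 10-fold product is 100^10 - 2.96^20,
    about 10^20, which the sample variance of a finite run badly underestimates.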

    ------------------------------

    Date: Wed, 27 May 2020 20:21:22 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: More on the Tweeter and the Tweetee [PGN-pruned and retitled]

    On FOX News, Zuckerberg Criticizes Twitter For Fact-Checking Trump Tweets
    (Forbes)
    Zuckerberg Criticizes Twitter For Fact-Checking Trump Tweets

    A CNN item:
    Trump signs executive order targeting social media companies - CNNPolitics

    An excellent analysis of this text is online from Daphne Keller of Stanford
    CIS (Center for Internet and Society), at:
    https://docs.google.com/document/d/1JnK80wk4Smcu3lt4TCwajQNTk0_v1sNR-FGhnoMZyWM/preview?pru=AAABcn_S8qw*Hz2b7K-CMUUUEnDU7P0tIA#

    Defying Trump, Twitter Doubles Down on Labeling Tweets
    Defying Trump, Twitter Doubles Down on Labeling Tweets

    Trump's Proposed Order on Social Media Could Harm One Person in Particular:
    Trump (The NYTimes)
    Trump’s Order on Social Media Could Harm One Person in Particular: Donald Trump

    ------------------------------

    Date: Thu, 28 May 2020 15:22:52 -0700
    From: David Broadbeck <david.m...@gmail.com>
    Subject: Re: Vitamin C

    The idea that megadoses of Vitamin C can prevent or cure disease is one of
    those zombie ideas that just keeps popping up, in spite of being refuted
    over and over. Maybe this is because it was originally pushed by Linus
    Pauling, or maybe it's because Vitamin C generally doesn't do any harm.
    Still, it's disappointing to see RISKS pushing this myth.

    While there aren't many studies yet of Vitamin C and COVID-19, for obvious
    reasons, there are lots testing its effect on the common cold. This is a
    pretty representative one:
    Mega-dose Vitamin C in Treatment of the Common Cold: A Randomised
    Controlled Trial - PubMed
    No statistical difference was found, with the placebo group actually
    showing slightly better outcomes than the one that got the C megadoses.

    The FDA has repeatedly warned companies against making outlandish claims
    about Vitamin C's abilities to cure tuberculosis, cancer, Ebola, etc.:
    FDA Warning Letter to The Vitamin C Foundation 4/17/17 | Quackwatch

    Just because it's "natural" doesn't mean it's better.

    [There's no point arguing with a total nonbeliever. However, since
    you have goaded me, here are a few thoughts, that border on less relevance:
    1. I have been told that Linus Pauling's notion of *large* doses of
    Vitamin C was 1000 mg. It took 40 grams a day for Dr. Cathcart.
    2. Many supplements are not providing what is on the label, and some
    are laced with excipients that may be iatrogenic (such as
    polyethylene glycol -- read the labels).
    3. Who is claiming C is a CURE? Having a healthy immune system is
    likely to be one of many *preventive* measures, and a good idea here
    because of the next item.
    4. The most serious cases of the novel corona virus seem to be targeting
    people with already compromised immune systems.
    5. Some in the medical communities are of course likely to be trashing
    or ignoring many things that seem to have documented evidence of being
    helpful, but are not high-priced pharmaceuticals. That is a long-time
    battle. Not too long ago, there were many claims that there was no
    connection between diet and health, no links between smoking and
    health, and of course a former president who believed that ketchup was
    a vegetable. Don't believe everything you hear.
    PGN]

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    RISKS Info Page

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <riskinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: The Risks Digest takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    The Risks Digest --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: The RISKS Forum Mailing List (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <Join ACM>

    ------------------------------

    End of RISKS-FORUM Digest 31.90
    ************************
     
  3. LakeGator

    Risks Digest 31.91

    RISKS List Owner

    May 29, 2020 11:03 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 29 May 2020 Volume 31 : Issue 91

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    The robots that can pick kiwi-fruit (bbc.com)
    Google warns against catch-all rules for high-risk AI (Politico)
    Smart home assistants have a staggering environmental cost (CBC Docs POV)
    New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps
    (The Hacker News)
    GRU aiming at root access vuln in Unix-based email servers (NSA)
    Programming Languages: Developers Reveal What They Love, Loathe, and What
    Pays Best (ZDNet)
    Politico is aggregating reports re contact tracing (Politico)
    China's Virus Apps May Outlast the Outbreak, Stirring Privacy Fears
    (NYTimes)
    Your immunity passport future begins to materialize as airlines call for
    digital ID tracking systems (activistpost)
    Temperature Checks and Desk Shields: CDC Suggests Big Changes to Offices
    (NYTimes)
    The art of the distraction (via Dave Farber)
    Executive order on social media (The White House and Rob Slade)
    Twitter hides two Trump tweets glorifying violence behind warning notice
    (CNN)
    Trump Is Doing All of This For Zuckerberg (The Atlantic)
    New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data
    (The Hacker News)
    Re: Misinformation (Andy Walker)
    Re: More on the Tweeter and the Tweetee (Amos Shapir)
    Re: The Pandemic Is Exposing the Limits of Science (R. G. Newbury)
    Re: Vitamin C (R. G. Newbury, Amos Shapir, Andre Carezia)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 30 May 2020 09:33:11 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: The robots that can pick kiwi-fruit (bbc.com)

    The robots that can pick kiwi-fruit

    "In fields around the world, ripening fruit and vegetables that should be
    getting picked, packaged and shipped to supermarkets were instead at risk of
    being left to rot in their fields. Farmers have been struggling to find the
    people they needed to harvest them."

    The essay cites numerous risks which the farmbot competes against age-old
    human harvesters: non-standardized crop growing techniques, farm
    terrain/geography, vine and fruit/crop structure, packaging produce for
    sale, etc.

    Farmbot deployment requires substantial investment to engineer, prepare, and
    maintain it. No mention of the harvest quantity destroyed or unpicked during
    operation. While substantially immune to insect infestation, software bug
    suppression remains a challenge.

    Industrial-scale farming has a rapacious for-profit appetite, be it animal
    or plant. Government subsidies may promote farmbot deployment as a means to
    suppress migrant worker populations.

    ------------------------------

    Date: Fri, 29 May 2020 8:32:55 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Google warns against catch-all rules for high-risk AI (Politico)

    The European Union should adopt its existing rules for high-risk artificial
    intelligence technology rather than create a whole new rulebook from
    scratch, U.S. tech giant Google told Brussels in its feedback to the EU's
    White Paper for AI. ``Creating a standalone assessment scheme for AI
    systems would risk duplicating review procedures that already govern many
    higher risk products,'' the company said in a 45-page response
    <https://www.politico.eu/wp-content/...-Googles-submission-to-EC-AI-consultation.pdf>
    sent to the European Commission yesterday, adding that this would lead to
    ``needless complexity'' and weaken the Continent's standing in the
    global race for AI supremacy.

    FACIAL RECOGNITION: The Center for Data Ethics and Innovation has put
    together a handy report
    <https://www.politico.eu/wp-content/uploads/2020/05/Snapshot-Paper-Facial-Recognition-Technology.pdf>
    on facial recognition, looking at its uses and potential implications for
    the technology. The main thrust? That facial recognition is here to stay,
    but that there's still not enough regulatory oversight of how it's
    currently used.

    ------------------------------

    Date: Fri, 29 May 2020 05:54:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Smart home assistants have a staggering environmental cost
    (CBC Docs POV)

    There are already 66 million smart assistants in US homes and the number is
    growing daily. But what are we trading for the convenience of turning the
    lights on with our voice? #CBCdocsPOV #TheInternetofEverything

    Director Brett Gaylor looks for an answer with his daughter Layla as they
    learn about the processing power involved in the machine learning powering
    Alexa and the enormous amount of energy it takes.

    Between the massive amount of non-renewable energy required to power their
    web servers and the pollution generated by its delivery service, Amazon's
    carbon footprint continues to grow. In 2019, staff protests prompted
    shareholders to confront management, to demand a plan for climate change
    and a reduction of the company's dependence on fossil fuels.

    The Internet of Everything, from CBC Docs POV is a fast, funny and
    enlightening look at what happens when we opt for the convenience of
    connected ``smart'' objects, without fully understanding the
    consequences for our health, our communities, or the planet. [...]

    ------------------------------

    Date: Fri, 29 May 2020 05:52:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: New Android Flaw Affecting Over 1 Billion Phones Let Attackers
    Hijack Apps (The Hacker News)

    Remember Strandhogg?

    A security vulnerability affecting Android
    <Unpatched Strandhogg Android Vulnerability Actively Exploited in the Wild> that
    malicious apps can exploit to masquerade as any other app installed on a
    targeted device to display fake interfaces to the users, tricking them into
    giving away sensitive information.

    Late last year, at the time of its public disclosure, researchers also
    confirmed that some attackers were already exploiting the flaw in the wild
    to steal users' banking and other login credentials, as well as to spy on
    their activities.

    The same team of Norwegian cybersecurity researchers today unveiled
    <StrandHogg 2.0 - The ‘evil twin’> details of a new critical vulnerability
    (CVE-2020-0096) affecting the Android operating system that could allow
    attackers to carry out a much more sophisticated version of Strandhogg
    attack. [...]
    New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps

    ------------------------------

    Date: Fri, 29 May 2020 8:11:04 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: GRU aiming at root access vuln in Unix-based email servers (NSA)

    NYT article:
    https://www.nytimes.com/reuters/2020/05/28/world/europe/28reuters-cyber-usa-russia.html

    The U.S. National Security Agency on Thursday warned government partners and
    private companies about a Russian hacking operation that uses a special
    intrusion technique to target operating systems often used by industrial
    firms to manage computer infrastructure.
    https://media.defense.gov/2020/May/...erability in Exim Transfer Agent 20200528.pdf

    A security alert published by the NSA on Thursday explains how hackers with
    GRU, Russia's military intelligence, are leveraging a software vulnerability
    in Exim, a mail transfer agent common on Unix-based operating systems, such
    as Linux. The vulnerability was patched last year, but some users have not
    updated their systems to close the security gap.

    Quoting Cress, ``Being able to gain root access to a bridge point into a
    network gives you so much ability and capability to read email, to navigate
    across and maneuver through the network, so it's more about the danger we're
    trying to help people understand.''

    ------------------------------

    Date: Fri, 29 May 2020 12:40:40 -0400 (EDT)
    From: ACM TechNews <technew...@acm.org>
    Subject: Programming Languages: Developers Reveal What They Love, Loathe,
    and What Pays Best (ZDNet)

    Liam Tung, ZDNet, 28 May 2020 via ACM TechNews, 29 May 2020

    A survey of roughly 65,000 developers by coding question-and-answer website
    Stack Overflow found that TypeScript has overtaken Python as the second
    most-preferred programming language, behind Rust. Stack Overflow credits
    TypeScript's growth to Microsoft's adoption of open source software, and to
    bigger and more complex JavaScript and Node.js codebases. The three
    least-popular coding languages in the survey were VBA, Objective-C, and
    Perl. The survey, which also looked at average salaries for developer roles,
    identified the two highest-paid developer professions in the U.S. as
    engineering managers ($152,000 annually) and site reliability engineers
    ($140,000 annually). Data scientists and machine learning specialists earn
    an average of at least $115,000 in the U.S., according to the survey.
    Programming languages: Developers reveal what they love and loathe, and what pays best | ZDNet

    ------------------------------

    Date: Fri, 29 May 2020 8:17:11 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Politico is aggregating reports re contact tracing (Politico)

    Coronavirus Apps

    French App Update, Stats of the Day: Now that local politicians have given
    their approval, the contact-tracing tool will go live on June 2. But if
    recent polls are anything to go by, the French are still torn about whether
    to use the app. Let's leave aside the fact that almost one out of every four
    locals does not have a smartphone. But according to a survey by Data Publica
    in early May, 59 percent of those polled said that they were in
    favor of the StopCovid app. So far, so good, right?
    <SONDAGE - StopCovid : une majorité de Français inquiets de l'utilisation de leurs données par l'application>
    [Poll - StopCovid: a majority of the French are worried about the app's use of their data]

    But in the same survey, 51 percent of people said they were not prepared to
    download the app onto their mobile devices, with only 15 percent (that's a
    very small minority, if Morning Tech is keeping count) of those polled
    saying they would do so. What should we take from this? If the U.K. app
    trial is anything to go by, uptake on these coronavirus apps may prove less
    than ideal, potentially hobbling them even before they really get going.

    The U.K.'s non-app approach: While London rolled out its `track-and-trace'
    system today, the digital tracing tool was nowhere to be seen. Morning Tech
    was told the Brits still hoped to have it available sometime in June (a
    month after it was supposed to be released), but that ongoing issues about
    keeping the bluetooth on people's smartphones working when devices were in
    sleep mode was still an issue. Still, if you had any doubts about if the
    U.K. was taking the coronavirus seriously, the privacy notice in its
    `track-and-trace' system will either put your concerns to rest or make you
    even more nervous. London said it planned to hold on to people's personal
    information for 20 years -- just in case the virus came back sometime in
    the future.

    Dutch go with Google/Apple for app: The design team behind The Netherlands'
    contact-tracing app posted documents detailing their approach on software
    development sharing platform GitHub. The group -- made up of a mix of
    external consultants and government employees -- plan to build their app
    within Google and Apple's framework. The Dutch health ministry quietly
    assembled developers to work on an app after a gameshow-esque app-athon it
    livestreamed to choose a design team fell flat.
    <minvws/nl-covid19-notification-app-design>

    `Old wine in new bottles': That's how Bér Engels of Dutch digital rights
    NGO Bits of Freedom -- which declined to be part of an expert subgroup
    overseeing the app -- described the government's shifting approach. ``The
    Ministry of Health has taken the media uproar of the past few weeks around
    this app as a sign that 1) less transparency during the process means less
    criticism and 2) they'll need to change the public's perception of the app
    and now refers to the `contact-tracing app' as a `notification app', due to
    launch somewhere in July.'' Echoing an earlier intervention by the
    country's data protection watchdog, Engels said he thought that fundamental
    questions still had to be answered, such as whether contact-tracing apps
    really work.
    <Meet the Dutchman who cried foul on Europe’s tracking technology>

    ------------------------------

    Date: Fri, 29 May 2020 18:03:56 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: China's Virus Apps May Outlast the Outbreak, Stirring Privacy Fears
    (NYTimes)

    With the disease there mostly under control, officials are looking for new
    uses for the government software that’s now on many phones.

    China’s Virus Apps May Outlast the Outbreak, Stirring Privacy Fears

    [LW: As predicted. Governments never let go once they have a leash on
    their citizens. PGN]

    ------------------------------

    Date: Fri, 29 May 2020 05:51:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Your immunity passport future begins to materialize as airlines
    call for digital ID tracking systems (activistpost)

    *The world's largest airline trade group has called for immunity passports,
    thermal screening, masks, and physical distancing to be a part of the
    industry's strategy for returning to ``normal'' operations.*

    The International Air Transport Association (IATA), which represents 299
    airlines <Current Airline Members?>, recently issued their publication,
    *Biosecurity for Air Transport: A Roadmap for Restarting Aviation*
    <https://www.iata.org/contentassets/...551013/roadmap-safely-restarting-aviation.pdf>,
    which outlines their strategy to open up air travel as governments begin to
    lift travel restrictions.

    Under a section titled, ``The passenger experience'' and ``Temporary
    biosecurity measures,'' the IATA describes their vision of post-COVID-19
    flights. The organization calls for contact tracing, a controversial method
    of tracking the civilian population to track the spread of COVID-19.
    <"We Need An Army Of Contact Tracers" - Meet The Enforcement Arm Of The "New Normal">

    ``We foresee the need to collect more detailed passenger contact information
    which can be used for tracing purposes,'' the report states. ``Where
    possible, the data should be collected in electronic form, and in advance
    of the passenger arriving at the airport including through eVisa and
    electronic travel authorization platforms.''

    Interestingly, this call for pre-boarding check-in using ``electronic travel
    authorization platforms'' coincides with the recent announcement of the
    Covi-Pass <https://www.covipass.com/> and the Health Pass from Clear
    <https://www.clearme.com/healthpass>, both of which call for a digital ID
    system using biometrics and storing travel, health, and identification data.

    Alexandre de Juniac, IATA's CEO, told Arabian Industry
    that ``a layered approach'' combining multiple measures which are ``globally
    implemented and mutually recognized by governments'' are ``the way forward
    for biosecurity.'' [...]

    <Airlines call for ‘immunity passports’ ahead of industry’s restart>
    Your “Immunity Passport” Future Begins To Materialize As Airlines Call For Digital ID Tracking Systems - Activist Post

    ------------------------------

    Date: Thu, 28 May 2020 21:47:51 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Temperature Checks and Desk Shields: CDC Suggests Big Changes
    to Offices (NYTimes)

    If followed, the guidelines would transform the everyday experience of
    employees across the country, from executives to clerical workers.

    C.D.C. Recommends Sweeping Changes to American Offices

    ------------------------------

    Date: May 29, 2020 at 20:19:19 GMT+9
    From: Bloomberg Technology <nor...@mail.bloombergbusiness.com>
    Subject: The art of the distraction (via Dave Farber)

    Hi all, it's Eric. Donald Trump loves political theater. The president's
    tendency to chase drama first and foremost is obvious even when what he's
    ostensibly trying to do is overhaul decades-old communications regulations.

    For most of the week, Trump has been raging about Twitter Inc.'s decision to
    attach fact-checking disclaimers to messages of his that make baseless
    arguments about voter fraud. On Thursday, the president signed an executive
    order designed to stop social media companies from taking any action against
    misleading or otherwise offensive posts. Such a move was needed, according
    to Trump, ``to protect and uphold the free speech rights of the American
    people.''

    This was the administration's most substantial attack on Section 230 of the
    1996 Communications Decency Act, a law it has had in its sights for quite
    some time. Section 230 provides some legal protections for companies from
    being sued over content their users post to their websites. The law has its
    critics from across the political spectrum; conservatives have been
    increasingly interested in stripping the protections as a way to punish
    companies for allegedly disfavoring the political right. Trump's order would
    potentially narrow Section 230's protections, and increase scrutiny of
    perceived political bias. [...]

    ------------------------------

    Date: Fri, 29 May 2020 10:12:08 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Executive order on social media (The White House)

    Original text:
    https://www.whitehouse.gov/presidential-actions/executive-order-preventing-online-censorship/
    or
    CNN - Breaking News, Latest News and Videos

    Text with annotations and translations below:

    > EXECUTIVE ORDER
    > - - - - - - -
    > PREVENTING ONLINE CENSORSHIP

    In view of the whole situation, this is more than somewhat ironic ...

    > By the authority vested in me as President by the Constitution and the laws
    > of the United States of America, it is hereby ordered as follows:

    > Section 1. Policy. Free speech is the bedrock of American democracy. Our
    > Founding Fathers protected this sacred right with the First Amendment to
    > the Constitution. The freedom to express and debate ideas is the
    > foundation for all of our rights as a free people.

    No problem.

    > In a country that has long cherished the freedom of expression, we cannot
    > allow a limited number of online platforms to hand pick the speech that
    > Americans may access and convey on the internet. This practice is
    > fundamentally un-American and anti-democratic. When large, powerful social
    > media companies censor opinions with which they disagree, they exercise a
    > dangerous power. They cease functioning as passive bulletin boards, and
    > ought to be viewed and treated as content creators.

    "In America, freedom of the press is largely reserved for those who own one."
    - A. J. Liebling

    > The growth of online platforms in recent years raises important questions
    > about applying the ideals of the First Amendment to modern communications
    > technology. Today, many Americans follow the news, stay in touch with
    > friends and family, and share their views on current events through social
    > media and other online platforms. As a result, these platforms function in
    > many ways as a 21st century equivalent of the public square.

    Ah, my beloved Internet, filled with pointless drivel ...

    > Twitter, Facebook, Instagram, and YouTube wield immense, if not
    > unprecedented, power to shape the interpretation of public events; to
    > censor, delete, or disappear information; and to control what people see or
    > do not see.

    "You must use this power only for good, never for evil ..."

    > As President, I have made clear my commitment to free and open debate on the
    > internet. Such debate is just as important online as it is in our
    > universities, our town halls, and our homes. It is essential to sustaining
    > our democracy.

    It's always good to throw in some humour in a tense situation.

    > Online platforms are engaging in selective censorship that is harming our
    > national discourse. Tens of thousands of Americans have reported, among
    > other troubling behaviors, online platforms "flagging" content as
    > inappropriate, even though it does not violate any stated terms of service;
    > making unannounced and unexplained changes to company policies that have the
    > effect of disfavoring certain viewpoints; and deleting content and entire
    > accounts with no warning, no rationale, and no recourse.

    a) There is, of course, no evidence for this assertion, but I feel in my gut
    that it's right.
    b) Those who write their names on bathroom stalls also want laws against wall
    cleansers.

    > Twitter now selectively decides to place a warning label on certain tweets
    > in a manner that clearly reflects political bias. As has been reported,
    > Twitter seems never to have placed such a label on another politician's
    > tweet. As recently as last week, Representative Adam Schiff was continuing
    > to mislead his followers by peddling the long-disproved Russian Collusion
    > Hoax, and Twitter did not flag those tweets. Unsurprisingly, its officer
    > in charge of so-called "Site Integrity" has flaunted his political bias in
    > his own tweets.

    "I want to be able to spread outright lies like these without restrictions."

    > At the same time online platforms are invoking inconsistent, irrational,
    > and groundless justifications to censor or otherwise restrict Americans'
    > speech here at home, several online platforms are profiting from and
    > promoting the aggression and disinformation spread by foreign governments
    > like China. One United States company, for example, created a search
    > engine for the Chinese Communist Party that would have blacklisted
    > searches for "human rights," hid data unfavorable to the Chinese Communist
    > Party, and tracked users determined appropriate for surveillance. It also
    > established research partnerships in China that provide direct benefits to
    > the Chinese military. Other companies have accepted advertisements paid
    > for by the Chinese government that spread false information about China's
    > mass imprisonment of religious minorities, thereby enabling these abuses
    > of human rights. They have also amplified China's propaganda abroad,
    > including by allowing Chinese government officials to use their platforms
    > to spread misinformation regarding the origins of the COVID-19 pandemic,
    > and to undermine pro-democracy protests in Hong Kong.

    SQUIRREL!

    > As a Nation, we must foster and protect diverse viewpoints in today's
    > digital communications environment where all Americans can and should have
    > a voice. We must seek transparency and accountability from online
    > platforms, and encourage standards and tools to protect and preserve the
    > integrity and openness of American discourse and freedom of expression.

    But only for our side.

    > Sec. 2. Protections Against Online Censorship. (a) It is the policy of the
    > United States to foster clear ground rules promoting free and open debate
    > on the internet. Prominent among the ground rules governing that debate is
    > the immunity from liability created by section 230(c) of the
    > Communications Decency Act (section 230(c)). 47 U.S.C. 230(c). It is the
    > policy of the United States that the scope of that immunity should be
    > clarified: the immunity should not extend beyond its text and purpose to
    > provide protection for those who purport to provide users a forum for free
    > and open speech, but in reality use their power over a vital means of
    > communication to engage in deceptive or pretextual actions stifling free
    > and open debate by censoring certain viewpoints.

    "We already have a law."

    > Section 230(c) was designed to address early court decisions holding that,
    > if an online platform restricted access to some content posted by others,
    > it would thereby become a "publisher" of all the content posted on its
    > site for purposes of torts such as defamation. As the title of section
    > 230(c) makes clear, the provision provides limited liability "protection"
    > to a provider of an interactive computer service (such as an online
    > platform) that engages in "'Good Samaritan' blocking" of harmful
    > content. In particular, the Congress sought to provide protections for
    > online platforms that attempted to protect minors from harmful content and
    > intended to ensure that such providers would not be discouraged from
    > taking down harmful material. The provision was also intended to further
    > the express vision of the Congress that the internet is a "forum for a
    > true diversity of political discourse." 47 U.S.C. 230(a)(3). The limited
    > protections provided by the statute should be construed with these
    > purposes in mind.

    "We already have a law."

    > In particular, subparagraph (c)(2) expressly addresses protections from
    > "civil liability" and specifies that an interactive computer service
    > provider may not be made liable "on account of" its decision in "good
    > faith" to restrict access to content that it considers to be "obscene,
    > lewd, lascivious, filthy, excessively violent, harassing or otherwise
    > objectionable." It is the policy of the United States to ensure that, to
    > the maximum extent permissible under the law, this provision is not
    > distorted to provide liability protection for online platforms that -- far
    > from acting in "good faith" to remove objectionable content -- instead
    > engage in deceptive or pretextual actions (often contrary to their stated
    > terms of service) to stifle viewpoints with which they disagree. Section
    > 230 was not intended to allow a handful of companies to grow into titans
    > controlling vital avenues for our national discourse under the guise of
    > promoting open forums for debate, and then to provide those behemoths
    > blanket immunity when they use their power to censor content and silence
    > viewpoints that they dislike. When an interactive computer service
    > provider removes or restricts access to content and its actions do not
    > meet the criteria of subparagraph (c)(2)(A), it is engaged in editorial
    > conduct. It is the policy of the United States that such a provider should
    > properly lose the limited liability shield of subparagraph (c)(2)(A) and
    > be exposed to liability like any traditional editor and publisher that is
    > not an online provider.

    "We'd like to modify that law, without actually getting Congress to change it."

    > (b) To advance the policy described in subsection (a) of this section, all
    > executive departments and agencies should ensure that their application of
    > section 230(c) properly reflects the narrow purpose of the section and
    > take all appropriate actions in this regard. In addition, within 60 days
    > of the date of this order, the Secretary of Commerce (Secretary), in
    > consultation with the Attorney General, and acting through the National
    > Telecommunications and Information Administration (NTIA), shall file a
    > petition for rulemaking with the Federal Communications Commission (FCC)
    > requesting that the FCC expeditiously propose regulations to clarify:

    "We'd like to modify that law, without actually getting Congress to change it."

    > (i) the interaction between subparagraphs (c)(1) and (c)(2) of section 230,
    > in particular to clarify and determine the circumstances under which a
    > provider of an interactive computer service that restricts access to content
    > in a manner not specifically protected by subparagraph (c)(2)(A) may also
    > not be able to claim protection under subparagraph (c)(1), which merely
    > states that a provider shall not be treated as a publisher or speaker for
    > making third-party content available and does not address the provider's
    > responsibility for its own editorial decisions;

    "We'd like to modify that law, without actually getting Congress to change it."

    > (ii) the conditions under which an action restricting access to or
    > availability of material is not "taken in good faith" within the meaning
    > of subparagraph (c)(2)(A) of section 230, particularly whether actions can
    > be "taken in good faith" if they are:

    > (A) deceptive, pretextual, or inconsistent with a provider's terms of
    > service; or

    > (B) taken after failing to provide adequate notice, reasoned explanation,
    > or a meaningful opportunity to be heard; and

    > (iii) any other proposed regulations that the NTIA concludes may be
    > appropriate to advance the policy described in subsection (a) of this
    > section.

    "We'd like to modify that law, without actually getting Congress to change it."

    > Sec. 3. Protecting Federal Taxpayer Dollars from Financing Online
    > Platforms That Restrict Free Speech. (a) The head of each executive
    > department and agency (agency) shall review its agency's Federal spending
    > on advertising and marketing paid to online platforms. Such review shall
    > include the amount of money spent, the online platforms that receive
    > Federal dollars, and the statutory authorities available to restrict their
    > receipt of advertising dollars.

    > (b) Within 30 days of the date of this order, the head of each agency shall
    > report its findings to the Director of the Office of Management and Budget.

    > (c) The Department of Justice shall review the viewpoint-based speech
    > restrictions imposed by each online platform identified in the report
    > described in subsection (b) of this section and assess whether any online
    > platforms are problematic vehicles for government speech due to viewpoint
    > discrimination, deception to consumers, or other bad practices.

    "If we can't change the law, we'll try and hit them in the pocketbook."

    > Sec. 4. Federal Review of Unfair or Deceptive Acts or Practices. (a) It is
    > the policy of the United States that large online platforms, such as
    > Twitter and Facebook, as the critical means of promoting the free flow of
    > speech and ideas today, should not restrict protected speech. The Supreme
    > Court has noted that social media sites, as the modern public square, "can
    > provide perhaps the most powerful mechanisms available to a private
    > citizen to make his or her voice heard." Packingham v. North Carolina, 137
    > S. Ct. 1730, 1737 (2017). Communication through these channels has become
    > important for meaningful participation in American democracy, including to
    > petition elected leaders. These sites are providing an important forum to
    > the public for others to engage in free expression and
    > debate. Cf. PruneYard Shopping Center v. Robins, 447 U.S. 74, 85-89
    > (1980).

    "We've got lots more high-sounding verbiage."

    > (b) In May of 2019, the White House launched a Tech Bias Reporting tool to
    > allow Americans to report incidents of online censorship. In just weeks,
    > the White House received over 16,000 complaints of online platforms
    > censoring or otherwise taking action against users based on their
    > political viewpoints. The White House will submit such complaints
    > received to the Department of Justice and the Federal Trade Commission
    > (FTC).

    "I'm going to tell my base on you!"

    > (c) The FTC shall consider taking action, as appropriate and consistent
    > with applicable law, to prohibit unfair or deceptive acts or practices in
    > or affecting commerce, pursuant to section 45 of title 15, United States
    > Code. Such unfair or deceptive acts or practice may include practices by
    > entities covered by section 230 that restrict speech in ways that do not
    > align with those entities' public representations about those practices.

    "I've got lots of random complaints that we can use to tie up your lawyers!"

    > (d) For large online platforms that are vast arenas for public debate,
    > including the social media platform Twitter, the FTC shall also,
    > consistent with its legal authority, consider whether complaints allege
    > violations of law that implicate the policies set forth in section 4(a) of
    > this order. The FTC shall consider developing a report describing such
    > complaints and making the report publicly available, consistent with
    > applicable law.

    "We'd like to modify that law, without actually getting Congress to change it."

    > Sec. 5. State Review of Unfair or Deceptive Acts or Practices and
    > Anti-Discrimination Laws. (a) The Attorney General shall establish a
    > working group regarding the potential enforcement of State statutes that
    > prohibit online platforms from engaging in unfair or deceptive acts or
    > practices. The working group shall also develop model legislation for
    > consideration by legislatures in States where existing statutes do not
    > protect Americans from such unfair and deceptive acts and practices. The
    > working group shall invite State Attorneys General for discussion and
    > consultation, as appropriate and consistent with applicable law.

    "We'd like to modify that law, without actually getting Congress to change it."

    > (b) Complaints described in section 4(b) of this order will be shared with
    > the working group, consistent with applicable law. The working group shall
    > also collect publicly available information regarding the following:

    > (i) increased scrutiny of users based on the other users they choose to
    > follow, or their interactions with other users;

    > (ii) algorithms to suppress content or users based on indications of
    > political alignment or viewpoint;

    > (iii) differential policies allowing for otherwise impermissible
    > behavior, when committed by accounts associated with the Chinese
    > Communist Party or other anti-democratic associations or governments;

    "I've got lots of random complaints that we can use to tie up your lawyers!"

    > (iv) reliance on third-party entities, including contractors, media
    > organizations, and individuals, with indicia of bias to review content;
    > and

    See "pocketbook," above.

    > (v) acts that limit the ability of users with particular viewpoints to
    > earn money on the platform compared with other users similarly situated.

    "We'll get you in the pocketbook, my pretty, and your little users, too!"

    > Sec. 6. Legislation. The Attorney General shall develop a proposal for
    > Federal legislation that would be useful to promote the policy objectives
    > of this order.

    "We'd like to modify that law, without actually getting Congress to change it."

    > Sec. 7. Definition. For purposes of this order, the term "online platform"
    > means any website or application that allows users to create and share
    > content or engage in social networking, or any general search engine.

    No problem.

    > Sec. 8. General Provisions. (a) Nothing in this order shall be construed to
    > impair or otherwise affect:

    > (i) the authority granted by law to an executive department or agency,
    > or the head thereof; or

    > (ii) the functions of the Director of the Office of Management and
    > Budget relating to budgetary, administrative, or legislative proposals.

    > (b) This order shall be implemented consistent with applicable law and
    > subject to the availability of appropriations.

    > (c) This order is not intended to, and does not, create any right or
    > benefit, substantive or procedural, enforceable at law or in equity by any
    > party against the United States, its departments, agencies, or entities,
    > its officers, employees, or agents, or any other person.

    "They told me I had to put this in, but I don't have to like it ..."

    > DONALD J. TRUMP
    > THE WHITE HOUSE,
    > May 28, 2020.

    ------------------------------

    Date: Fri, 29 May 2020 08:23:15 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Twitter hides two Trump tweets glorifying violence behind warning
    notice (CNN)

    Trump tweets threat that 'looting' will lead to 'shooting.' Twitter put a warning label on it - CNN

    [I fully support Twitter in these actions.]

    ------------------------------

    Date: Fri, 29 May 2020 15:24:48 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Trump Is Doing All of This For Zuckerberg (The Atlantic)

    Trump Is Doing All of This for Zuckerberg

    ------------------------------

    Date: Fri, 29 May 2020 05:53:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate
    Data (The Hacker News)

    Cybersecurity researchers today uncovered a new advanced version of ComRAT
    backdoor, one of the earliest known backdoors used by the Turla APT group,
    that leverages Gmail's web interface to covertly receive commands and
    exfiltrate sensitive data.

    "ComRAT v4 was first seen in 2017 and known still to be in use as recently
    as January 2020," cybersecurity firm ESET said in a report
    <From Agent.BTZ to ComRAT v4: A ten‑year journey | WeLiveSecurity>
    shared with The Hacker News. "We identified at least three targets: two
    Ministries of Foreign Affairs in Eastern Europe and a national parliament in
    the Caucasus region."

    Turla <https://attack.mitre.org/groups/G0010/>, also known as Snake, has
    been active for over a decade with a long history of watering-hole and
    spear-phishing campaigns against embassies and military organizations at
    least since 2004.

    The group's espionage platform started off as Agent.BTZ
    <https://attack.mitre.org/software/S0092/>, in 2007, before it evolved to
    ComRAT <https://attack.mitre.org/software/S0126/>, in addition to gaining
    additional capabilities to achieve persistence and to steal data from a
    local network. [...]

    https://thehackernews.com/2020/05/gmail-malware-hacker.html

    ------------------------------

    Date: Fri, 29 May 2020 13:34:21 +0100
    From: Andy Walker <a...@cuboid.me.uk>
    Subject: Re: Misinformation (Baker, RISKS-31.90)

    Yes, but the response to this has been known for at least 60 years, and
    consists of biasing the samples so that the rare event occurs much more
    frequently but is given less weight. I expect that HB's code that requires
    "at least 15000 samples" includes something rather like

    if random() > 0.99 then sum += 98 else sum += 2 fi

    so that counting 98 occurs roughly 1% of the time. If he replaces that
    by something like

    if random() > x then sum += a else sum += b fi

    where a = 98*0.01/(1-x), b = 2*0.99/x, then for suitable values of x
    [eg x = 2/3] it converges much more quickly. Indeed, for x = 198/296
    it converges immediately. The value x = 0.99 recovers the original.

    " A general Monte Carlo tenet is: never sample from a distribution
    " merely because it arises in the physical context of a problem, for
    " we may be able to use a better distribution in the computations
    " and still get the right answer. "
    [Monte Carlo Methods, Hammersley and Handscomb, Methuen, 1956]

    I'm sure that those making professional use of MC methods know
    all about "importance sampling", "antithetic variables" and the other
    tools of the trade.

    I don't expect anyone to be able to predict [e.g.,] the total number of
    deaths to any great accuracy in advance, but ...

    > This is the reason why "R0" models make no sense in the presence of
    > superspreaders -- there is no single 'R0' that captures any useful aspect of
    > the behavior of the epidemic.

    ... I don't believe that this follows. R0 captures, in a way that can be
    explained to the general population, whether the pandemic is showing
    exponential growth or exponential decay. If there were only one or two
    superspreaders in the world, there might be a problem depending on whether
    or not those very rare people caught the virus and each infected millions.
    In reality, even if they are only one in a thousand, their effects can be
    spread out over the model and estimated to sufficient accuracy. But not in
    naive ways that assume uniformity.

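    The reweighting Andy Walker describes above, as an added Python example that
    is not part of his post or of HB's code (which is not on the page): the
    names weights, per_sample_variance, optimal_x, estimate and
    samples_for_error are chosen here, and the seeded sampler stands in for the
    original. It carries the derivation through for general x and compares the
    naive sampler (x = 0.99) with x = 2/3 and x = 198/296.

```python
import math
import random

# Values from the post: the rare outcome (probability 0.01) adds 98 to the
# running sum, the common outcome (probability 0.99) adds 2.
RARE_VALUE, RARE_PROB = 98.0, 0.01
COMMON_VALUE, COMMON_PROB = 2.0, 0.99


def true_mean():
    """Exact expectation of one naive draw: 0.01*98 + 0.99*2 = 2.96."""
    return RARE_PROB * RARE_VALUE + COMMON_PROB * COMMON_VALUE


def weights(x):
    """Reweighted contributions (a, b) for threshold x, as in the post:
    a = 98*0.01/(1-x), b = 2*0.99/x.  The branch random() > x fires with
    probability 1-x and adds a; the other branch fires with probability x
    and adds b.  The expectation (1-x)*a + x*b equals true_mean() for every
    x in (0, 1), which is what keeps the estimator unbiased."""
    if not 0.0 < x < 1.0:
        raise ValueError("x must lie strictly between 0 and 1")
    a = RARE_VALUE * RARE_PROB / (1.0 - x)
    b = COMMON_VALUE * COMMON_PROB / x
    return a, b


def per_sample_variance(x):
    """Variance of a single reweighted draw; it is zero when a == b, which
    is the 'converges immediately' case (x = 198/296) from the post."""
    a, b = weights(x)
    mean = true_mean()
    return (1.0 - x) * (a - mean) ** 2 + x * (b - mean) ** 2


def optimal_x():
    """Threshold at which a == b: solve 0.98/(1-x) = 1.98/x for x."""
    return COMMON_VALUE * COMMON_PROB / true_mean()  # 1.98/2.96 = 198/296


def estimate(x, n, seed=0):
    """Monte Carlo estimate of the mean from n reweighted draws.
    x = 0.99 reproduces the original naive sampler (a = 98, b = 2)."""
    a, b = weights(x)
    rng = random.Random(seed)  # seeded so that runs are reproducible
    total = 0.0
    for _ in range(n):
        total += a if rng.random() > x else b
    return total / n


def samples_for_error(x, target_se):
    """Number of draws needed for a standard error of target_se: shows why
    the naive sampler needs tens of thousands of samples while the
    reweighted one needs a handful."""
    var = per_sample_variance(x)
    if var == 0.0:
        return 1
    return math.ceil(var / target_se ** 2)


if __name__ == "__main__":
    for x in (0.99, 2.0 / 3.0, optimal_x()):
        a, b = weights(x)
        print(f"x={x:.4f}  a={a:.4f}  b={b:.4f}  "
              f"var={per_sample_variance(x):.6f}  "
              f"estimate(n=1000)={estimate(x, 1000):.4f}  "
              f"samples for se=0.05: {samples_for_error(x, 0.05)}")
```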
    ------------------------------

    Date: Fri, 29 May 2020 13:36:20 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: More on the Tweeter and the Tweetee (RISKS-31.90)

    The NYT article notes about the proposed Trump order "lawyers quickly said
    ... that he was claiming power to do something he does not have the power to
    do".

    Isn't that the very definition of Trump's presidency?

    ------------------------------

    Date: Fri, 29 May 2020 00:29:19 -0400
    From: "R. G. Newbury" <new...@mandamus.org>
    Subject: Re: The Pandemic Is Exposing the Limits of Science (Wilson,
    RISKS-31.90)

    It is also sad to see people who should know better, using models,
    calculated from spurious data using who knows what functions, as definitive
    proof of anything. As someone said: "all models are wrong. Some models are
    useful."

    The definitive explanation of models and calculations continues to be
    xkcd. I will be nit-picky in pointing out that I think the 7th item should
    be labelled 'Average garbage' and not 'Better Garbage'.

    https://xkcd.com/2295/

    ------------------------------

    Date: Fri, 29 May 2020 00:43:06 -0400
    From: "R. G. Newbury" <new...@mandamus.org>
    Subject: Re: Vitamin C (RISKS-31.90)

    Re: Having a healthy immune system: A retrospective study in Indonesia
    strongly implies that having a healthy immune system with lots of free
    Vitamin D is a good indicator of the prognosis and outcome of suffering from
    Wuhan Flu. April 26, 2020.

    Money quote: When controlling for age, sex, and comorbidity, Vitamin D
    status is strongly associated with COVID-19 mortality outcome of cases.

    Patterns of COVID-19 Mortality and Vitamin D: An Indonesian Study
    https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3585561

    Extract:

    98.9% of Vitamin D deficient cases died while only 1.1% of them were active
    cases. 87.8% of Vitamin D insufficient cases died while only 12.2% of them
    were active cases. Only 4.1% of cases with normal Vitamin D levels died
    while 95.9% of them were active cases.

    [This makes sense. Having a strong immune system allows the infected to
    fight off the virus while viral load is low. Vitamin D is not a "cure" for
    anything, but it can be a good defence. Probably true for Vitamin C too.
    RGN]

    ------------------------------

    Date: Fri, 29 May 2020 13:13:59 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Vitamin C (RISKS-31.90)

    The main reason doctors are not keen on prescribing vitamin C in large
    quantities, is not just the lack of benefits by drug companies. IMHO, it
    has more to do with the risk of malpractice suits. Can you imagine what a
    lawyer can do about a prescription, whose main promoter himself describes as
    "an overdose"?

    ------------------------------

    Date: Fri, 29 May 2020 19:49:23 -0300
    From: André Carezia <an...@carezia.srv.br>
    Subject: Re: Vitamin C (RISKS-31.90)

    July, 1949 SOUTHERN MEDICINE & SURGERY 209

    The Treatment of Poliomyelitis and Other Virus Diseases with
    Vitamin C

    Fred R. Klenner, M.D., Reidsville, North Carolina

    IN A PREVIOUS REPORT dealing with the antagonistic properties of ascorbic
    acid to the virus of atypical pneumonia, mention was made of the fact that
    other types of virus infections had responded favorably to vitamin C. This
    paper is to present these findings as well as the results of subsequent
    studies on the virus of poliomyelitis, the viruses causing measles, mumps,
    chickenpox, herpes zoster, herpes simplex and influenza. Further studies
    with the virus of atypical pneumonia will also be discussed.

    These observations of the action of ascorbic acid on virus diseases were
    made independently of any knowledge of previous studies using vitamin C on
    virus pathology, except for the negative report of Sabin after treating
    Rhesus monkeys experimentally infected with the poliomyelitis virus. A
    review of the literature in preparation of this paper, however, presented an
    almost unbelievable record of such studies. The years of labor in animal
    experimentation, the cost in human effort and in "grants," and the volumes
    written, make it difficult to understand how so many investigators could
    have failed in comprehending the one thing that would have given positive
    results a decade ago. This one thing was the size of the dose of vitamin C
    employed and the frequency of its administration. In all fairness it must be
    said that Jungeblut noted on several occasions that he attributed his
    failure of results to the possibility that the strength of his injectable
    "C" was inadequate. It was he who unequivocally said that "vitamin C can
    truthfully be designated as the antitoxic and antiviral vitamin."

    In developing this paper it was felt that, since all virus infections were
    more or less akin, only one of this family would be considered in
    detail. Poliomyelitis, because of its prevalence and the seriousness of the
    problem it presents, was chosen as the disease to be so treated.

    Poliomyelitis is in most instances an acute febrile disease of sudden onset,
    with symptoms of a systemic infection which either abruptly abort or develop
    to hyperesthesia, asymmetry of reflexes and flaccid paralysis or palsies of
    muscle groups. It affects individuals of all ages, but mainly children, as
    do more common childhood diseases to which class it most likely
    belongs. Only slight contact between the carrier of the virus and the
    susceptible person suffices in some cases for the transfer of the causative
    organism. In this respect and also in that the virus can be demonstrated in
    the nasal washings as early as six days before onset of symptoms,
    poliomyelitis resembles measles. We never have an epidemic of poliomyelitis
    preceding an epidemic of measles; the opposite is frequently true. This
    grouping of the virus organisms is too often repeated not to carry some
    significance. For example, atypical pneumonia and influenza are caused by
    closely allied viruses; so are chickenpox, herpes zoster and herpes simplex;
    so are measles, mumps and poliomyelitis. The incubation period depends on
    the mode of entry. In experimental animals, Fraser and others showed that
    the average was 6.6 days with intracerebral inoculation and ten days when
    the intravenous route was used. Howitt mentions that the virus reaches the
    nervous system sooner after intranasal than after intravenous instillations.
    Transmission (Brodie, 1934) is by means of droplets from the mucous membrane
    of the upper respiratory tract. Infection by means of raw milk, human feces
    and house flies is highly improbable.

    The research of Flexner, Clark and Amoss in 1914 proved that poliomyelitis is
    a disease of the entire nervous system, that the sensory ganglia are the
    seats of early and profound histological changes. The disease is significant
    mainly for the paralysis produced through injury to the motor neurons of the
    spinal cord and brain. This is caused by a special affinity of the virus for
    a certain type of nerve tissue. Experiments show the cerebral cortex to be
    the most unsatisfactory site for growth, that large amounts of the virus
    placed in this area are apt to disappear in a short time. Observations in
    monkeys and in man show that the anterior horn cells, particularly those of
    the lumbar cord, are the most favorable sites for proliferation of the
    virus.

    In all clinically ill patients the virus eventually travels in the course of
    its invasion by several channels. The virus can make a direct assault
    through the olfactory bulb, to the brain, medulla and spinal cord. The virus
    can enter the blood stream directly or through the lymph channels. Following
    damage to the natural protective barrier, the choroid plexus, it can make
    its way to the central nervous system, or it can be excreted back onto the
    nasal mucous membrane where it will pick up the direct route of the
    olfactory bulb.

    Clark, Turner and Reynolds (1926, 1927, 1929) concluded that the virus
    chiefly travels by the direct route to the brain. Lennette and Hudson
    (1935) confirmed this theory and reported their studies indicating that
    human infection is chiefly through the nasopharynx. Brodie and others showed that
    by section of the olfactory tracts in monkeys infection by the direct route
    was prevented. It is of more than mere academic interest that while the
    nasal mucosa of the monkey contains branches of the 5th and 7th cranial
    nerves and that in addition, since the virus can readily gravitate from the
    nasopharynx to the tonsil bed with its nerve supply, if the olfactory tracts
    are cut no infection will occur. The most likely explanation is that the
    olfactory is non-medullated, the neurons lie in the nasal mucosa and are
    thus exposed to the virus. The sciatic nerve (Brodie) will transport the
    virus only when it has been injured, suggesting that lack of myelin may
    render the healthy olfactory nerve vulnerable to the virus.

    The most important of the secondary routes of infection is by the excretion
    of the virus from the blood stream onto the nasal mucosa. Lennette and
    Hudson (1934, 1935) demonstrated in monkeys that by sectioning the olfactory
    tracts and then inoculating by the intravenous route with the virus of
    poliomyelitis, they could prevent infection.

    This would fit in with the work of Jungeblut and others that the spread of
    the virus through the central nervous system is along nerve tracts, rather
    than by means of the cerebrospinal fluid, the infection to become manifest
    when the first cell group is reached, and by relays of fibers, reaches the
    mid-brain. Here numerous fiber-paths run in all directions and the virus is
    carried by both motor and sensory axons, causing disease at many levels of
    the brain and cord.

    Since there is always a period of septicemia in the first few days of
    poliomyelitis, it might be that this is the all-important route and that the
    virus is grown on a living tissue, the blood, and then is deposited out on
    the surface of the olfactory bulb. From this we conclude that the time to
    destroy the virus is during this incubation period which varies more with
    virulence and power of multiplication than with size of initial dose.

    The second flanking maneuver of importance is through the choroid plexus. It
    is the function of the choroid plexus and the pial lymphatic vessels to
    exclude the virus present in the blood from the nervous system. Once these
    protective structures are injured, however, the exclusion ceases and
    infection can follow readily. Changes in the structure or function of the
    meningeal choroid plexus complex, too slight to be detected in the
    cerebrospinal fluid or as morphological alterations, materially diminish its
    protective power. Flexner and Amoss injected large doses of the virus
    intravenously, then tested the cerebrospinal fluid and found no virus after
    the first 48 hours; virus in small amounts at the end of 72 hours; after 96
    hours evidence of free access to this system. The virus was still present 19
    days later when paralysis was beginning.

    Poliomyelitis in man is always more severe if exercise is taken at time of
    the infection. Here one must consider the factor of filtration of the virus
    through the choroid plexus as being increased due to the elevation of the
    vascular bed pressure. Also, that, by the acceleration of the blood flow
    caused by greater oxygen demand in physical effort, a marked increase in the
    percentage of the virus deposited on the nasal mucosa would result.

    We must agree with Fairbrother and Hurst that too little consideration
    has been given to the pathology of the nervous system and in particular
    to the drainage of the tissue fluids. These men confirmed the earlier
    work of Schroder, who stressed that the normal flow of these fluids is
    along the perivascular spaces from the center of the cord outward, and
    that any inflammatory exudate occupying these spaces must be swept into
    the pial meshes; further that meningeal infiltration may seem nothing
    more than a drainage of cells from the interior of the cord.
    Fairbrother and Hurst found that meningeal infiltration does not occur
    in monkeys until the perivascular infiltration beginning in the deeper
    vessels reaches the surface.

    The presence of the filterable microorganism or virus of poliomyelitis upon
    the mucous membrane of the nose and throat does not necessarily lead to
    infection. It may give rise to a class of healthy carriers who are
    themselves immune. Amoss and Taylor found a secretion of the mucous membrane
    capable of neutralizing or inactivating the virus, this property absent
    altogether from the secretions of some persons, in those of others present
    at one time and not at another. It is probable that in actively immune
    animals the passage of the neutralizing substance from the blood into the
    cerebrospinal fluid would continue as long as the inflammation present in
    the meninges rendered the structures easily permeable to the protein
    constituents of the blood. This secretion X could not have the properties
    of a true antibody. The virus of poliomyelitis is intracellular from the
    time it invades the terminal cells of the olfactory system until the end of
    the disease, except when crossing the synaptic junctions between cells. This
    explains why the virus cannot be neutralized by antibodies in the
    serum. Further protection is afforded the virus by the functional barrier
    between the circulating blood and the central nervous system.

    Since immunization against poliomyelitis comparable to that against other
    bacterial diseases is still a matter of the future, it suggested itself that
    some antibiotic could be found that would destroy this scourge while in the
    phase of blood-stream invasion. Sabin's negative report on the value of
    ascorbic acid on the poliomyelitis virus stopped Jungeblut's work, but we
    were cognizant of its dramatic effect on the virus causing atypical
    pneumonia, and so kept up hope. These results were so consistently positive
    that we did not hesitate to try its effectiveness against all types of virus
    infections. The frequent administration of massive doses of vitamin C was so
    encouraging in the early days of the 1948 epidemic of poliomyelitis that a
    review of the literature was begun. Heaslip, in the Australian Journal of
    Experimental Biology & Medicine reported a mean urinary output of vitamin C
    under a load test of 19.9 per cent in 60 poliomyelitis cases, as contrasted
    with a mean figure of 44.3 per cent in 45 healthy contacts. This was
    suggestive of some relationship between the degree of vitamin C saturation
    and the infectious and non-infectious state. He was also able to show a
    correlation between the severity of the attack and the level of urinary
    excretion of the vitamin. This would indicate that a deficiency of vitamin C
    in the diet predisposed to infection and to severity of attack. Sabin
    reported no appreciable difference in infectivity of poliomyelitis in
    monkeys with much or no vitamin C in the diet. Many others, however, have
    reported that a "deficient vitamin C nutrition increases susceptibility to
    infection," and many others that animals dying from the effects of the
    poliomyelitis virus show a reduction of vitamin C in the tissues. Heaslip
    found a definite relationship between the severity of the infection and the
    level of vitamin C nutrition. It is consistent with accepted physiological
    action of vitamin C to expect an anti-edema effect in any given affected
    area. It is worthy of note that bacterial toxins can cause losses of from 50
    to 85 per cent of the vitamin C normally contained in the
    adrenals. Jungeblut's investigations seemed to justify the conclusion that
    vitamin C was the "antibiotic" that would destroy the virus organism. He
    stated that the prophylactic and therapeutic administration of synthetic or
    natural vitamin C had given evidence of having distinct therapeutic
    properties in experimental poliomyelitis, and that the proper injection dose
    was directly proportional to the speed of the infection and the stage at
    which the process had arrived. Jungeblut stated in 1937 that the parenteral
    administration of natural vitamin C during its incubation period of
    poliomyelitis in monkeys is always followed by a distinct change in the
    severity of the disease; that after the fifth day of the disease distinctly
    larger doses are required. He realized, at that early date, that for a fast
    progressing infection such as results from the R. M. V. strain, very large
    doses -- 400 mg. crystalline C maximum in a 24-hour period -- of vitamin C
    would be required; for the Aycock virus with its slower infection potential
    small amounts of the vitamin would suffice. Even with almost infinitesimal
    amounts -- 100 mg. ascorbic acid for each 24-hour period -- he was able to
    demonstrate that the non-paralytic survivors in one series were six times as
    great as in the controls. In our work we shall speak of six, ten and 20
    thousand mg. in a similar time period.

    Harde et al. reported that diphtheria toxin is inactivated by vitamin C
    in vitro and to a lesser extent in vivo. I have confirmed this finding,
    indeed extended it. Diphtheria can be cured in man by the
    administration of massive frequent doses of hexuronic acid (vitamin C)
    given intravenously and/or intramuscularly. To the synthetic drug, by
    mouth, there is little response, even when 1000 to 2000 mg. is used
    every two hours. This cure in diphtheria is brought about in half the
    time required to remove the membrane and give negative smears by
    antitoxin. This membrane is removed by lysis when "C" is given, rather
    than by sloughing as results with the use of the antitoxin. An
    advantage of this form of therapy is that the danger of serum reaction
    is eliminated. The only disadvantage of the ascorbic acid therapy is
    the inconvenience of the multiple injections. This concept of the
    action of vitamin C against certain toxins has led to treating other
    diseases producing exotoxins. For years it has been our knowledge that
    vitamin C in 500 to 1000 mg. doses injected I. M. would cure bacillary
    dysentery of the Shiga type. Children having 10 to 15 bloody stools per
    day have cleared in 48 hours under this schedule while at the same time
    reverting to normal feedings. This dual action of vitamin C against
    certain toxins and the virus organism becomes more intelligible with
    the work of Kligler, Warburg and others who believed that the
    detoxification effected by hexuronic acid is brought about by a direct
    combination of the vitamin with the toxin or virus, this followed by
    oxidation of the new compound which destroys both the virus or toxin
    and the vitamin. Borsook et al. decided that the main chemical action
    of ascorbic acid is as a powerful reducing agent, and the virus causing
    poliomyelitis is known to be susceptible to the oxidizing action of
    various agents. It is in point here to remark that vitamin C is an
    integral part of the oxidation-reduction system of the body, thus
    playing a definite part in natural resistance.

    In the poliomyelitis epidemic in North Carolina in 1948, 60 cases of this
    disease came under our care. These patients presented all or almost all of
    these signs and symptoms: Fever of 101 to 104.6°, headache, pain at the back
    of the eyes, conjunctivitis, scarlet throat; pain between the shoulders, the
    back of the neck, one or more extremity, the lumbar back; nausea, vomiting
    and constipation. In 15 of these cases the diagnosis was confirmed by lumbar
    puncture; the cell count ranging from 33 to 125. Eight had been in contact
    with a proven case; two of this group received spinal taps. Examination of
    the spinal fluid was not carried out in others for the reasons: (1) Flexner
    and Amoss had warned that "simple lumbar puncture attended with even very
    slight hemorrhage opens the way for the passage of the virus from the blood
    into the central nervous system and thus promotes infection." (2) A patient
    presenting all or almost all of the above signs and symptoms during an
    epidemic of poliomyelitis must be considered infected with this virus. (3)
    Routine lumbar puncture would have made it obligatory to report each case as
    diagnosed to the health authorities. This would have deprived myself of
    valuable clinical material and the patients of most valuable therapy, since
    they would have been removed to a receiving center in a nearby town.

    The treatment employed was vitamin C in massive doses. It was given like any
    other antibiotic every two to four hours. The initial dose was 1000 to 2000
    mg., depending on age. Children up to four years received the injections
    intramuscularly. Since laboratory facilities for whole blood and urine
    determinations of the concentration of vitamin C were not available, the
    temperature curve was adopted as the guide for additional medication. The
    rectal temperature was recorded every two hours. No temperature response
    after the second hour was taken to indicate the second 1000 or 2000 mg. If
    there was a drop in fever after two hours, two more hours was allowed before
    the second dose. This schedule was followed for 24 hours. After this time
    the fever was consistently down, so the drug was given 1000 to 2000
    mg. every six hours for the next 48 hours. All patients were clinically well
    after 72 hours. After three patients had a relapse the drug was continued
    for at least 48 hours longer -- 1000 to 2000 mg. every eight to 12
    hours. Where spinal taps were performed, it was the rule to find a reversion
    of the fluid to normal after the second day of treatment.

    For patients treated in the home the dose schedule was 2000 mg. by needle
    every six hours, supplemented by 1000 to 2000 mg. every two hours by
    mouth. The tablet was crushed and dissolved in fruit juice. All of the
    natural "C" in fruit juice is taken up by the body; this made us expect
    catalytic action from this medium. Rutin, 20 mg., was used with vitamin C by
    mouth in a few cases, instead of the fruit juice. Hawley and others have
    shown that vitamin C taken by mouth will show its peak of excretion in the
    urine in from four to six hours. Intravenous administration produces this
    peak in from one to three hours. By this route however, the concentration in
    the blood is raised so suddenly that a transitory overflow into the urine
    results before the tissues are saturated. Some authorities suggest that the
    subcutaneous method is the most conservative in terms of vitamin C loss but
    this factor is overwhelmingly neutralized by the factor of pain inflicted.

    Two patients in this series of 60 regurgitated fluid through the nose.
    This was interpreted as representing the dangerous bulbar type. For a
    patient in this category postural drainage, oxygen administration, in
    some cases tracheotomy, needs to be instituted, until the vitamin C has
    had sufficient time to work—in our experience 36 hours. Failure to
    recognize this factor might sacrifice the chance of recovery. With
    these precautions taken, every patient of this series recovered
    uneventfully within three to five days.

    In the treatment of other types of virus infections the same "fluid" dose
    schedule was adopted. In herpes zoster 2000 to 3000 mg. of vitamin C was
    given every 12 hours, this supplemented by 3000 mg. in fruit juice by mouth
    every two hours. Eight cases were treated in this series, all of
    adults. Seven experienced cessation of pain within two hours of the first
    injection and remained so without the use of any other analgesic
    medication. Seven of these cases showed drying of the vesicles within 24
    hours and were clear of lesions within 72 hours. They received from five to
    seven injections. One patient, a diabetic, stated that she was always
    conscious of an uncomfortable feeling, but that it was not an actual
    pain. Although nine-tenths of the vesicles cleared in the usual 72-hour
    period, she was given 14 injections, the last seven of only 1000 mg. This
    extra therapy was given because of a small ulceration, an inch in diameter,
    secondarily infected by rupture of the vesicles by a corset stave prior to
    the first visit. Vitamin C apparently had no effect on this lesion, which
    was healed in two weeks under compound tincture of benzoin locally and
    penicillin and sulfadiazine by mouth. (The patient objected to taking
    penicillin by needle.) One of the patients, a man of 65, came to the office
    doubled up with abdominal pain and with a history of having taken opiates
    for the preceding 36 hours. He gave the impression of having an acute
    surgical condition. A massive array of vesicles extended from the dorsal
    nerve roots to the umbilicus, a hand's breadth wide. He was given 3000
    mg. of vitamin C intravenously and directed to return to the office in four
    to five hours. It was difficult to convince him that his abdominal pain was
    the result of his having "shingles." He returned in four hours completely
    free of pain. He was given an additional 2000 mg. of vitamin C, and
    following the schedule given above he recovered completely in three days.

    In herpes simplex it is important to continue the treatment for at least 72
    hours. We have seen "fever blisters" that appeared healed after two
    injections recur when therapy was discontinued after 24 hours. Vitamin C in
    a strength of 1000 mg. per 10 c.c. of buffered solution gave no response
    when applied locally. This was true no matter how often the applications
    were made. In several cases 10 mg. of riboflavin by mouth t.i.d. in
    conjunction with the vitamin C injections appeared to cause faster healing.

    Chickenpox gave equally good response, the vesicles responding in the same
    manner as did those of herpes. These vesicles were crusted after the first
    24 hours, and the patient well in three to four days. We interpreted this
    similarity of response in these three diseases to suggest that the viruses
    responsible were closely related to one another.

    Many cases of influenza were treated with vitamin C. The size of the
    dose and the number of injections required were in direct proportion to
    the fever curve and to the duration of the illness. Forcing of fruit
    juice was always recommended, because of the frequency and ease of
    reinfection during certain periods of the year.

    The response of virus encephalitis to ascorbic acid therapy was
    dramatic. Six cases of virus encephalitis were treated and cured with
    vitamin C injections. Two cases were associated with virus pneumonia; one
    followed chickenpox, one mumps, one measles and one a combination of measles
    and mumps. In the case that followed the measles-mumps complex, definite
    evidence was found to confirm the belief that massive, frequent injections
    are necessary in treating virus infections with vitamin C. This lad of eight
    years was first seen with a temperature of 104°. He was lethargic, very
    irritable when molested. His mother said he had gradually developed his
    present clinical picture over the preceding four or five days. His first
    symptom was anorexia which became complete 36 hours before his first
    examination. He next complained of a generalized headache, later he became
    stuporous. Although very athletic and active, he voluntarily took to his
    bed. He was given 2000 mg. of vitamin C intravenously and allowed to return
    home because there were no available hospital accommodations. His mother was
    asked to make an hourly memorandum of his conduct until his visit set for
    the following day. Seen 18 hours after the initial injection of vitamin C,
    the memorandum revealed a quick response to the antibiotic -- after two
    hours he asked for food and ate a hearty supper, then played about the house
    as usual and then, for several hours, he appeared to have completely
    recovered. Six hours following the initial injection, he began to revert to
    the condition of his first visit. When seen the second time temperature was
    101.6°, he was sleepy but he would respond to questions. The rude
    irritability shown prior to the first injection was strikingly absent. A
    second injection of 2000 mg. vitamin C was given intravenously and 1000
    mg. of "C" prescribed every two hours by mouth. The next day he was fever
    and symptom-free. As a precautionary measure a third 2000 mg. was given with
    direction to continue the drug by mouth for at least 48 hours. He has
    remained well since. A lad of 12 years had generalized headache a week after
    having mumps, this followed by malaise, and in 12 hours a lethargic state
    and a fever of 105°. Admitted to hospital he was given 2000 mg. of vitamin C
    then, and 1000 mg. every two hours. Following the third injection he was
    sitting up in bed, laughing, talking, begging for food and completely
    without pain. He was discharged 24 hours following admission clinically
    well. Since relapses do occur if the drug is discontinued too soon, he was
    given 2000 mg. of vitamin C every 12 hours for two additional days.

    The use of vitamin C in measles proved to be a medical curiosity. During an
    epidemic vitamin C was used prophylactically and all those who received as
    much as 1000 mg. every six hours, by vein or muscle, were protected from the
    virus. Given by mouth, 1000 mg. in fruit juice every two hours was not
    protective unless it was given around the clock. It was further found that
    1000 mg. by mouth, four to six times each day, would modify the attack; with
    the appearance of Koplik's spots and fever, if the administration was
    increased to 12 doses each 24 hours, all signs and symptoms would disappear
    in 48 hours. If the drug was discontinued or reduced to three or four doses
    each 24 hours following the disappearance of Koplik's spots, within another
    48-hour period the fever, the conjunctivitis and Koplik's spots would be
    back.

    It was our privilege to observe this picture over and over in two little
    volunteer girls for 30 days. These "research helpers" were my own little
    daughters. The measles virus was eventually destroyed in this instance by
    continuing 12,000 mg. by mouth each 24 hours for four days. We interpreted
    this result to indicate that on withdrawing the drug with the cessation of
    signs and symptoms, a small quantity of the virus remained, which after
    another incubation period produced anew the first stage of measles; when the
    drug was continued beyond the clearing stage the virus was destroyed in
    toto. No case of post-measles bronchopneumonia was seen. The "measles-cough"
    of measles bronchitis was over with after three or four 1000 mg. injections
    of "C" at 6-hour intervals. This was true even when other medications well
    above the calculated dose range for cough had had no effect. Whenever a
    patient presented a mixed-virus infection, such as receding mumps and
    developing measles, it was found that double the calculated dose of vitamin
    C was necessary to obtain the usual results.

    Of mumps, 33 cases were treated with ascorbic acid. When vitamin C was given
    at the peak of the infection the fever was gone within 24 hours, the pain
    within 36 hours, the swelling in 48 to 72 hours. Two cases were complicated
    with orchitis. A young man of 23 years developed bilateral orchitis one
    Friday morning, by seven o'clock that night he was in severe pain, had a
    fever of 105° and was nursing testicles the size of tennis balls. Vitamin C
    was started at this time—1000 mg. every two hours, intravenously. The pain
    began to subside following the first injection and ceased in 12 hours. There
    was no fever after 36 hours. The patient was out of bed feeling his old
    self after 60 hours. He had received 25,000 mg. of "C" in this 60-hour
    period. An experiment involving three cousins: One, a boy of seven, had the
    old routine of bed rest, aspirin, and warm camphor oil applications and
    iodex to the swollen glands. This child had a rough time for a week. A
    second boy, aged 11, was allowed to develop mumps to the point of maximum
    swelling without any therapy, then given vitamin C, 1000
    mg. intramuscularly, every two to four hours. This lad was entirely well in
    48 hours. To the third patient, a girl of 9, vitamin C was given on the up
    curve when the swellings were 60 per cent of the expected, and the
    temperature recorded at 102.3°. The dose was 1000 mg. of vitamin C given
    intravenously every four hours. This child was well and remained so from the
    third day of treatment.

    Further studies on virus pneumonia showed that the clinical response was
    better when vitamin C was given to these patients according to the dose
    schedule outlined for poliomyelitis. Where pneumonitis was demonstrated, the
    clearing of the chest film was parallel with the clinical recovery. In cases
    of consolidation of entire lobes the x-ray clearing lagged days behind the
    clinical response. In these cases 1000 mg. of "C" should be given every 12
    hours for at least a week after the patient is apparently well. There was no
    change in the results as given in a previous paper; the patients were well
    in the third day of treatment.

    In using vitamin C as an antibiotic no factor of toxicity need be
    considered. To confirm this observation 200 consecutive hospital patients
    were given ascorbic acid, 500 to 1000 mg. every four to six hours, for five
    to ten days. One volunteer received 100,000 mg. in a 12-day period. It must
    be remembered that 90 per cent of these patients did not have a virus
    infection to assist in destroying the vitamin. In no instance did
    examination of the blood or urine indicate any toxic reaction, and at no
    time were there any clinical manifestations of a reaction to the drug. When
    vitamin C was given by mouth one per cent of these patients vomited shortly
    after taking the drug. In half of these cases the vomiting was controlled by
    increasing the carbohydrate content of the mixture. This reaction was not
    interpreted as representing a toxic manifestation; rather it was thought to
    be due to a hypersensitive gastric mucosa. The dose was reduced from 1000 to
    100 mg. in young children showing this complex; vomiting occurred as
    before. However, in these same patients administration of massive, frequent
    doses of vitamin C by needle effected a cure of the infection without
    causing vomiting.

    From a review of the literature one can safely state that in all instances
    of experimental work with ascorbic acid on the virus organism the amount of
    virus used was beyond the range of the administered dose of this vitamin. No
    one would expect to relieve kidney colic with a five-grain aspirin tablet;
    by the same logic we cannot hope to destroy the virus organism with doses of
    vitamin C of 10 to 400 mg. The results which we have reported in virus
    diseases using vitamin C as the antibiotic may seem fantastic. These
    results, however, are no different from the results we see when
    administering the sulfa, or the mold-derived drugs against many other kinds
    of infections. In these latter instances we expect and usually get 48- to
    72-hour cures; it is laying no claim to miracle-working then, when we say
    that many virus infections can be cleared within a similar time limit.

    Comment by R Cathcart: This paper repeatedly refers to intramuscular vitamin
    C. My personal experience, my talking with Klenner, and with his wife,
    Annie Klenner, who served as his nurse, would indicate that he used sodium
    ascorbate. Vitamin C as ascorbic acid is too acid for intramuscular
    injections or intravenous injections. Commercially prepared vitamin C
    solutions for injection may be labeled ascorbic acid but are buffered.
    Unfortunately, these may still be somewhat acid. They should never contain
    preservatives. See my article on how to make intravenous C solutions. These
    are also appropriate for intramuscular injections. The vitamin C when used
    orally is best in the ascorbic acid form if tolerated by the patient. I am
    especially indebted to Annie Klenner for her descriptions of how Fred made
    the sodium ascorbate solutions for intravenous and intramuscular use.

    André Carezia, Eng. de Telecomunicações,
    Carezia Consultoria - www.carezia.srv.br

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.91
    ************************
     
  4. LakeGator

    LakeGator Mostly Harmless Moderator

    Risks Digest 31.92

    RISKS List Owner

    May 30, 2020 8:28 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 30 May 2020 Volume 31 : Issue 92

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Russian hackers exploiting bug that gives control of U.S. servers
    (Ars Technica)
    Google cautions EU on AI rule-making (techxplore)
    Walmart Employees Are Out to Show Its Anti-Shoplifting AI Doesn't
    Work (WiReD)
    The GitHub Arctic Code Vault (Archiveprogram via Dan Jacobson)
    The mobile testing gotchas you need to know about (Functionize)
    You're sold on load testing. But for what "unreasonable" load should you
    test? (Functionize)
    SaltStack authorization bypass (f-secure)
    Dangerous SHA-1 crypto function will die in SSH linking millions of
    computers (Ars Technica)
    Choosing 2FA authenticator apps can be hard. Ars did it so you don't have to
    (Ars Technica)
    Twitter's decision to label Trump's tweets was two years in the making
    (WashPost)
    The Underground Nuclear Test That Didn't Stay Underground (Atlas Obscura)
    Re: Misinformation (Henry Baker, Andy Walker)
    Re: Zoom security / updates / crypto (Monty Solomon)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 30 May 2020 09:43:38 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Russian hackers exploiting bug that gives control of U.S. servers
    (Ars Technica)

    Sandworm group uses emails to send root commands to buggy Exim servers.

    Russian hackers are exploiting bug that gives control of US servers

    ------------------------------

    Date: Sat, 30 May 2020 01:12:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Google cautions EU on AI rule-making (techxplore)

    Google warned on Thursday that the EU's definition of artificial
    intelligence was too broad and that Brussels must refrain from
    over-regulating a crucial technology.

    The search and advertising giant made its argument in feedback to the
    European Commission, the EU's powerful regulator that has reached out to big
    tech as it draws up ways to set new rules for AI.

    The EU has not decided yet on how to regulate AI, but is putting most of its
    focus on what it calls "high risk" sectors, such as healthcare and
    transport.

    Its plans, to be spearheaded by EU commissioners Margrethe Vestager and
    Thierry Breton, are not expected until the end of the year.

    "A clear and widely understood definition of AI will be a critical
    foundational element for an effective AI regulatory framework," the company
    said in its 45-page submission.

    The EU's own definition of AI was so broad that it "effectively puts all
    contemporary software potentially in scope," it said. [...]
    https://techxplore.com/news/2020-05-google-cautions-eu-ai-rule-making.html

    ------------------------------

    Date: Sat, 30 May 2020 19:08:07 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Walmart Employees Are Out to Show Its Anti-Shoplifting AI Doesn't
    Work (WiReD)

    The retailer denies there is any widespread issue with the software, but
    a group expressed frustration -- and public health concerns.

    Walmart Employees Are Out to Show Its Anti-Shoplifting AI Doesn't Work

    AI to the ... rescue?

    ------------------------------

    Date: Sun, 31 May 2020 04:50:28 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: The GitHub Arctic Code Vault (Archiveprogram)

    GitHub Archive Program

    "The GitHub Arctic Code Vault is a data repository preserved in the Arctic
    World Archive (AWA), a very-long-term archival facility 250 meters deep in
    the permafrost of an Arctic mountain. The archive is located in a
    decommissioned coal mine in the Svalbard archipelago, closer to the North
    Pole than the Arctic Circle. GitHub will capture a snapshot of every active
    public repository on 02/02/2020 and preserve that data in the Arctic Code
    Vault."

    Skeptical Perspective...

    https://linuxinsider.com/story/gith...e-apocalypse-proof-in-arctic-vault-86367.html
    The odds aren't terribly good that GitHub's plan will actually work, he suggested.

    First, someone would have to look for, find, and gain access to the
    repository. Then there is the matter of the discoverers decoding
    instructions, starting up power supplies, getting systems up and running,
    and learning to code.

    "The farther away you get from the day the materials are stored, the less
    likely that the rosy outcome GitHub envisions is likely to occur," King told
    LinuxInsider.

    GitHub's plan is almost certainly a public relations play designed to
    generate buzz for the company, said Phil Strazzulla, founder of Select
    Software Reviews.

    "Think about all of the servers that are stored around the world that hold
    repositories of this code. The only way the Arctic vault would be useful is
    if the entire human civilization was essentially wiped out, and then somehow
    another form of life eventually figured out how to find and analyze this
    code," he told LinuxInsider.

    He sees the bottom line as the absence of any scenario in the future in
    which saving open source technology would become useful, even if you believe
    there is a high likelihood of doomsday scenarios.

    "This is more a calculus of how much the effort will cost relative to the
    amount of press that it will generate," Strazzulla said.

    [OK, great. But what if the lock gets frozen?

    And what if some court order orders all copies of Jamie R. Junioropolis's
    paragraph 3 of his 37th comment to be removed from all archives worldwide, as
    it contains sensitive government info? -DJ]

    ------------------------------

    Date: Fri, 29 May 2020 23:52:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The mobile testing gotchas you need to know about (Functionize)

    Testing applications on mobile devices has its own set of perils. For how
    many of these are you prepared?

    https://www.functionize.com/blog/the-mobile-testing-gotchas-you-need-to-know-about/

    ------------------------------

    Date: Fri, 29 May 2020 23:46:22 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: You're sold on load testing. But for what "unreasonable" load
    should you test? (Functionize)

    Load testing -- where you discover the point at which a computer system
    fails -- is based on preparing for (graceful) failure by knowing its
    breaking point. Successful load testers anticipate high demand -- but at
    what point do you pass from *high demand* to *ridiculous*? The guideline:
    Expect the unexpected.

    https://www.functionize.com/blog/yo...t-for-what-unreasonable-load-should-you-test/

    ------------------------------

    Date: Sat, 30 May 2020 09:42:16 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: SaltStack authorization bypass (f-secure)

    The vulnerabilities described in this advisory allow an attacker who can
    connect to the "request server" port to bypass all authentication and
    authorization controls and publish arbitrary control messages, read and
    write files anywhere on the "master" server filesystem and steal the secret
    key used to authenticate to the master as root. The impact is full remote
    command execution as root on both the master and all minions that connect to
    it.

    The vulnerabilities, allocated CVE ids CVE-2020-11651 CVE-2020-11652, are of
    two different classes. One being authentication bypass where functionality
    was unintentionally exposed to unauthenticated network clients, the other
    being directory traversal where untrusted input (i.e. parameters in network
    requests) was not sanitized correctly allowing unconstrained access to the
    entire filesystem of the master server.

    SaltStack authorization bypass
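The two bug classes the advisory describes, unauthenticated reachability of privileged handlers and an unsanitized path parameter, shown side by side with their fixes in a toy request dispatcher. This is an added example, not Salt's code and not the advisory's proof of concept; the command names, file root, minion id and token are all hypothetical.

```python
"""The two bug classes from the SaltStack advisory above, in miniature.

Added example, not Salt's code and not the advisory's proof of concept.
A master-like "request server" receives a dict such as
{"cmd": ..., "path": ..., "id": ..., "token": ...} from the network.
The vulnerable dispatcher lets any client name any handler (so internal,
privileged handlers run without a token) and joins a client-supplied
path onto the master's file root without confining it. The hardened
version allowlists commands, demands a valid token and confines paths.
All identifiers, paths and tokens here are hypothetical/constructed.
"""
import hmac
import os
from pathlib import Path

FILE_ROOT = Path("/var/example-master/files")        # hypothetical master file root
VALID_TOKENS = {"minion01": "constructed-token-1"}   # constructed, in memory only


class RequestError(Exception):
    """Raised by the hardened dispatcher for anything it refuses to do."""


# ---- vulnerable pattern --------------------------------------------------

def vuln_dispatch(req, handlers):
    """Every handler is reachable by name and none of them checks a token."""
    return handlers[req["cmd"]](req)


def vuln_read_file(req):
    """Unsanitized path parameter: '../../../etc/passwd' walks out of FILE_ROOT.

    Returns the path that would be opened, so the escape is visible.
    """
    return os.path.normpath(os.path.join(str(FILE_ROOT), req["path"]))


# ---- hardened pattern ----------------------------------------------------

def authenticated(req):
    """True only if the client's token matches, compared in constant time."""
    expected = VALID_TOKENS.get(req.get("id", ""))
    supplied = req.get("token", "")
    return expected is not None and hmac.compare_digest(expected, supplied)


def confine(root, untrusted):
    """Resolve `untrusted` beneath `root`; refuse anything that escapes it.

    Rejects absolute paths, NUL bytes, and '..' sequences that climb above
    root. Requiring root to be the result or one of its parents also
    defeats the string-prefix trick ('files2/x' beside root 'files').
    Resolution is lexical (normpath) so the example runs anywhere; a real
    server would also resolve symlinks after this check.
    """
    if "\x00" in untrusted:
        raise RequestError("NUL byte in path")
    if os.path.isabs(untrusted):
        raise RequestError(f"absolute path refused: {untrusted!r}")
    candidate = Path(os.path.normpath(os.path.join(str(root), untrusted)))
    if candidate != root and root not in candidate.parents:
        raise RequestError(f"path escapes root: {untrusted!r}")
    return candidate


def safe_read_file(req):
    return confine(FILE_ROOT, req["path"])


PUBLIC_COMMANDS = ("read_file",)   # internal handlers are simply not listed


def safe_dispatch(req, handlers):
    """Allowlisted commands only, and only for clients with a valid token."""
    cmd = req.get("cmd")
    if cmd not in PUBLIC_COMMANDS or cmd not in handlers:
        raise RequestError(f"unknown command {cmd!r}")
    if not authenticated(req):
        raise RequestError("authentication required")
    return handlers[cmd](req)


# Constructed handler tables for the two servers. The internal handler is
# present in both; only the vulnerable dispatcher lets the network reach it.
HANDLERS_VULN = {
    "read_file": vuln_read_file,
    "_internal_publish": lambda req: "control message published to all minions",
}
HANDLERS_SAFE = {
    "read_file": safe_read_file,
    "_internal_publish": lambda req: "control message published to all minions",
}


if __name__ == "__main__":
    print(vuln_dispatch({"cmd": "_internal_publish"}, HANDLERS_VULN))
    print(vuln_dispatch({"cmd": "read_file", "path": "../../../etc/passwd"}, HANDLERS_VULN))
    creds = {"id": "minion01", "token": "constructed-token-1"}
    print(safe_dispatch({"cmd": "read_file", "path": "minions/top.sls", **creds}, HANDLERS_SAFE))
```

The confinement check is the part worth copying: normalise after joining, then require the result to be the root itself or to have the root among its parents. A plain string-prefix test on the root would pass `files2/x` for a root named `files`; the parents test does not.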

    ------------------------------

    Date: Sat, 30 May 2020 10:12:59 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Dangerous SHA-1 crypto function will die in SSH linking millions
    of computers (Ars Technica)

    Lagging far behind others, SSH developers finally deprecate aging hash
    function.

    Dangerous SHA-1 crypto function will die in SSH linking millions of computers

    ------------------------------

    Date: Sat, 30 May 2020 10:21:33 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Choosing 2FA authenticator apps can be hard. Ars did it so you
    don't have to (Ars Technica)

    Losing your 2FA codes can be bad. Having backups stolen can be worse. What
    to do?

    Choosing 2FA authenticator apps can be hard. Ars did it so you don’t have to

    ------------------------------

    Date: Fri, 29 May 2020 23:50:37 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Twitter's decision to label Trump's tweets was two years in the making
    (WashPost)

    The social media giant for the first time this week labeled three of the
    president's tweets

    https://www.washingtonpost.com/technology/2020/05/29/inside-twitter-trump-label/

    Also,

    Twitter Had Been Drawing a Line for Months When Trump Crossed It
    Inside the company, one faction wanted Jack Dorsey, Twitter's chief, to take
    a hard line against the president’s tweets while another urged him to remain
    hands-off.
    https://www.nytimes.com/2020/05/30/technology/twitter-trump-dorsey.html

    ------------------------------

    Date: Fri, 29 May 2020 23:21:33 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Underground Nuclear Test That Didn't Stay Underground
    (Atlas Obscura)

    [Old item, but a reminder that we don't know what we don't know,
    and when we think we know it, we still don't. PGN]

    Three and half minutes into the test, it was clear that something had gone
    wrong.

    At 7:30 a.m. on 18 Dec 1970, the Baneberry test began at the Nevada Test
    Site. A nuclear bomb had been lowered into a hole a little more than seven
    feet in diameter. More than 900 feet underground, the bomb -- relatively
    small for a nuclear bomb -- was detonated.

    Less than a decade before, after the U.S. signed onto the Partial Test Ban
    Treaty, nuclear testing had gone underground. The treaty was meant to stop
    the venting of nuclear materials into the atmosphere and limit human
    exposure to radioactive fallout. But the Baneberry test, named for a desert
    shrub, did not go as planned.

    https://www.atlasobscura.com/articles/do-underground-nuclear-tests-have-fallout

    ------------------------------

    Date: Sat, 30 May 2020 09:30:06 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: Misinformation (Walker, RISKS-31.91)

    Re: "I'm sure that those making professional use of MC methods know all
    about ..."

    Andy Walker is certainly correct that slow convergence of Monte Carlo
    methods can be improved through various mitigation techniques, including
    "biasing" techniques.

    However, his assumption that those behind the Imperial model "know all about
    ..." may be unreasonably generous, as the Imperial model has already been
    shown to produce dramatically varying results depending upon the random
    numbers used. If these mitigation techniques had worked well in the
    Imperial model, this dependence on the particular sequence of random numbers
    should have averaged out over enough runs, but they didn't.

    Both my toy "Bernoulli" model and my toy lognormal model for the *product*
    of independent random samples have closed form solutions, so toy systems can
    often be mathematically tractable when a more "realistic" model such as the
    Imperial model cannot be. I claim that attempting Walker's mitigations for
    the Imperial model would require a proof that the mitigations only improve
    convergence and would not change the eventual answers.

    Walker has still not addressed the basic mathematical fact that
    distributions with gigantic variances have no useful predictive value, and
    hence do not fit the definition of 'science'.

    E.g., my toy Bernoulli product model can be represented exactly with a
    *probability generating function*:

    $$G(z,p,q,a,b,n) = \sum_{i=0}^{n} \binom{n}{i}\, p^{i} q^{n-i}\, z^{a^{i} b^{n-i}}$$

    where p=1/100, q=99/100, a=98, b=2, n=10.

    Mean(G):

    $$(b q + a p)^{10}$$

    I.e., mean^10 of a single Bernoulli sample, as expected.

    With p=1/100, q=99/100, a=98, b=2, this mean is:

    $$\frac{4923990397355877376}{95367431640625} \approx 51631.78154897835$$

    Var(G), p=1/100, q=99/100, a=98, b=2:

    $$\frac{909494701748682556481786171327006234749251354624}{9094947017729282379150390625}$$

    rounded to an integer is:

    $$99999999997334159134 \approx 10^{20}$$

    This is an astoundingly high variance, which indicates that the probability
    density is almost zero almost everywhere.

    Similarly, my toy lognormal distribution L(m,v):

    $$\frac{\exp\!\left(-\dfrac{(\log x - m n)^{2}}{2 n v}\right)}{\sqrt{2}\,\sqrt{\pi}\,\sqrt{n v}\; x}$$

    has mean:

    $$e^{\frac{n v}{2} + m n} \approx 51631.78154897708$$

    and variance:

    $$\left(e^{n v} - 1\right) e^{n v + 2 m n} \approx 9.9999999997 \times 10^{19}$$

    The value of the lognormal pdf at the mean is:

    $$\frac{e^{-\frac{5 n v}{8} - m n}}{\sqrt{2}\,\sqrt{\pi}\,\sqrt{n v}} \approx 7.4643385877 \times 10^{-8}$$

    i.e., 1/13397034, a probability density of 1 in ~14 million.

    Thus, the pdf is almost *flat*, as well as almost infinitesimal, from some
    small fraction of the mean to some large multiple of the mean.

    Thus, there is nothing to particularly choose the 'mean' over any other
    'nearby' (or in this case, not-so-nearby) value as 'the answer'.

    This is a generic problem with exploding variances, which cannot be
    mitigated, because it is an essential feature/bug resulting from
    exponentiating large variance random variables.
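
The closed forms in the message above, carried through numerically. This is an added example and not Henry Baker's code: the parameters p=1/100, q=99/100, a=98, b=2, n=10 and the mean, variance and lognormal formulas are his; the function names, the exact-rational evaluation and the sampling-cost calculation (how many plain Monte Carlo runs a given standard error needs) are mine.

```python
"""Exact moments of the toy Bernoulli product model, and why a plain
Monte Carlo average of it is nearly useless.

Added example, not Henry Baker's code. Each of n independent draws is
a with probability p or b with probability q = 1 - p, and X is the
product of the n draws. The closed forms are the ones in the message;
the sampling-cost functions are mine.
"""
from fractions import Fraction
from math import exp, log, pi, sqrt
import random


def exact_moments(p, a, b, n):
    """Return (E[X], Var[X]) as exact Fractions; p may be a Fraction or "1/100".

    Independence gives E[X^k] = (b^k q + a^k p)^n, which is what the
    PGF G(z) yields for the mean and the second moment.
    """
    p = Fraction(p)
    q = 1 - p
    mean = (b * q + a * p) ** n
    second = (b * b * q + a * a * p) ** n
    return mean, second - mean * mean


def lognormal_fit(mean, var):
    """Parameters (n*v, m*n) of the lognormal L(m, v) with this mean and variance.

    Inverts mean = exp(n v / 2 + m n) and var = (exp(n v) - 1) exp(n v + 2 m n):
    n v = log(1 + var / mean^2) and m n = log(mean) - n v / 2.
    """
    nv = log(1 + var / (mean * mean))
    mn = log(mean) - nv / 2
    return nv, mn


def lognormal_pdf_at_mean(nv, mn):
    """Density of L(m, v) at its own mean: exp(-5 n v / 8 - m n) / sqrt(2 pi n v)."""
    return exp(-5 * nv / 8 - mn) / sqrt(2 * pi * nv)


def relative_standard_error(mean, var, runs):
    """Standard error of an average over `runs` independent draws of X, over the mean."""
    return sqrt(var / runs) / mean


def runs_for_relative_error(mean, var, target):
    """Runs needed before that relative standard error falls to `target`."""
    return var / (target * mean) ** 2


def monte_carlo_mean(p, a, b, n, runs, seed=1):
    """Average of `runs` simulated products, plain sampling with no biasing."""
    p = float(Fraction(p))
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        x = 1
        for _ in range(n):
            x *= a if rng.random() < p else b
        total += x
    return total / runs


if __name__ == "__main__":
    mean, var = exact_moments("1/100", 98, 2, 10)
    print("exact mean     ", float(mean))
    print("exact variance ", float(var))
    nv, mn = lognormal_fit(float(mean), float(var))
    print("pdf at the mean", lognormal_pdf_at_mean(nv, mn))
    print("relative standard error of a 10,000-run average:",
          relative_standard_error(float(mean), float(var), 10_000))
    print("runs needed for a 10% standard error:",
          runs_for_relative_error(float(mean), float(var), 0.1))
    print("one 10,000-run sample mean:", monte_carlo_mean("1/100", 98, 2, 10, 10_000))
```

With these parameters the exact mean is 51631.78..., the second moment is exactly 100^10 (because b^2 q + a^2 p = 100), and the standard error of a 10,000-run average is about 1,900 times the mean; driving it down to 10% of the mean takes roughly 4 x 10^12 runs. The seeded sample mean is dominated by whether the run happened to include a product with three or more draws of 98, which is the quantitative form of the slow convergence both sides of the thread refer to.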

    ------------------------------

    Date: Fri, 29 May 2020 23:55:37 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Re: Zoom security / updates / crypto

    Reminder on Zoom 5.0 — update your clients before May 30

    Zoom 5.0 became generally available on April 27, and a system-wide account
    enablement to AES 256-bit GCM encryption will occur on May 30, 2020. Only
    Zoom clients on version 5.0 or later, including Zoom Rooms, will be able to
    join Zoom Meetings starting that day. We urge all users to update to Zoom
    5.0 or higher today, if you have not done so already.

    ------------------------------

    Date: Sat, 30 May 2020 22:44:07 +0100
    From: Andy Walker <a...@cuboid.me.uk>
    Subject: Re: Misinformation (Baker, RISKS-31.91)

    On 30/05/2020 17:30, Henry Baker wrote:
    > Walker has still not addressed the basic mathematical fact that
    > distributions with gigantic variances have no useful predictive value, and
    > hence do not fit the definition of 'science'.

    That, surely, depends on what you are trying to predict? Many of the
    properties of the current pandemic can be modeled with a pencil and the
    back of an envelope -- as indeed we have almost been doing in this thread.

    > Thus, the pdf is almost *flat*, as well as almost infinitesimal, from some
    > small fraction of the mean to some large multiple of the mean.

    In the real world, this is, rather, evidence that the model has broken down.

    > This is a generic problem with exploding variances, which cannot be
    > mitigated, because it is an essential feature/bug resulting from
    > exponentiating large variance random variables.

    OK, but that still doesn't mean that we can't do anything useful with the
    result. It just means that you have an unstable or even chaotic model in
    terms of predicting means and variances; there may be other properties of
    the model that are relatively easy to get at. In addition, if the theory of
    "superspreaders" is anything like correct, then that gives us a target --
    viz to identify them and/or the situations in which they superspread [such
    as schools, restaurants, prisons, care homes or football matches], which is
    a first step towards doing something about it other than locking down the
    entire population.

    ------------------------------


    End of RISKS-FORUM Digest 31.92
    ************************
     
  5. LakeGator

    LakeGator Mostly Harmless Moderator

    Risks Digest 31.93

    RISKS List Owner

    Jun 1, 2020 8:42 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 1 June 2020 Volume 31 : Issue 93

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Dealing with the Internet's split personality (WashPost)
    In virus-hit South Korea, AI monitors lonely elders (WashPost)
    How to Protest Safely in the Age of Surveillance (WiReD)
    Resuscitate The Internet Fairness Doctrine (The Hill)
    An advanced and unconventional hack is targeting industrial firms
    (Ars Technica)
    Minnesota is now using contact tracing to track protestors, as
    demonstrations escalate (BGR)
    Do Not Install/Use Centralized Server COVID-19 Contact Tracing Apps
    (Lauren Weinstein)
    Critical 'Sign in with Apple' Bug Could Have Let Attackers Hijack Anyone's
    Account (The Hacker News)
    Erik Prince Recruits Ex-Spies to Help Infiltrate Liberal Groups (NYTimes)
    Anonymous is back (PGN)
    How To Create A Culture of Kick-Ass #DevSecOps Engineers That Advocates
    Security Automation & Monitoring Throughout the #Software Development
    Life-cycle (The Hacker News)
    Live EPIC online policy panel: Privacy and the Pandemic (Diego Latella)
    Risks to Elections in the COVID-19 Era (Diana Neuman)
    Death or Utopia in the Next Three Decades (Brian Berg)
    New Research Paper: "Privacy Threats in Intimate Relationships
    (Bruce Schneier)
    Re: Tesla owner locked thief in car with his iPhone app (Carlos Villalpando)
    Re: The GitHub Arctic Code Vault (Amos Shapir)
    Re: Choosing 2FA authenticator apps can be hard. Ars did it so you don't
    have to (John Levine)
    Re: Vitamin C (R. G. Newbury)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 1 Jun 2020 13:17:03 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Dealing with the Internet's split personality (WashPost)

    https://www.washingtonpost.com/opin...82b08e-a1b8-11ea-81bb-c2f70f01034b_story.html

    "There must be a price to pay for misusing the Internet. New 'norms' of
    behavior must be nourished. Bad behavior must be punished. Up to a point,
    that's fine. But the commission never really explains how this is to
    work. One practical problem is the difficulty in identifying the source of a
    cyberattack."

    Environment drives evolution. Genomes react to environmental stimulus over
    generations; they adapt to enable survival. The Internet's predominant genome
    suggests business governance is an ideal adaptation candidate.

    Each data breach, computer malfunction, viral infection, botnet, bent or
    malicious insider, and DDoS incurs at least inconvenience, threatens
    business mortality, and routinely compromises personal privacy. Weak digital
    hygiene, inadequate training, ineffective content controls, and professional
    shirking contribute to these chronic conditions. Elevating and enforcing
    business conduct standards has never been more urgent.

    Classified data loss is vigorously prosecuted under Federal law (see
    "Ex-C.I.A. Analyst Faces Trial in Biggest Leak of Agency's History" and
    "Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core").

    Businesses entrusted to manage customer data suffer public brand outrage
    when bulk content is lost through negligence. However, business governance
    teams and employees are inconstantly found liable in civil courts.

    Cyber-liability insurance compensates organizations and customers when
    justice determines necessity; usually, a settlement is reached before trial
    commences. Repeat incidents elevate premiums, and insurers mandate enhanced
    internal remediation to suppress recurrence. Despite repairs, comprehensive
    efforts to harden infrastructure, train employees, and build resilient
    processes appear ineffective given their industrial frequency.

    Governance "skin in the game" can compel organizational behavior to
    prioritize customer interests that include data protection and privacy
    maintenance practices.

    Privileges accompany corporate rank. Why not balance them with legally
    enforceable penalties? Would legislation that establishes financial
    penalties for business governance teams, including possible imprisonment,
    accelerate effective digital hygiene hardening and operational deployment?

    Enforcement practices can compel business compliance rigor. The Financial
    crisis of 2007-2008 (see
    Financial crisis of 2007–08 - Wikipedia) forced
    revisions to the Investment Advisors Act of 1940. Regulations were
    introduced that required financial advisors to put customer interests
    first. Rule violators were disciplined. However, regulations have been
    recently softened to favor business interests. (See
    "SEC.gov | SEC Adopts Rules and Interpretations to Enhance Protections and
    Preserve Choice for Retail Investors in Their Relationships With Financial
    Professionals" and "How to Find Reliable Financial Advice as Regulations
    Change".)

    The Cyberspace Solarium Commission (Cyberspace Solarium Commission - Report) "urges
    Congress to give the Cybersecurity and Infrastructure Security Agency (CISA)
    significantly more resources and additional authorities as the agency works
    to ensure critical networks can recover quickly from cyberattacks and serves
    as the 'central coordinating element to support and integrate federal, state
    and local, and private-sector cybersecurity efforts.'" This recovery
    mechanism can facilitate post-attack remediation, but does not expedite
    proactive and effective deterrence by Internet-based businesses.

    Establishing a fair, reliable, and vigilant Internet "cop on the beat,"
    funded in part from commercial and government data breach/malware fines,
    could motivate a fundamental change in how Internet-dependent businesses
    operate custodial data management practices. It is difficult to estimate
    business enforcement expenses. Operational expenses are usually factored
    into product prices. Consumers may experience certain pocketbook impact.

    For Internet business models that advertise application access as a quid pro
    quo for consumer data, there's likely very small revenue impact. Other
    industrial sectors: power distribution, healthcare, chemical, transportation
    etc. may need to proactively pool revenue (or self-insure).

    Government agency executives and employees should be subject to these
    regulations. They are in business to safeguard public interests, which
    includes oversight of significant personal identifying information and
    commercial data.

    Mandatory penalties derived from data loss or malware incidents would
    effectively serve as an "Internet Tax" chartered by government to offset
    materialized business risks that burden public confidence. A
    politically-independent, enforceable regulatory structure is necessary to
    restore the Internet's balance toward public interest.

    ------------------------------

    Date: Mon, 1 Jun 2020 14:15:52 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: In virus-hit South Korea, AI monitors lonely elders (WashPost)

    https://www.washingtonpost.com/busi...45c38370-a2ec-11ea-be06-af5514ee038story.html

    South Korea's elderly population volunteers for home digital assistant
    monitoring of searches and voice commands. Suicide, and unattended death
    generally, is a grave concern for this aging cohort.

    SK Telecom is a state-sanctioned surveillance economy titan. Weak consumer
    privacy protections fuel business thirst for data. Significant government
    and business embarrassments from largely unrestricted public data
    exploitation.

    ------------------------------

    Date: Mon, 1 Jun 2020 06:31:47 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How to Protest Safely in the Age of Surveillance (WiReD)

    Law enforcement has more tools than ever to track your movements and access your communications. Here's how to protect your privacy if you plan to protest.

    https://www.wired.com/story/how-to-protest-safely-surveillance-digital-privacy/

    ------------------------------

    Date: Mon, 1 Jun 2020 21:56:47 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Resuscitate The Internet Fairness Doctrine (The Hill)

    https://thehill.com/policy/technolo...ness-doctrine-in-response-controversial-trump

    "Let's say the President is tweeting out conspiracy theories about Joe
    Scarborough," Khanna said, referring to Trump's tweets earlier this week
    about an unsubstantiated conspiracy theory regarding the death of an aide
    that worked for the former Florida congressman.

    "Well why not allow the widower who doesn't want the president tweeting
    about his deceased wife, why not give him the opportunity to send a response
    and that response Twitter could send to every person who clicks on the
    President's tweets?" Khanna suggested.

    "Or why not allow someone to respond to the President's claims about ballot
    fraud?"

    "What I would say is, you defeat speech with speech. But you didn't give one
    person a huge megaphone and not allow a fair response," he added.

    In 1987, under President Reagan, the Fairness Act was abolished. An updated
    Fairness Act, tabled for legislative debate, appears overdue.

    If Khanna's solution is adopted, tag-tweeted publication latency accrues
    until rebuttal content materializes. A timer might be established to
    incentivize response. The tag-tweet process appears to be viable when
    applied to a single political office.

    The labor expense to oversee political content might become significant if
    the resuscitated Act applied to all levels of government (federal, state,
    local).

    Should a media company be required to sponsor this activity as a public
    service? Who pays for the speech/rebuttal oversight process? Who defines the
    rules governing the speech/rebuttal process? Who arbitrates disputes over
    what is/is-not political speech?

    ------------------------------

    Date: Mon, 1 Jun 2020 09:58:29 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: An advanced and unconventional hack is targeting industrial firms
    (Ars Technica)

    Steganography? Check. Living off the land? Yep. Triple-encoded payloads?
    Uh-huh.

    https://arstechnica.com/information...ventional-hack-is-targeting-industrial-firms/

    ------------------------------

    Date: Sun, 31 May 2020 14:39:10 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Minnesota is now using contact tracing to track protestors, as
    demonstrations escalate (BGR)

    https://bgr.com/2020/05/30/minnesota-protest-contact-tracing-used-to-track-demonstrators/

    In some cities like Minneapolis, though, officials are starting to turn to a
    familiar tool to investigate networks of protestors. The tool is
    contact-tracing, and it's a familiar tool in that people have been hearing
    about it frequently in recent weeks as an important component of a
    comprehensive coronavirus pandemic response. According to Minnesota Public
    Safety Commissioner John Harrington, officials there have been using what
    they describe, without going into much detail, as contact-tracing in order
    to build out a picture of protestor affiliations, a process that
    officials in the state say has led them to conclude that much of the protest
    activity there is being fueled by people from outside coming in.

    ------------------------------

    Date: Sun, 31 May 2020 12:05:06 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Do Not Install/Use Centralized Server COVID-19 Contact Tracing Apps

    https://lauren.vortex.com/2020/04/2...ver-coronavirus-covid-19-contact-tracing-apps

    ------------------------------

    Date: Sun, 31 May 2020 22:43:25 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Critical 'Sign in with Apple' Bug Could Have Let Attackers
    Hijack Anyone's Account (The Hacker News)

    The now-patched vulnerability could have allowed remote attackers to bypass
    authentication and take over targeted users' accounts on third-party
    services and apps that have been registered using 'Sign in with Apple'
    option.

    https://thehackernews.com/2020/05/sign-in-with-apple-hacking.html

    ------------------------------

    Date: Mon, 1 Jun 2020 11:16:20 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Erik Prince Recruits Ex-Spies to Help Infiltrate Liberal Groups

    https://www.nytimes.com/2020/03/07/us/politics/erik-prince-project-veritas.html

    [Old news, but still timely. PGN]

    ------------------------------

    Date: Mon, 1 Jun 2020 11:56:46 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Anonymous is back

    George Floyd: Anonymous hackers re-emerge amid US unrest (BBC News)


    ------------------------------

    Date: Mon, 1 Jun 2020 09:10:31 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: How To Create A Culture of Kick-Ass #DevSecOps Engineers
    That Advocates Security Automation & Monitoring Throughout the
    #Software Development Life-cycle.

    https://thehackernews.com/2020/06/devsecops-engineers.html

    ------------------------------

    Date: Mon, 01 Jun 2020 22:24:28 +0200
    From: "Diego.Latella" <diego....@isti.cnr.it>
    Subject: Live EPIC online policy panel: Privacy and the Pandemic

    PRIVACY AND THE PANDEMIC (https://epic.org/events/June3/)
    3 JUNE 2020, 1 PM - 2 PM EDT

    The COVID-19 pandemic is a global health emergency of unprecedented scale,
    and countries are deploying a wide range of techniques to respond. EPIC is
    advocating for greater privacy protection to ensure that the public health
    response protects individuals. These systems should be lawful and
    voluntary. There should be minimal collection of personally identifiable
    information. The techniques should be robust, scalable, and provable. And
    they should only be used during the pandemic emergency.

    Our panelists will discuss ways in which governments can protect both public
    health and privacy, the technology behind digital contact tracing apps, and
    the Congressional response to privacy and the pandemic.

    PANELISTS:
    Jane Bambauer, Professor of Law at the University of Arizona
    Alan Butler, Interim Executive Director and General Counsel, EPIC
    Asad Ramzanali, Legislative Director, Representative Anna Eshoo [D-CA-18]
    Bruce Schneier, Internationally renowned security technologist

    MODERATOR:
    Anita Allen, Professor of Law and Professor of Philosophy, University of
    Pennsylvania Law School; Chair, EPIC Board of Directors

    ABOUT EPIC:
    https://epic.org/epic/about.html

    ------------------------------

    Date: Wed, 27 May 2020 08:08:29 -0700
    From: Diana Neuman <diana...@bacesecurity.org>
    Subject: Risks to Elections in the COVID-19 Era

    A Fireside Chat with Peter G. Neumann and Rebecca T. Mercuri
    Wednesday 3 June 2020 11am PDT
    Hosted by the (Becky) Bace Cybersecurity Institute

    Flyer and Website
    https://www.bacesecurity.org/page/2686

    Diana Neuman, Executive Director, Bace Cybersecurity Institute
    diana...@bacesecurity.org

    ------------------------------

    Date: Mon, 1 Jun 2020 12:09:56 PDT
    From: Brian Berg via AMW <a...@berglist.com>
    Subject: Death or Utopia in the Next Three Decades

    Special EE380/Asilomar Joint Event (Thu, June 4, 11am-1pm PDT)

    Register at http://ee380.stanford.edu/register.html to receive a URL to
    access the live virtual presentation

    *Presentation will be published to YouTube shortly after the live event.*

    Today the data suggests that we are near the beginning of a chaotic mess of
    global proportions. Things are fairly simple: a global pandemic with no
    tools to fight the virus, a global economy in disarray, climate change and
    other existential risks beginning to intrude into our daily lives, and a
    total lack of a plan as to what to do.

    On the other hand, we are at the pinnacle of human capabilities and have, if
    we so choose, the capability to create a Utopian egalitarian world without
    conflict or want.

    In this 2-hour program, a group of experts will explore the future, focusing
    on 2030 and 2050.

    Where are we now? What is trending? What if anything can be done about it?

    You are invited to participate in a virtual conference live using Zoom
    (version 5.0 or greater), or watch the recorded version when it is
    published on YouTube. You must REGISTER
    (http://ee380.stanford.edu/register.html) to receive a URL to access the
    live virtual presentation and find the YouTube video of the presentation.

    *The Panel*

    John Markoff* Stanford Institute for Human Centered AI, ex-NY
    Times (Moderator)

    Garrett Banning* Washington-based strategic thinker and analyst

    Joy Buolamwini Algorithmic Justice League | Poet of Code ; Harvard

    Carole Dumaine Consultant, NIC, CIA; Co-founder of Futures.org.

    John Hennessy Stanford University professor, past President; Alphabet
    BoD Chair

    Michael Mann Earth System Science Center and Professor, Penn State

    Carmine Medina Former CIA Deputy Director, Author of Rebels At Work

    Paul Saffo Forecaster of technology change, Stanford Engineering Adjunct

    Megan Smith CEO shift7, MIT Board, ex-CIO of the US under Obama

    *Sponsors*

    The Asilomar Microcomputer Workshop is one of the iconic gatherings which
    supported the growth of computing. This is the first mini-conference which
    replaces the 46th Asilomar Microcomputer Workshop, which was canceled due to
    the COVID-19 pandemic. http://www.amw.org.

    The Stanford EE Colloquium on Computer Systems, EE380, will present the
    mini-conference as one of its offerings for Spring Quarter 2020.
    http://ee380.stanford.edu

    *Organizers*
    Dennis Allison Program conception and organization
    Robert Kennedy III Asilomar Microcomputer Workshop General Chair

    ------------------------------

    Date: Mon, 01 Jun 2020 14:32:54 -0500
    From: Bruce Schneier <schn...@schneier.com>
    Subject: New Research Paper: "Privacy Threats in Intimate Relationships"

    Just published:

    "Privacy Threats in Intimate Relationships"
    Karen Levy and Bruce Schneier
    Journal of Cybersecurity, Volume 6, Issue 1, 2020.

    Abstract: This article provides an overview of intimate threats: a class of
    privacy threats that can arise within our families, romantic partnerships,
    close friendships, and caregiving relationships. Many common assumptions
    about privacy are upended in the context of these relationships, and many
    otherwise effective protective measures fail when applied to intimate
    threats. Those closest to us know the answers to our secret questions, have
    access to our devices, and can exercise coercive power over us. We survey a
    range of intimate relationships and describe their common features. Based
    on these features, we explore implications for both technical privacy design
    and policy, and offer design recommendations for ameliorating intimate
    privacy risks.

    https://academic.oup.com/cybersecurity/article/6/1/tyaa006/5849222

    ------------------------------

    Date: Sat, 30 May 2020 18:11:52 -0700
    From: Carlos Villalpando <unbe...@gmail.com>
    Subject: Re: Tesla owner locked thief in car with his iPhone app (R 31 87)

    > How long will it be before we see: "iPhone app bug allows anyone to lock
    > Tesla owners into their cars"?

    Never, I suspect. When I saw the original report in 31.87 I was suspicious,
    in that Teslas don't have a "remote off" and there is no physical locking
    mechanism. All "locking" the car does is tell the car to ignore the
    exterior door handle microswitches. Attempting to duplicate this on my own
    Tesla Model 3, the interior driver door button always obeyed, even if I
    locked it with my phone; and on top of that, there's the mechanical door
    release which bypasses the electronic lock. And the mechanical release is
    much like all other vehicle door releases, and is used often by passengers
    unfamiliar with the vehicle.

    I suspect this was a case of someone not knowing how to deal with the
    differences in how to operate the vehicle. The car has a non-standard way
    of shifting into drive modes, and will not shift into drive mode without
    detecting the phone key/keyfob inside the vehicle. I suspect the
    carjacker was confused enough for the owner to get out of phone Bluetooth
    range, and was too impaired to deal with what to do next.

    [Thanks for that. I had problems with the original story, because it
    did not make sense. PGN]

    ------------------------------

    Date: Sun, 31 May 2020 12:43:37 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: The GitHub Arctic Code Vault (RISKS-31.92)

    > "Think about all of the servers that are stored around the world that
    > hold repositories of this code. The only way the Arctic vault would be
    > useful is if the entire human civilization was essentially wiped out"

    That's what Maersk had thought, before all their servers were hit by NotPetya
    at once; they were saved only by a server in Ghana which happened to be
    offline at the time.

    The point is, it's not unthinkable that all repositories which belong to the
    same owner, or relate to the same subject, or contain some specific
    information, are hit at the same time by a carefully directed attack.

    ------------------------------

    Date: 31 May 2020 16:17:08 -0400
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Choosing 2FA authenticator apps can be hard. Ars did it so you
    don't have to (Ars Technica)

    > Losing your 2FA codes can be bad. Having backups stolen can be worse. What
    > to do?

    My, what a gratuitous mess. The TOTP codes used by 2FA apps are in fact
    base32 character strings to be hashed with a timestamp to produce the
    six-digit codes used for authentication. The QR codes also contain the name
    of the service and sometimes an image of its logo, but the base32 string is
    all that matters. Whenever something shows you the QR code, there is
    invariably a way to get it to show you the string, in case you can't scan
    the QR code, and the apps have a way to enter the string manually.

    Keeping this in mind I can suggest a variety of lowish-tech ways to avoid
    losing your TOTP strings:

    Scan them into more than one app when you get them.

    Scan them into apps on more than one device. I use my phone, my tablet, and
    a python script on my laptop.

    Put the strings in a file on a device you leave at home, perhaps a USB stick
    in a drawer. Print the strings out on a piece of paper and put it in your
    wallet, with hints that make sense to you about which string goes with which
    service. (The hints and the strings need not be in the same order so long as
    you remember the mapping.)

    It would take an extremely unusual bad guy to first steal your wallet and
    then figure out what the scribbles on the paper mean. On the other hand if
    you lose your phone, you can enter the strings into an app on your new phone
    by hand and you're ready to go.
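
The computation Levine describes, made concrete: a TOTP generator (RFC 6238,
built on RFC 4226 HOTP) that takes the base32 string, plus a parser for the
otpauth:// URI that a provisioning QR code encodes, which is where the service
name and the optional algorithm/digits/period parameters live alongside that
string. This is an added example, not code from the RISKS post or any
authenticator app. The secret is the published RFC 4226/6238 test key
"12345678901234567890" and the URI around it is constructed for this example,
so the codes it produces match the RFC test vectors and belong to no real
account.

```python
"""TOTP (RFC 6238) from a base32 secret, plus a parser for the otpauth:// URI
carried by a provisioning QR code. Added example, not from the RISKS post.
The secret below is the RFC 4226/6238 test key, not a real account's."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC test secret "12345678901234567890" base32-encoded,
# wrapped in the otpauth:// URI format that TOTP QR codes use. Issuer and
# account are placeholders.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&algorithm=SHA1&digits=6&period=30")


def parse_otpauth_uri(uri):
    """Return dict(secret, issuer, account, algorithm, digits, period).

    Only `secret` is needed to produce codes; the rest is labelling (the
    service name) plus optional parameters that default per RFC 6238.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    issuer, _, account = label.rpartition(":")
    return {
        "secret": q["secret"],
        "issuer": q.get("issuer", issuer),
        "account": account,
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def decode_base32_secret(secret):
    """Decode a base32 secret the way apps accept it when typed by hand:
    any case, embedded spaces, and the '=' padding that QR codes omit."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC(key, counter) -> dynamic truncation -> `digits` digits."""
    key = decode_base32_secret(secret)
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret, code, at=None, period=30, digits=6,
                algorithm="SHA1", window=1):
    """Accept the code for the current step or its `window` neighbours, to
    tolerate clock skew; compare in constant time so timing leaks nothing."""
    at = time.time() if at is None else at
    step = int(at) // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algorithm), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    p = parse_otpauth_uri(SAMPLE_URI)
    print(p["issuer"], p["account"], totp(p["secret"], period=p["period"]))
```

The same base32 string entered into any number of apps or scripts yields the
same codes, which is why Levine's backup advice works; it also means every copy
of that string is an equally valid authenticator and deserves the same
protection as the password it supplements. `decode_base32_secret` accepts
lower case, spaces and missing padding because a string copied from paper or a
backup file rarely arrives in canonical form.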

    ------------------------------

    Date: Mon, 1 Jun 2020 00:52:59 -0400
    From: "R. G. Newbury" <new...@mandamus.org>
    Subject: Re: Vitamin C (RISKS-31.91)

    This awesome news about Vitamin C is breaking as we .... oh, wait! 71 years
    old, next month. Clearly it was ignored if not anathematized as impossible
    by the medical establishment. (I am reminded of Helicobacter pylori being
    'unpossible'.)

    Dr. Klenner got amazing results against all sorts of viral diseases. The
    results point to the importance of a healthy immune system as the first line
    of defence.

    Interesting to see that the bureaucracy was already in full force and power
    back in 1949:

    (3) Routine lumbar puncture would have made it obligatory to report each
    case as diagnosed to the health authorities. This would have deprived myself
    of valuable clinical material and the patients of most valuable therapy,
    since they would have been removed to a receiving center in a nearby town.

    I had to use some web-fu: 1000 mg of Vitamin C is 20,000 IU. So these
    were not small doses and delivery seemed to require injection to be useful.

    Interesting that it works on shingles.
    Thanks to Andre Carezia for finding this and passing it on.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.93
    ************************
     
  6. LakeGator

    Risks Digest 31.94

    RISKS List Owner

    Jun 3, 2020 8:40 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Wednesday 3 June 2020 Volume 31 : Issue 94

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    REvil Ransomware Gang Starts Auctioning Victim Data (Krebs)
    Misinformation About George Floyd Protests Surges on Social Media (NYTimes)
    America is awash in cameras, a double-edged sword for protesters and police
    (WashPost)
    Australian Federal Government's automated debt recovery 'Robodebt' was
    illegal. A$721M to be refunded and compensation case underway. (ABC)
    Just Stop the Superspreading (NYTimes)
    The Militarization of Artificial Intelligence (UNODA, Stanley Center,
    Stimson Center)
    Limits on Autonomy in Weapon Systems (SIPRI)
    White nationalist group posing as antifa called for violence on twitter
    (NBC News)
    Re: Minnesota is now using contact tracing to track protestors, as
    demonstrations escalate (Vox)
    Re: Resuscitate The Internet Fairness Doctrine (Richard Stein)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: June 3, 2020 12:20:04 JST
    From: geoff goodfellow <ge...@iconia.com>
    Subject: REvil Ransomware Gang Starts Auctioning Victim Data (Krebs)

    The criminal group behind the REvil ransomware enterprise has begun
    auctioning off sensitive data stolen from companies hit by its malicious
    software. The move marks an escalation in tactics aimed at coercing victims
    to pay up -- and publicly shaming those who don't. But it may also signal
    that ransomware purveyors are searching for new ways to profit from their
    crimes as victim businesses struggle just to keep the lights on during the
    unprecedented economic slowdown caused by the COVID-19 pandemic.

    Over the past 24 hours, the crooks responsible for spreading the ransom
    malware *REvil* (a.k.a. Sodin and Sodinokibi) used their Dark Web Happy
    Blog to announce its first ever stolen data auction, allegedly selling files
    taken from a Canadian agricultural production company that REvil says has so
    far declined its extortion demands...

    https://krebsonsecurity.com/2020/06/revil-ransomware-gang-starts-auctioning-victim-data/

    ------------------------------

    Date: Tue, 2 Jun 2020 00:39:49 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Misinformation About George Floyd Protests Surges on Social Media
    (NYTimes)

    In the universe of false online information, Mr. Floyd remains alive and
    George Soros is to blame for the protests.

    Misinformation About George Floyd Protests Surges on Social Media

    ------------------------------

    Date: Wed, 3 Jun 2020 13:37:11 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: America is awash in cameras, a double-edged sword for protesters
    and police (WashPost)

    Smartphone cameras, home security cameras, traffic cameras — digital eyes
    are a boon and danger to protesters.

    https://www.washingtonpost.com/technology/2020/06/03/cameras-surveillance-police-protesters/

    ------------------------------

    Date: Tue, 2 Jun 2020 15:38:33 +1000
    From: Ian Hayden <ian8h...@gmail.com>
    Subject: Australian Federal Government's automated debt recovery 'Robodebt'
    was illegal. A$721M to be refunded and compensation case underway. (ABC)

    Despite its name, Robodebt was a failure of human intelligence

    "A more targeted approach to managing people" is how the now Prime Minister
    had described it in mid-2016.

    The story of how the data-matching scheme was invented with vim by a coterie
    of high-powered bureaucrats and sold to starry-eyed ministers is fabled in
    Canberra. "Give our Department some extra money, and we'll get you an extra
    $2 billion" was the pitch.

    Never mind that in their zeal, the Human Services Department would actually
    remove humans entirely from the process of identifying alleged debts and
    mailing what amounted to letters of demand to more than 370,000 people. Nor
    had anyone evidently stopped to take rigorous legal advice on whether the
    brave new world of data-matched welfare recovery actually stood up to the
    laws of the land, which stand as the barrier between Government excess and
    the protection of the people.

    Although it's almost never released, we now know that subsequent legal
    advice to the Government warned its chances of defending numerous court
    actions would be close to zero.

    ------------------------------

    Date: Tue, 02 Jun 2020 08:02:17 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Just Stop the Superspreading (NYTimes)

    The NYTimes article below attributes the bulk of COVID19 spread to
    "superspreaders" and "superspreading events".

    Unfortunately, we're going to get an unplanned full-scale test of this
    theory due to the large-scale protests in almost every hot spot of COVID19
    in the country. Even worse, many of those protesting are at much higher
    risk of serious complications from the disease.

    We can only hope that Santayana was wrong this time (see 1918 flu below).

    Will Protests Set Off a Second Viral Wave?

    "People of color have been particularly hard hit, with rates of
    hospitalizations and deaths among black Americans far exceeding those of
    whites."

    Philadelphia Threw a WWI Parade That Gave Thousands of Onlookers the Flu | History | Smithsonian Magazine

    "Within 72 hours of the parade, every bed in Philadelphia's 31 hospitals was
    filled. In the week ending October 5, some 2,600 people in Philadelphia had
    died from the flu or its complications. A week later, that number rose to
    more than 4,500. With many of the city's health professionals pressed into
    military service, Philadelphia was unprepared for this deluge of death."

    "On a single October day, 759 people died in the city and more than 12,000
    Philadelphians would die in a matter of weeks."

    Opinion | Just Stop the Superspreading

    In our study, 20 percent of Covid-19 cases accounted for 80 percent of
    transmissions.

    By Dillon C. Adam and Benjamin J. Cowling June 2, 2020, 6:35 a.m. ET
    Mr. Adam and Prof. Cowling are epidemiologists.

    HONG KONG -- You must have heard about some of these outbreaks; they're
    almost emblematic of the Covid-19 pandemic by now: that megachurch in South
    Korea, meatpacking plants in the United States, a wedding in Jordan,
    funerals around the world.

    You've also probably heard of SARS-CoV-2's R0 (R-naught), or basic
    reproductive number, the average number of people to whom an infected
    person passes on a new virus when no measures to contain it have been
    taken. This coronavirus's R0 is thought to range between 2 and 3; an
    epidemic is curbed when that figure drops below 1, the replacement
    rate.

    But that figure has limitations: It doesn't convey the vast range between
    how much some infected people transmit the virus and how little others do.

    This is why epidemiologists also look at a virus's dispersion factor, known
    as "k," which captures that range and so, too, the potential for
    superspreading events. To simplify: The fewer the number of cases of
    infection responsible for all transmissions, the lower k generally is
    (though other factors, like the R0, also are relevant).

    Why do some COVID-19 patients infect many others, whereas most don’t spread the virus at all?

    In the case of SARS-CoV-2, evidence is growing that superspreading is a
    hugely significant factor of total transmission.

    Take Hong Kong, which as of June 2 had 1,088 confirmed or probable cases
    (and four deaths), for a population of about 7.5 million. The city has
    managed to largely suppress local outbreaks of Covid-19 without a lockdown
    or mandatory blanket stay-at-home orders, favoring instead a strategy of
    testing people suspected of being infected, tracing and quarantining their
    contacts and isolating confirmed cases in the hospital -- coupled with
    outright bans or other restrictions on large social gatherings.

    After these measures were progressively relaxed in recent weeks, a new
    outbreak of seven cases, possibly a superspreading event, has been reported
    over the past few days: Three are employees of a food-packing company; the
    other four live in the same housing estate as one of the employees.

    We recently published a preprint (a preliminary paper, still to be
    peer-reviewed) about 1,038 cases of SARS-CoV-2 in Hong Kong between Jan. 23
    and April 28 that, using contact-tracing data, identified all local clusters
    of infection.

    Clustering and superspreading potential of severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) infections in Hong Kong

    We found that superspreading has overwhelmingly contributed to the
    transmission of SARS-CoV-2 in the city overall.

    Of the 349 local cases we identified -- the remaining 689 cases were
    imported from other territories -- 196 were linked to just six
    superspreading events. One person alone appears to have infected 73
    individuals after frequenting several bars in late March. Weddings, temples,
    hot-pot dinners, work parties and karaoke venues featured in the other
    clusters.

    In our study, just 20 percent of cases, all of them involving social
    gatherings, accounted for an astonishing 80 percent of transmissions.
    (That, along with other things, suggests that the dispersion factor, k, of
    SARS-CoV-2 is about 0.45).

    Another 10 percent of cases accounted for the remaining 20 percent of
    transmissions -- with each of these infected people on average spreading the
    virus to only one other person, maybe two people. This mostly occurred
    within households.

    No less astonishing was this corollary finding: Seventy percent of the
    people infected did not pass on the virus to anyone.

    Now you might be wondering if our study, or the experience of Hong Kong,
    with its small number of total infections, is more broadly
    representative. We think so.

    An analysis of early cases in the city of Wuhan, China, the site of the
    original outbreak, published by researchers in Switzerland in late January,
    was inconclusive about the frequency of superspreading. But more and more
    studies support the conclusion that in places other than Hong Kong, too,
    superspreading is a major driver of overall transmission.

    A study published in The Lancet in late April, based on data from Shenzhen,
    southern China, about suspected cases among travelers from around Wuhan,
    concluded that 80 percent of transmissions were caused by 8-9 percent of
    cases.

    Another (also peer-reviewed) paper from late April found that 94 out of 216
    employees on the 11th floor of a crowded call center in South Korea likely
    were infected by a single index case in late February and early March.

    A recent preprint (not yet peer-reviewed) about 212 Covid-19 cases in Israel
    between late February and late April traced 80 percent of the transmissions
    back to just 1-10 percent of cases.

    According to mathematical modeling by Akira Endo, of the London School of
    Hygiene and Tropical Medicine, and others, about 10 percent of SARS-CoV-2
    cases might account for 80 percent of transmissions worldwide (and the virus
    might have a dispersion factor, k, of about 0.1).

    With other coronaviruses like SARS and MERS as well, a small group of
    superspreaders was responsible for a large majority of all transmissions.

    During the SARS outbreak of 2002-03, hospitals, airplanes and densely
    populated housing complexes were all implicated in large superspreading
    events.

    A 2005 study of SARS cases in Singapore -- considered seminal in the field
    -- found that just 6 percent of cases accounted for 80 percent of all
    transmissions, while 73 percent of infected people appeared not to have
    spread the infection. The k factor seemed to be about 0.16.

    In Hong Kong, one patient is thought to have infected 138 people in a single
    hospital during two to three weeks in March 2003; a cluster of 331
    infections was traced back to a single resident in the Amoy Gardens housing
    complex.

    For MERS, which first surfaced in Saudi Arabia in 2012, about 14 percent of
    cases are thought to have accounted for 80 percent of transmissions, with
    k=0.26, and most MERS superspreading events have been linked to hospitals.

    This data in turn raise this crucial question: Why are some cases
    superspreaders and others not?

    Superspreading is a complex phenomenon, and it depends on several factors:
    an infected person's degree of infectiousness, the length of other people's
    exposure to them, the setting of that exposure.

    We are not aware of any study having been published that identifies
    individual characteristics that might account for an infected person's
    degree of infectiousness or could otherwise help predict who may be a
    superspreader.

    This much, though, is known: The infectiousness of SARS-CoV-2 appears to
    peak within the first few days of the onset of Covid-19 symptoms and then
    decrease with time. That said, one can be contagious before displaying
    symptoms or without ever displaying any symptoms. (Hence the importance of
    face masks.)

    It stands to reason, too, that a highly contagious person is more likely to
    spread the infection in a crowd (at a wedding, in a bar, during a sporting
    event) than in a small group (within their household), and when contact is
    extensive or repeated.

    Transmission is more likely during gatherings indoors than outdoors. Simply
    ventilating a room can help. We believe that with the South Korean
    call-center cluster, the essential factor of transmission was the extent of
    time spent in a crowded office area.

    Also consider this counterexample: Japan. The government recently lifted a
    state of emergency after controlling its epidemic without having put in
    place any stringent social distancing measures or even doing much
    testing. Instead, it relied on largely voluntary measures encouraging people
    to stay at home and advice to avoid overcrowding in public venues.

    In essence, Japan adopted an anti-superspreading strategy. The approach was
    targeted at limiting what some researchers from Tohoku University have
    called the "three Cs": closed spaces, crowds and close contacts.

    We believe that despite Japan's success so far, Hong Kong's suppression
    strategy, which includes testing and contact-tracing as well, is preferable
    in the long run, if only because it's better preparation for any future
    outbreaks.

    But the record in both places, and elsewhere, points to the same conclusion:
    It's not just that superspreading events are happening with SARS-CoV-2; they
    appear to be driving much of the pandemic.

    This fact is alarming and reassuring at the same time.

    It's alarming because it suggests a virus swift and efficient, and so
    seemingly unstoppable.

    But the considerable role of superspreading in this pandemic should be
    reassuring, too, because it also suggests a way to stop SARS-CoV-2 that is
    both less onerous and more effective than many of the strategies that have
    been pursued so far.

    The epidemic's growth can be controlled with tactics far less disruptive,
    socially and economically, than the extended lockdowns or other extreme
    forms of social distancing that much of the world has experienced over the
    past few months.

    Forget about maintaining -- or, if infections resurge, resuming -- sweeping
    measures designed to stem the virus's spread in all forms. Just focus on
    stopping the superspreading.

    Dillon C. Adam is a visiting research fellow at the University of Hong
    Kong, where Benjamin J. Cowling is a professor of infectious disease
    epidemiology.

    ------------------------------

    Date: Wed, 03 Jun 2020 21:29:04 +0200
    From: "Diego.Latella" <diego....@isti.cnr.it>
    Subject: The Militarization of Artificial Intelligence
    (UNODA, Stanley Center, Stimson Center)

    The Militarization of Artificial Intelligence
    (The Militarization of Artificial Intelligence – UNODA)
    Melanie Sisson - Defense Strategy and Planning Program Stimson Center
    Jennifer Spindel - University of New Hampshire
    Paul Scharre - Center for a New American Security
    China Arms Control and Disarmament Association
    Vadim Kozyulin - PRI Center (Russian Center for Policy Research)
    United Nations Office for Disarmament Affairs, the Stanley Center
    for Peace and Security, and the Stimson Center.
    June 3, 2020

    The link is also available on the "Computers: National security, War, and
    Civil Rights" page of the USPID web site (www.uspid.org).

    ------------------------------

    Date: Tue, 02 Jun 2020 18:36:12 +0200
    From: "Diego.Latella" <diego....@isti.cnr.it>
    Subject: Limits on Autonomy in Weapon Systems (SIPRI)

    Vincent Boulanin, Neil Davison, Netta Goussac and Moa Peldán Carlsson Limits
    on Autonomy in Weapon Systems: Identifying Practical Elements of Human
    Control, SIPRI, ICRC June 2020
    https://www.sipri.org/sites/default/files/2020-06/2006_limits_of_autonomy_0.pdf

    Accessible also from the USPID web site (www.uspid.org) at page
    "Computers: National security, War, and Civil Rights"
    (http://uspid.org/compwa.html)

    ------------------------------

    Date: Mon, 1 Jun 2020 17:45:09 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: White nationalist group posing as antifa called for violence on
    twitter (NBC News)

    https://www.nbcnews.com/tech/securi...-protest-disinformation-bot-behavior-n1221456

    ------------------------------

    Date: Tue, 2 Jun 2020 00:34:48 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Re: Minnesota is now using contact tracing to track protestors,
    as demonstrations escalate (Vox)

    Minnesota law enforcement isn't contact-tracing protesters, despite an
    official's comment.

    The appropriation of the term could undermine public health efforts.

    https://www.vox.com/recode/2020/6/1/21277393/minnesota-protesters-contact-tracing-covid-19

    ------------------------------

    Date: Wed, 3 Jun 2020 10:09:52 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: Resuscitate The Internet Fairness Doctrine (The Hill)

    John -- I agree with your arguments [well, The Hill's. PGN]

    Constructing a machine to auto-cook speech labels for politicians of every
    stripe and flavor, let alone for any/all Twitter subscribers? A current
    impossibility, unless one is prepared to accept high error rates for
    contextual and semantic interpretation with unpredictable latency.

    Selling confusion, falsehood and inaccuracy to the public has always
    tarnished political speech. Harry S. Truman said, "If you can't convince
    them, confuse them!" The volume and frequency of confusing political
    messages, at times, comprises a nefarious torrent.

    Section 230 of the Communications Decency Act establishes an explicit
    platform exemption: "No provider or user of an interactive computer service
    shall be treated as the publisher or speaker of any information provided by
    another information content provider."

    Twitter policy on violence or other inflammatory content is quite clear
    (https://help.twitter.com/en/rules-and-policies#general-policies).

    That a Twitter subscriber expresses umbrage when their content is labeled
    demonstrates platform policy enforcement via editorial oversight.

    Does the President's content submission deserve an exemption to Twitter
    policy enforcement? In my opinion, no.

    Technologically, Khanna's ideas are no-ops. If a manually constructed,
    GUI-visible label can squelch a digital bullhorn, an approximate speech
    fairness path already exists.

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.94
    ************************
     
  7. LakeGator

    LakeGator Mostly Harmless Moderator

    Risks Digest 31.95

    RISKS List Owner

    Jun 5, 2020 4:08 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 5 June 2020 Volume 31 : Issue 95

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Lawsuit over online book lending could bankrupt Internet Archive
    (Ars Technica)
    MIT Researchers: If Chips Can't Get Smaller, Programmers Must Get Smarter
    (Srividya Kalyanaraman)
    Programming Languages: Rust Enters Top 20 Popularity Rankings for the First
    Time (Liam Tung)
    Pressure on ZOOM Mounts to Provide End-to-End Encryption (Politico)
    What does cyber-arms control look like? (Andrew Futter)
    Handcrafted phish emails (Dan Jacobson)
    Re: Misinformation About George Floyd Protests Surges on Social Media
    (Amos Shapir)
    Re: Australian Federal Government's automated debt recovery 'Robodebt' was
    illegal (Rodney Parkin)
    Re: REvil Ransomware Gang Starts Auctioning Victim Data (Paul Edwards)
    Surgisphere: governments and WHO changed Covid-19 policy based on suspect
    data from tiny US company (The Guardian)
    UK Failed to Conduct COVID Track/Trace Data Protection Impact Assessment
    (Politico)
    Re: Just Stop the Superspreading (Peter Ladkin, Henry Baker)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: June 5, 2020 at 14:18:40 GMT+9
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Lawsuit over online book lending could bankrupt Internet Archive
    (Ars Technica)

    Publishers call online library *willful digital piracy on an industrial
    scale*.

    Timothy B. Lee, Ars Technica, 1 Jun 2020

    <Lawsuit over online book lending could bankrupt Internet Archive>

    Four of the nation's leading book publishers have sued the Internet Archive,
    the online library best known for maintaining the Internet Wayback
    Machine. The Internet Archive makes scanned copies of books -- both public
    domain and under copyright -- available to the public on a site called the
    Open Library.

    "Despite the Open Library moniker, IA's actions grossly exceed legitimate
    library services, do violence to the Copyright Act, and constitute willful
    digital piracy on an industrial scale," write publishers Hachette,
    HarperCollins, Wiley, and Penguin Random House in their complaint. The
    lawsuit was filed in New York federal court on Monday.

    For almost a decade, the Open Library has offered users the ability to
    "borrow" scans of in-copyright books via the Internet. Until recently, the
    service was based on a concept called "controlled digital lending" that
    mimicked the constraints of a conventional library. The library would only
    "lend" as many digital copies of a book as it had physical copies in its
    warehouse. If all copies of a book were "checked out" by other patrons,
    you'd have to join a waiting list.

    In March, as the coronavirus pandemic was gaining steam, the Internet
    Archive announced it was dispensing with this waiting-list system. Under a
    program it called the National Emergency Library, IA began allowing an
    unlimited number of people to check out the same book at the same time --
    even if IA only owned one physical copy.

    Before this change, publishers largely looked the other way as IA and a few
    other libraries experimented with the digital lending concept. Some
    publishers' groups condemned the practice, but no one filed a lawsuit over
    it. Perhaps the publishers feared setting an adverse precedent if the courts
    ruled that CDL was legal.

    But the IA's emergency lending program was harder for publishers to
    ignore. So this week, as a number of states have been lifting quarantine
    restrictions, the publishers sued the Internet Archive.

    In an email to Ars Technica, IA founder Brewster Kahle described the lawsuit
    as "disappointing."

    "As a library, the Internet Archive acquires books and lends them, as
    libraries have always done," he wrote. "Publishers suing libraries for
    lending books, in this case, protected digitized versions, and while schools
    and libraries are closed, is not in anyone's interest."

    The publishers have a pretty strong case.

    The publishers' legal argument is straightforward: the Internet Archive is
    making and distributing copies of books without permission from copyright
    holders. That's generally illegal unless a defendant can show it is
    authorized by one of copyright law's various exceptions.

    Legal experts tell Ars that the Internet Archive's best response is to
    argue that its program is fair use. That's a flexible legal doctrine that
    has been used to justify a wide range of copying over the decades -- from
    recording television broadcasts for personal use to quoting a few sentences
    of a book in a review. Most relevant for our purposes, the courts have held
    that it is a fair use to scan books for limited purposes such as building a
    book search engine.

    When considering a fair use claim, courts consider several factors,
    including the impact of the use on the market for the original work. A book
    search engine, for example, is not a substitute for reading books but,
    rather, helps readers find new books they might want to buy. This is one of
    the reasons the courts found that book scanning for a search engine was
    legal under fair use.

    But it's harder to come up with compelling arguments that the Internet
    Archive's open-ended lending program is fair use.

    James Grimmelmann, a copyright scholar at Cornell University, told Ars that
    he is withholding judgment until he sees the Internet Archive's
    response. However, he said, "it seems like the publishers have a pretty
    strong case."

    "I think there are arguments for fair use, but they're not terribly strong
    arguments," he said in a Monday phone interview.

    A pandemic exception?

    The Internet Archive would have had a stronger argument if it had continued
    to limit the number of copies that could be lent out. In that scenario, IA
    could argue that the program's impact on the market was little different
    from a conventional library.

    Obviously, a patron who checks out a book from a library is less likely to
    purchase a copy, undermining the market for the book. On the other hand,
    libraries themselves buy many books -- and the more popular a book is, the
    more copies libraries must buy. So the overall impact of libraries on demand
    for books is not clear.

    But once the IA stopped buying a copy of a book for every copy it lent out,
    this argument became a lot weaker. An institution like IA can buy a single
    copy of a book and then "lend" it to dozens, hundreds, or thousands of
    people at the same time. There's little doubt that this has a negative
    impact on the market for new books.

    Instead, the Internet Archive will likely need to make a more novel argument
    -- that the unique circumstances of a pandemic justify allowing types of
    infringement that would be clearly illegal at other times. Grimmelmann
    wasn't able to identify any other cases where courts have made that kind of
    leap.

    ------------------------------

    Date: Fri, 5 Jun 2020 12:14:15 -0400 (EDT)
    From: ACM TechNews <technew...@acm.org>
    Subject: MIT Researchers: If Chips Can't Get Smaller, Programmers Must Get
    Smarter (Srividya Kalyanaraman)

    Srividya Kalyanaraman, American Inno, 4 Jun 2020,
    via ACM TechNews, 5 Jun 2020

    Researchers at the Massachusetts Institute of Technology (MIT) suggest the
    approaching limits of chip miniaturization require future increases in
    computing power to come from software, algorithms, and specialized
    hardware. MIT's Neil Thompson said shrinking processors has been the
    standard approach to growing computer performance for decades, "but the
    nature of computer processing is changing." Performance extension has long
    relied on generic hardware and specialized software, but Thompson suggested
    it may prove more economical to design hardware for executing particular
    tasks, even if speed and other factors must be compromised. He added that
    such an approach initially will be applicable to specific areas like
    supercomputing and quantum computing.
    MIT researchers: If chips can't get smaller, programmers must get smarter

    ------------------------------

    Date: Fri, 5 Jun 2020 12:14:15 -0400 (EDT)
    From: ACM TechNews <technew...@acm.org>
    Subject: Programming Languages: Rust Enters Top 20 Popularity Rankings for
    the First Time (Liam Tung)

    Liam Tung, ZDNet, 2 Jun 2020 via ACM TechNews, 5 Jun 2020

    The Rust programming language has cracked the top 20 rankings of the Tiobe
    popularity index for the first time, amid growing interest in using it for
    systems programming to build major platforms. Microsoft is considering Rust
    for Windows and Azure, aiming to eliminate memory bugs in code authored in C
    and C++; Amazon Web Services is using Rust for performance-sensitive
    elements in Lambda, EC2, and S3. Tiobe ranked Rust in 20th place this year
    versus 38th last year, and although this does not mean more people are using
    Rust, it demonstrates that more developers are searching for information
    about the language. Tiobe software CEO Paul Jansen credited Rust's ascension
    with being a systems programming language that is "done right." He said,
    "All the verbose programming and sharp edges of other languages are solved
    by Rust while being statically strongly typed," which "prevents run-time
    null pointer exceptions, and memory management is calculated compile-time."
    Programming languages: Rust enters top 20 popularity rankings for the first time | ZDNet

    ------------------------------

    Date: 5-Jun-2020 15:48:13-GMT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Pressure on ZOOM Mounts to Provide End-to-End Encryption (Politico)

    Zoom is facing more pressure to expand its use of end-to-end encryption to
    free accounts, which it has said need to be accessible to law enforcement.
    On Thursday, Consumer Reports called on Zoom to change course. ``Privacy is
    a right, not a luxury. If Zoom has the technical capacity to safeguard
    conversations with end-to-end encryption, it should offer the same
    protections for all its users,'' Justin Brookman, Consumer Reports' director
    of privacy and technology policy, said in a statement. Other popular
    conferencing platforms like Verizon's BlueJeans, Google's Meet and Cisco's
    Webex offer varying levels of encryption -- features that have drawn more
    attention since the pandemic forced millions of Americans online for work,
    school, socializing and medical care.

    In the weeks since Zoom announced its encryption plans (Zoom Acquires
    Keybase and Announces Goal of Developing the Most Broadly Used Enterprise
    End-to-End Encryption Offering, Zoom Blog), security experts and consumer
    advocates have urged the videoconferencing giant to extend the new, more
    robust protections to free accounts, not just paid ones. Instead, the
    company has stood by its plan, citing the need to monitor meetings that are
    used to share child sexual abuse material and engage in other illegal
    behavior. ``Zoom is dealing with some serious safety issues,'' said Alex
    Stamos, a former Facebook chief information security officer who is now
    advising Zoom on security. Zoom faces ``a difficult balancing act,'' Stamos
    added, by ``trying to both improve the privacy guarantees it can provide
    while reducing the human impact of the abuse of its product.''

    ------------------------------

    Date: Thu, 04 Jun 2020 17:19:48 +0200
    From: "Diego.Latella" <diego....@isti.cnr.it>
    Subject: What does cyber-arms control look like? (Andrew Futter)

    Four principles for managing cyber-risk, European Leadership Network [1],
    4 Jun 2020
    Andrew Futter [2] - Associate Professor in International Politics at
    the University of Leicester
    European Leadership Network [3]

    I don't quite know whether it is especially computer science or its
    subdiscipline Artificial Intelligence that has such an enormous affection
    for euphemism. We speak so spectacularly and so readily of computer systems
    that understand, that see, decide, make judgments, and so on, without
    ourselves recognizing our own superficiality and immeasurable naivete with
    respect to these concepts. And, in the process of so speaking, we
    anesthetise our ability to evaluate the quality of our work and, what is
    more important, to identify and become conscious of its end use. […] One
    can't escape this state without asking, again and again: "What do I actually
    do? What is the final application and use of the products of my work?" and
    ultimately, "am I content or ashamed to have contributed to this use?" --
    Prof. Joseph Weizenbaum ["Not without us", ACM SIGCAS 16(2-3) 2--7, Aug 1986]

    [1] What does cyber arms control look like? Four principles for managing cyber risk
    [2] Dr Andrew Futter
    [3] Home
    [4] ISTI::Home Page

    ------------------------------

    Date: Fri, 05 Jun 2020 00:54:06 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Handcrafted phish emails

    I received one of those evil emails:

    "Your Email Account was just signed in on a new Windows device from this
    IP 114.058.33.178."

    Hey wait, wouldn't that be
    114.058.033.178 or
    114.58.33.178 ?

    Sounds kinda hand crafted.

    ------------------------------
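
    Dan Jacobson's observation above (an octet padded with a leading zero, and
    padded inconsistently at that) is a cheap, mechanical check that a mail
    filter or a triage script can make: software that formats an IPv4 address
    never emits a leading zero in an octet, so a literal like 114.058.33.178 is
    a strong hint that the "security alert" was typed by hand. The following is
    an added example, not code from the post; the sample message is constructed
    to mirror the quoted notice, and the function names are the example's own.

```python
import re

# Constructed sample, modelled on the notice quoted in the post (not the real mail).
SAMPLE_PHISH = (
    "Your Email Account was just signed in on a new Windows device from this "
    "IP 114.058.33.178."
)

# Four groups of 1-3 digits separated by dots; word boundaries keep us off
# version strings like 1.2.3.4567.
DOTTED_QUAD = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def find_suspicious_ips(text):
    """Return (literal, reason) for every dotted-quad in `text` that a machine
    would not have produced.

    inet_ntoa-style formatters write each octet as a plain decimal with no
    padding (114.58.33.178).  A leading zero therefore means a human typed the
    address, and some parsers would even read 058 as octal, so such literals
    deserve a flag regardless of what the rest of the message says.
    """
    findings = []
    for match in DOTTED_QUAD.finditer(text):
        octets = match.groups()
        reasons = []
        if any(int(o) > 255 for o in octets):
            reasons.append("octet out of range")
        padded = [o for o in octets if len(o) > 1 and o.startswith("0")]
        if padded:
            reasons.append("leading zero in octet(s) " + ", ".join(padded))
        # 114.058.33.178 pads one octet to three digits but leaves another at two.
        if padded and len({len(o) for o in octets}) > 1:
            reasons.append("inconsistent zero padding")
        if reasons:
            findings.append((match.group(0), "; ".join(reasons)))
    return findings


def canonical_form(literal):
    """Strip leading zeros from a dotted-quad; None if it is not a valid IPv4."""
    parts = literal.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    values = [int(p) for p in parts]
    if any(v > 255 for v in values):
        return None
    return ".".join(str(v) for v in values)


if __name__ == "__main__":
    for literal, reason in find_suspicious_ips(SAMPLE_PHISH):
        print(f"{literal}: {reason} (canonical: {canonical_form(literal)})")
```

    The check is deliberately narrow: it says nothing about whether the address
    is malicious, only that the text was not produced by the kind of automated
    notification it imitates, which is the point of the post.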

    Date: Thu, 4 Jun 2020 11:57:36 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Misinformation About George Floyd Protests Surges on Social
    Media (RISKS-31.94)

    Fight back!

    In the current climate of disrespect of decency and reason, it seems that
    too many people take an attitude of "Who cares if global warming /
    vaccination / moon landing is the result of hard work by tens of thousands
    of people over decades -- we know better because we have read an Internet
    post!"

    Things like the Flat Earth society have been viewed as harmless weirdness,
    but no more; such ideas had already spilled into the real world and are
    causing real damage and even loss of lives. It's time to fight back.

    Fighting back does not require overt actions like Buzz Aldrin's punching
    the face of a moon landing denier; it's as simple as clicking "reply". I
    have taken to replying to any conspiracy-related post sent to me on social
    media and mail, specifically those forwarded by friends and colleagues.
    It's rather easy to find the correct information, either from sites like
    *Snopes*, or more often, by just clicking the links included in the message
    itself -- almost always, the article's contents contradict the post's
    headline.

    I always urge posters to read the articles, not the headlines. "Don't send
    me such posts, I actually click the links!"... A link to a scientific
    article posted as "Scientists Show Global Warming is a Hoax" leads to
    research which definitely supports the global warming idea; and an article
    labeled "Soros is out to Destroy America" reveals that his greatest crime is
    "using his money to support candidates he favors".

    I might be considered a nuisance, but this method greatly reduces the
    volume of nonsense on my feeds, and hopefully contributes just a bit to
    reduce the trend.

    ------------------------------

    Date: Thu, 4 Jun 2020 12:15:48 +1000
    From: <rodney...@spitbrook.net>
    Subject: Re: Australian Federal Government's automated debt recovery
    'Robodebt' was illegal (RISKS-31.94)

    To add some context for non-Australian readers, the scheme made 2
    fundamental errors.

    Firstly, it tried to automatically match income tax returns (which are
    assessed on an annual basis), with social security payments (which are
    assessed on a fortnightly basis). It was assumed that the recipient's
    fortnightly income was 1/26 of their annual income. But take, for example, a
    low income worker with casual work from time to time. In slow 2-week
    periods they might be entitled to social security payments, but in better
    2-week periods little or no support. By assuming their fortnightly income
    was 1/26 of their annual income, the conclusion was often (but incorrectly)
    made that their social security had been overpaid in the slow times.

    Secondly, it sent letters of demand putting the onus of proof onto the
    recipient, where the recipient had little or no ability to provide such
    proof. For example, the claims often related to payments made years before
    - long after the recipient would have retained any records. Further, the
    letters offered no detail on how the "overpayment" was determined - the
    recipient was given almost no information about which payments were in
    dispute nor how the "overpayment" amounts had been calculated. The recipients
    often didn't even know what data was in dispute, let alone have access to
    the records that would allow them to prove their position.

    The government embarked on a massive bluff against members of the community
    least able to defend themselves. It was clear at the time that it was
    unreasonable, and it is no surprise that it was eventually reversed.

    ------------------------------
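
    The first error Rodney Parkin describes (treating every fortnight as 1/26 of
    the annual total) can be shown in a few lines. What follows is an added
    illustration, not code from the post or from the scheme: the means-test rule
    is constructed for the example and is not the actual Australian payment
    formula, and the income figures are made up. The point it demonstrates goes
    slightly beyond the post: for a rule of this shape (entitlement convex in
    income) the averaging error is one-sided, so it can only ever allege a debt,
    never discover an underpayment.

```python
def fortnightly_entitlement(income, max_rate=600.0, taper=0.5):
    """Constructed means-tested payment for one fortnight (hypothetical rule):
    the full rate, reduced by `taper` per dollar of income, floored at zero."""
    return max(0.0, max_rate - taper * income)


def entitlement_from_fortnightly_records(incomes):
    """What the recipient was actually entitled to, assessed period by period,
    which is how the payment itself is assessed."""
    return sum(fortnightly_entitlement(x) for x in incomes)


def entitlement_from_annual_average(incomes):
    """What the data-matching scheme assumed: spread the annual tax-return
    total evenly over the periods, then assess every period at that average."""
    average = sum(incomes) / len(incomes)
    return fortnightly_entitlement(average) * len(incomes)


def alleged_overpayment(incomes):
    """Debt the averaging method would raise against the recipient.

    Because fortnightly_entitlement is convex in income, the mean of the
    per-period entitlements is never below the entitlement at the mean income
    (Jensen's inequality), so this value is never negative: averaging can only
    understate what was owed, never overstate it.
    """
    return (entitlement_from_fortnightly_records(incomes)
            - entitlement_from_annual_average(incomes))


# Constructed casual worker: nothing in half the fortnights, $1,600 in the rest.
CASUAL_WORKER = [0.0, 1600.0] * 13
# Constructed steady worker with the same annual total, earned evenly.
STEADY_WORKER = [800.0] * 26

if __name__ == "__main__":
    for name, incomes in (("casual", CASUAL_WORKER), ("steady", STEADY_WORKER)):
        print(f"{name}: entitled {entitlement_from_fortnightly_records(incomes):.0f}, "
              f"averaging says {entitlement_from_annual_average(incomes):.0f}, "
              f"alleged debt {alleged_overpayment(incomes):.0f}")
```

    Both constructed workers declare the same annual income, so the tax return
    cannot tell them apart; only the steady worker's debt comes out as zero.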

    Date: Thu, 4 Jun 2020 11:01:11 +1000
    From: Paul Edwards <pa...@cathicolla.com>
    Subject: Re: REvil Ransomware Gang Starts Auctioning Victim Data
    (RISKS-31.94)

    This is fascinating. Effectively these guys are packaging up bad debt and
    selling it. It just happens that the collateral against that debt is data
    rather than a house, car, or boat. I wonder if the auction is a fraction of
    the extortion demanded. Will we have a GDC (Global Data Crisis)? What next?
    Data futures contracts? :)

    Paul (with tongue slightly in cheek)

    ------------------------------

    Date: Fri, 5 Jun 2020 00:33:42 -0400
    From: Gabe Goldberg <ggol...@apcug.org>
    Subject: Surgisphere: governments and WHO changed Covid-19 policy
    based on suspect data from tiny US company (The Guardian)

    Surgisphere, whose employees appear to include a sci-fi writer and adult
    content model, provided database behind Lancet and New England Journal of
    Medicine hydroxychloroquine studies

    The World Health Organization and a number of national governments have
    changed their Covid-19 policies and treatments on the basis of flawed data
    from a little-known U.S. healthcare analytics company, also calling into
    question the integrity of key studies published in some of the world’s most
    prestigious medical journals.

    A Guardian investigation can reveal the U.S.-based company Surgisphere,
    whose handful of employees appear to include a science fiction writer and an
    adult-content model, has provided data for multiple studies on Covid-19
    co-authored by its chief executive, but has so far failed to adequately
    explain its data or methodology.

    Data it claims to have legitimately obtained from more than a thousand
    hospitals worldwide formed the basis of scientific articles that have led to
    changes in Covid-19 treatment policies in Latin American countries. It was
    also behind a decision by the WHO and research institutes around the world
    to halt trials of the controversial drug hydroxychloroquine. On Wednesday,
    the WHO announced those trials would now resume.

    Two of the world's leading medical journals -- the Lancet and the New
    England Journal of Medicine -- published studies based on Surgisphere
    data. The studies were co-authored by the firm's chief executive, Sapan
    Desai.

    Late on Tuesday, after being approached by the Guardian, the Lancet released
    an `expression of concern' about its published study. The New England
    Journal of Medicine has also issued a similar notice.

    An independent audit of the provenance and validity of the data has now been
    commissioned by the authors not affiliated with Surgisphere because of
    ``concerns that have been raised about the reliability of the database.''

    https://www.theguardian.com/world/2...-world-health-organization-hydroxychloroquine

    ------------------------------

    Date: Fri, 5 Jun 2020 11:40:30 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: UK Failed to Conduct COVID Track/Trace Data Protection Impact
    Assessment (Politico)

    U.K. FACING COMPLAINT OVER LACK OF DATA PROTECTION SAFEGUARDS -- Privacy
    advocates have filed a complaint with the U.K. data protection authority for
    failing to conduct a data protection impact assessment for its coronavirus
    track-and-trace program. ``The Government is moving too fast, and breaking
    things as a result,'' James Killock of the Open Rights Group said. Ravi
    Naik, the lawyer assisting Killock with the complaint, said that deploying
    the tracing program without implementing the proper safeguards is a
    *disaster*.

    <https://www.politico.eu/article/uk-test-trace-privacy-data-impact-assessement/>

    ------------------------------

    Date: Thu, 4 Jun 2020 09:52:23 +0200
    From: Peter Bernard Ladkin <lad...@causalis.com>
    Subject: Re: Just Stop the Superspreading (Baker, Risks 31-94)

    In Risks 31-94, Henry Baker says that "The NYTimes article below attributes
    the bulk of COVID19 spread to 'superspreaders' and 'superspreading
    events'."

    Indeed so, but better to cite the source. This info is three months old
    already, from the London School of Hygiene and Tropical Medicine Centre for
    Mathematical Modelling of Infectious Diseases (LSHTM CMMID). It has recently
    been confirmed in two preprints from late May.

    The technical expression is that the disease has an overdispersion parameter
    value of about 0.1, according to the CMMID estimate. (The parameter is
    usually denoted as "k".)

    Baker drew attention in Risks 31.84 to a mathematical situation with
    significant overdispersion even with a low basic reproduction number. He
    seemed to want to turn that exercise into a critique of the concept of R0 in
    particular and SIR models in general, which puzzled me. As far as I know,
    the CMMID result was obtained with an SIR model.

    The published source is Endo et al.,
    https://wellcomeopenresearch.org/articles/5-67 . This article was available
    in preprint first on March 11, 2020 at
    https://cmmid.github.io/topics/covid19/

    The k value has been recently confirmed by an Israeli preprint about a
    different group of cases, Miller et al, 2020-05-22
    https://www.medrxiv.org/content/10.1101/2020.05.21.20104521v1 and by a
    preprint from Hong Kong, Adam et al
    https://www.researchsquare.com/article/rs-29548/v1 from 2020-05-21 (Baker
    extensively quotes an NYT opinion article from Adam and co-author Cowling).

    The result, that most of the infection comes from superspreading, deriving
    directly from the k value of around 0.1, seems now to be generally
    accepted. German government advisor, virologist Christian Drosten, mentioned
    it in his podcast last week
    https://www.ndr.de/nachrichten/info/podcast4684.html (in German), and Oxford
    epidemiologist David Hunter in a Guardian opinion piece
    https://www.theguardian.com/comment...ronavirus-infection-rate-too-high-second-wave

    Prof. Peter Bernard Ladkin, Bielefeld, Germany Styelfy Bleibgsnd
    www.rvs-bi.de

    ------------------------------

    Date: Thu, 04 Jun 2020 08:53:22 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: Just Stop the Superspreading (Ladkin, RISKS-31.95)

    Once again, Peter Ladkin is misinterpreting my criticism of "R0"-based
    models.

    The problem is a fundamental *logical* problem: if one uses an English term
    "*THE* R0", it presumes that there is such a more-or-less well-defined
    "number" which is named "R0". But as I have argued, and continue to argue,
    there is *NO* such individual "number" in the case of superspreaders, since
    the *variance* associated with this "number" is so large.

    Perhaps the best analogy comes from quantum physics. Classical physics
    presumed the independent existence of "position" and "momentum" of a
    particle, but quantum physics showed that any such notions quickly lead to
    contradictions with actual experiments, so any attempt to utilize terms like
    "THE position" or "THE momentum" demonstrates conclusively the lack of
    understanding by the speaker of the true nature of the situation in our
    actual quantum world.

    For example, the phrase "THE position" of an electron surrounding the proton
    in a hydrogen atom demonstrates conclusively the ignorance of the speaker of
    the concepts of quantum mechanics. Ditto with "THE orbit", "THE momentum",
    etc.

    Similarly, any use of the phrase "THE reproduction number" demonstrates
    conclusively the ignorance of the speaker of the concept of
    "superspreaders".

    For fifty years after Heisenberg, logicians, reporters and popular science
    writers destroyed entire forests trying to describe quantum physics using
    *classical* physical terminology; they failed miserably and only produced
    more confusion. Even Einstein himself -- whose paper on the *quantum*
    nature of the photoelectric effect won him his Nobel Prize -- was never able
    to become comfortable with the 'spooky action at a distance' nature of
    quantum mechanics. Einstein couldn't force the reality of quantum mechanics
    onto the Procrustean bed of existing naive concepts and words.

    Similarly the COVID19 pandemic is causing the destruction of entire virtual
    forests by talking fat(uous) heads, reporters and popular science writers
    trying to explain what "THE" reproduction number is, when the demonstrated
    existence of superspreaders -- e.g., the Boston hotel event, a NY bat
    mitzvah, or a choir practice -- proves that there is NO single reproduction
    number which can provide any intuition for clear thinking about what is
    going on with this pandemic.

    If the confusion were restricted to non-scientists, such logical errors
    might be excused. Unfortunately, some "scientists" were successful at
    convincing many politicians to panic due to fatally flawed "models" whose
    outputs had confidence intervals that wouldn't fit into their conference
    room, much less onto their slides (apologies to XKCD:
    https://m.xkcd.com/2311/).

    U.S. President Lincoln was well aware of how improper usage of words can
    lead to logical errors. When Lincoln was asked "how many legs does a dog
    have if you call his tail a leg?", Lincoln quickly replied, "Four; saying
    that a tail is a leg doesn't make it a leg."

    ------------------------------

    End of RISKS-FORUM Digest 31.95
    ************************
     
  8. LakeGator

    Risks Digest 31.96

    RISKS List Owner

    Jun 7, 2020 6:32 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Sunday 7 June 2020 Volume 31 : Issue 96

    Contents:
    The Results Are in for Remote Learning: It Didn't Work (MSN)
    Complex Debate Over Silicon Valley's Embrace of Content Moderation (NYTimes)
    Engineering screwup turns Golden Gate Bridge into creepy wind siren
    (BoingBoing)
    Robot dog hounds Thai shoppers to keep hands virus-free (yahoo)
    Singapore plans wearable virus-tracing device for all (Reuters)
    Even Scientists Funded by Zuckerberg Are Dragging Facebook for Its Hypocrisy
    (Gizmodo)
    Re: Australian Federal Government's automated debt recovery (Attila ...)
    Re: Misinformation About George Floyd Protests Surges on Social Media
    (Bob Wilson, Attila ...)
    Re: Just Stop the Superspreading (Martin Ward, Henry Baker)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 7 Jun 2020 14:43:17 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: The Results Are in for Remote Learning: It Didn't Work (MSN)

    The Results Are in for Remote Learning: It Didn't Work

    The problems began piling up almost immediately. There were students
    [without computers and] Internet access. Teachers had no experience with
    remote learning. And many parents weren't available to help. In many
    places, lots of students simply didn't show up online, and administrators
    had no good way to find out why not. Soon many districts weren't requiring
    students to do any work at all, increasing the risk that millions of
    students would have big gaps in their learning. "We all know there's no
    substitute for learning in a school setting, and many students are
    struggling and falling far behind where they should be," said Austin
    Beutner, superintendent of the Los Angeles Unified School District, in a
    video briefing to the community on Wednesday.

    [Perhaps it could have been done much better, although not on such short
    notice. But I think we all agree -- there is no substitute for daily
    human interactions in a knowledge-based environment. PGN]

    ------------------------------

    Date: Sat, 6 Jun 2020 07:35:22 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Complex Debate Over Silicon Valley's Embrace of Content Moderation
    (NYTimes)

    Many in tech cheered when Twitter added labels to President Trump's tweets.
    But civil libertarians caution that social media companies are moving into
    uncharted waters.

    The Complex Debate Over Silicon Valley’s Embrace of Content Moderation

    ------------------------------

    Date: Sat, 6 Jun 2020 16:03:54 -0400
    From: Gabe Goldberg <ggol...@apcug.org>
    Subject: Engineering screwup turns Golden Gate Bridge into creepy wind siren
    (BoingBoing)

    After work on the Golden Gate Bridge's sidewalks to bolster their wind
    resistance, nearby residents of San Francisco are complaining that the 1.7
    mile-long structure makes a creepy droning noise when it's windy. The
    mysterious and unsettling tone is heard in videos posted by Alberto
    Martinez, Mark Krueger and @reedm. It's a spectacular example of engineering
    neglect.

    Engineering screwup turns Golden Gate Bridge into creepy wind siren

    ------------------------------

    Date: Sat, 6 Jun 2020 10:49:46 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Robot dog hounds Thai shoppers to keep hands virus-free (yahoo)

    Robot dog hounds Thai shoppers to keep hands virus-free

    "I think the execution, like the robot itself, is a bit scary," the
    29-year-old said, though she admitted that giving out hand sanitiser is a
    "good idea".

    Muzzle the mandible-equipped model.

    ------------------------------

    Date: Fri, 5 Jun 2020 17:25:49 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Singapore plans wearable virus-tracing device for all (Reuters)

    Singapore plans to give a wearable device that will identify people who had
    interacted with carriers of coronavirus to each of its 5.7 million
    residents, in what could become one of the most comprehensive
    contact-tracing efforts globally.

    Testing of the small devices, which can be worn on the end of a lanyard or
    carried in a handbag, follows limited take-up of an earlier smartphone-based
    system and has further fueled privacy concerns about contact tracing
    technology.

    The tiny city-state, with one of the highest COVID-19 caseloads in Asia, is
    one of many countries trying to use technology to allow them to safely
    reopen their economies.

    Singapore will soon roll out the device, which does not depend on a
    smartphone, and ``may then distribute it to everyone in Singapore,'' Vivian
    Balakrishnan, the minister in charge of the city-state's smart nation
    initiative, said on Friday. [...]

    Singapore plans wearable virus-tracing device for all

    ------------------------------

    Date: Sun, 7 Jun 2020 14:52:55 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Even Scientists Funded by Zuckerberg Are Dragging Facebook for Its
    Hypocrisy (Gizmodo)

    Even Scientists Funded by Zuckerberg Are Dragging Facebook for Its Hypocrisy

    ------------------------------

    Date: Sun, 7 Jun 2020 08:31:48 +0100
    From: Attila the Hun <attilath...@tiscali.co.uk>
    Subject: Re: Australian Federal Government's automated debt recovery
    'Robodebt' was illegal (RISKS-31.95)

    Rodney Parkin should remember Hanlon's razor.

    My experience of various governments (the administrative parts) consistently
    demonstrated "stupidity" when designing systems. This word is better
    characterised as: "ignorance of the reality" and "inability to consider
    'out-of-the-box' situations". Government projects, especially where
    computer programs are involved, provide a rich seam for RISKS' contributors
    to mine.

    ------------------------------

    Date: Fri, 5 Jun 2020 21:52:20 -0500
    From: Bob Wilson <wil...@math.wisc.edu>
    Subject: Re: Misinformation About George Floyd Protests Surges on Social
    Media (Shapir, RISKS-31.94)

    Shapir's excellent comments connect to research on "news finds me",
    e.g., those people who say

    > "we know better because we have read an Internet post!"

    Recent research papers tell us that the people most likely to believe
    conspiracy theories are those who don't read (on paper, online, etc.)
    articles about a topic. They believe that anything that matters will find
    them, via channels such as social media groups, rather than their having to
    look for news at all. One paper that is available online is by Michael
    Wagner and John Foley. Once you "know" that reports contrary to your
    beliefs derive from conspiracies, no amount of presenting facts and rational
    arguments will change those beliefs.

    How media consumption patterns fuel conspiratorial thinking

    ------------------------------

    Date: Sun, 7 Jun 2020 08:30:52 +0100
    From: Attila the Hun <attilath...@tiscali.co.uk>
    Subject: Re: Misinformation About George Floyd Protests Surges on Social
    Media (RISKS-31.95)

    Since the early days of social media I have been making the point that Amos
    Shapir echoes. Headlines, in both mainstream and social media have become
    increasingly hyperbolic, seldom more so than when a "cause" or disaster is
    involved. With no apologies to the coronavirus pandemic, there is a
    long-standing saying in the media, that the headline: "Small Earthquake In
    China, Not Many Dead" does not sell newspapers. Consequently, editors have
    always chosen snappier phrases, which sometimes misrepresent the real story.

    That seems to have become somewhat of the norm these days, especially so on
    social media such as Facebook, Twitter and even LinkedIn.

    Contributors (I would not demean the role of an Editor by giving the authors
    that title) now trade on their readers (and I hesitate to use that
    description) not looking beyond the headline. Only a vanishing few now read
    below the fold.

    Anecdote: many moons ago I found myself seated next to the retired British
    Prime Minister, Sir Ted Heath on a Concorde flight to Miami (he was going to
    watch the Superbowl, I was heading to Bogota in a hurry). He read the
    broadsheets from masthead to imprimatur and I commented to him that he must
    now have a Catholic view of the news. His reply was at the same time both
    stunning and bleedin' obvious, so much so that I recall it verbatim, and is
    highly relevant in this context.

    He said: "It has been my delight since leaving office, to read the
    newspapers for myself. When I was Prime Minister, I received two digests of
    the news: one prepared by the Cabinet Office [the Civil Service digest of
    relevant news - MB] and one prepared by my PPS [Parliamentary Private
    Secretary, giving the Conservative Party's digest of relevant news - MB].

    "You know, I could have been Prime Minister of two different countries!"

    ------------------------------

    Date: Sat, 6 Jun 2020 09:31:39 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Just Stop the Superspreading (Baker, RISKS-31.95)

    Unless the variance is *infinitely* large (and extensive scientific evidence
    gathered over the last few months proves this not to be the case), then the
    concept of R0 is indeed well-defined and R0 does indeed have a precise value
    for a given data set: "superspreaders" notwithstanding. The value of R0 is
    analogous to the "expected value" in probability theory: the actual wins and
    losses in a game of chance may vary wildly, but the concept of "expected
    value" is still valid.

    There is no point in continuing to argue that the infection process "might"
    have such a wide variance that the outcome is completely random and
    undeterminable and uncontrollable, and that therefore any model is
    worthless. The data is in: as I wrote in RISKS-31.90, a number of countries
    have taken various actions (those supported by the models that Baker is
    still trying to discredit) and these are beating COVID-19. Other countries
    have failed to take effective action and these still do not have the virus
    fully under control.

    If the model is faulty because the situation is completely random and
    unpredictable (in the chaos theory sense), then there would be no
    correlation between actions taken and outcomes. But by now the correlation
    is plainly there to see in the data:

    Countries beating Covid-19 — EndCoronavirus.org

    The Law of Holes: "If you find yourself in a hole, stop digging!"

    ------------------------------

    Date: Sat, 06 Jun 2020 15:00:29 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: Just Stop the Superspreading (Arthur T., RISKS-31.95)

    [If the experts who read RISKS are having trouble with these concepts,
    then we're all in deep yogurt! Derek Bok, a president of Harvard
    University, said "If you think education is expensive, try ignorance".
    Between the trillion dollar bailout in the Great Recession, and the
    trillion dollar bailout in the Great Pandemic, I'd say that we all just
    paid the highest tuition in history to learn the cost of our ignorance
    regarding heavy/fat tailed distributions. HB]

    Statisticians came up with the terms 'mean', 'median', and 'mode' because
    the term 'average' was ill-defined.

    For 'normal' distributions, 'mean/expected', 'median', and 'mode' coincide,
    so there is less need to disambiguate.

    For (ab)normal distributions, mean/median/mode can vary widely from one
    another, or may not even exist -- e.g., the pathological, but not unusual,
    'Cauchy' distribution ("applications of the Cauchy distribution ... can be
    found in fields working with exponential growth" [Wikipedia]), which has
    neither a *mean/expected value*, nor a *variance*, nor a *standard
    deviation*, thus for the Cauchy distribution (and many other commonly
    occurring distributions) Arthur's phrase "the size of the standard
    deviation" is nonsensical.

    Takeaway: when some distribution is not 'normal', then our INTUITION FAILS
    US. The sign on an abnormal distribution should read: "Abandon all
    intuition, ye who enter here". Something is dreadfully wrong when the
    variance/standard deviation or even the mean/expected value does not exist.
    Even when the mean/'expected value' does exist for such an abnormal
    distribution, it is almost always misleading and/or useless. Perhaps it
    would be more appropriate to call such a mean 'the SUSpected value'! :)

    Indeed, Nassim Taleb has written entire books about the differences between
    'mediocristan' ('normal' distributions) and 'extremistan'
    (heavier-tail-than-normal distributions), and has had unrelenting criticism
    of the financial regulators for their inappropriate use of 'normal' instead
    of 'fat-tailed' distribution models in the run-up to the Great Recession.
    One of Taleb's books has the name 'Fooled by Randomness', which I loosely
    translate as 'Fooled by Ab-Normality'.

    The whole point of the terms mean/median/mode/average is to attempt to
    characterize the 'ordinary/typical/expected' behavior of a system. For many
    systems having 'normal' distributions, these attempts often succeed, mostly
    because the bulk of the density of the distribution is confined within a
    relatively narrow band around the mean/median/ mode/average, and the 'tails'
    of the distribution fall off extremely fast, so the percentage of
    'out-liars' (pun intended) is negligible.

    Thus, e.g., classical thermodynamics works beautifully, because many/most of
    the variables are normally distributed, and with Avogadro's number of
    'independent' variables, these normal distributions are incredibly smooth
    and accurate. Traditional differential equation models are therefore
    appropriate.

    Getting back to 'reproduction rate', we find that in the presence of
    superspreaders, this rate is NOT normally distributed -- indeed, it has
    exceedingly high variance due to its heavier-than-'normal' tail. If such a
    random variable occurred by itself, discussions of 'average' behavior might
    be excused. However, when a symbol like 'R0' appears as the *BASE of an
    exponential function* -- e.g., (R0)^n -- any attempt to describe an
    'ordinary/typical' behavior is nonsensical, because the variance of (R0)^n
    is amplified to effectively infinite proportions (variances nearing the
    magnitude of Avogadro's Number qualify as 'effectively infinite' IMHO).

    We all agree that these pandemic R0-based models are *ill-conditioned*, and
    I have simply pointed out that one of the causes of this ill-conditioning is
    the high variance of the distribution for a 'reproduction number', which
    variance is then amplified by its appearance as the base of an exponential
    function.

    An aside on "policy prescriptions":

    I have studiously avoided any discussion about which policy prescriptions
    should be followed, but I would merely make the comment that if one bases
    one's decision about whether to follow some policy prescription on the
    validity of some scientific statement, then if that statement is shown to be
    false/inaccurate, then such a prescription becomes illogical and
    unsupported.

    Indeed, from a false premise, one can deduce a true conclusion, but in that
    case, all false premises are *logically equivalent*, e.g., "we would predict
    approximately 510,000 deaths in GB" is logically equivalent to "Iraq had
    weapons of mass destruction" is logically equivalent to "the Moon is made of
    green cheese". But NASA didn't spend $1 trillion on the lunar exploration
    program because some 'scientist' swore that the Moon was made of green
    cheese.
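
    The k of about 0.1 cited in Ladkin's post (RISKS-31.95) and the
    mean/median/mode argument in Baker's reply above can both be made concrete
    with the negative-binomial offspring distribution on which superspreading
    estimates of this kind are built: each case infects a random number of
    others with mean R0 and dispersion k, and k -> infinity is the Poisson case
    with no superspreading. The Python below is an added example, not code from
    the RISKS thread or from the papers it cites; R0 = 2.5 is an assumed value
    chosen for illustration, and the function names are the example's own.

```python
"""Offspring distribution of an epidemic with superspreading.

Added example, not from the RISKS thread. Secondary infections per case are
modelled as negative binomial with mean r0 and dispersion k (variance
r0 + r0**2 / k); k -> infinity recovers the Poisson case with no superspreading.
R0 = 2.5 and k = 0.1 are assumed inputs for illustration.
"""
import math


def nb_pmf(x, r0, k):
    """P(X = x) for a negative binomial with mean r0 and dispersion k."""
    log_p = (math.lgamma(x + k) - math.lgamma(k) - math.lgamma(x + 1)
             - k * math.log1p(r0 / k)            # = k * log(k / (k + r0))
             + x * math.log(r0 / (k + r0)))
    return math.exp(log_p)


def distribution(r0, k, tail=1e-10, max_x=100_000):
    """Return [(x, P(X = x))] for x = 0, 1, ... until the omitted mass < tail."""
    pts, cum, x = [], 0.0, 0
    while cum < 1.0 - tail and x < max_x:
        p = nb_pmf(x, r0, k)
        pts.append((x, p))
        cum += p
        x += 1
    return pts


def summary(r0, k, top_fraction=0.2, share_target=0.8):
    """Mean/median/mode of secondary infections, the probability that a case
    infects nobody, the share of all transmission caused by the most infectious
    `top_fraction` of cases, and the fraction of cases that accounts for
    `share_target` of all transmission."""
    pts = distribution(r0, k)
    mean = sum(x * p for x, p in pts)
    mode = max(pts, key=lambda xp: xp[1])[0]

    cum, median = 0.0, None
    for x, p in pts:                      # smallest x with P(X <= x) >= 1/2
        cum += p
        if cum >= 0.5:
            median = x
            break

    # Walk the cases from most to least infectious, splitting the last
    # probability mass proportionally where a threshold falls inside it.
    cases_taken, transmissions_taken = 0.0, 0.0
    top_share, cases_for_share = None, None
    for x, p in reversed(pts):
        if top_share is None and cases_taken + p >= top_fraction:
            take = top_fraction - cases_taken
            top_share = (transmissions_taken + take * x) / mean
        if (cases_for_share is None
                and transmissions_taken + p * x >= share_target * mean):
            need = share_target * mean - transmissions_taken
            cases_for_share = cases_taken + (need / x if x else 0.0)
        cases_taken += p
        transmissions_taken += p * x
        if top_share is not None and cases_for_share is not None:
            break

    return {"mean": mean, "median": median, "mode": mode,
            "p_zero": pts[0][1], "top_share": top_share,
            "cases_for_share": cases_for_share}


if __name__ == "__main__":
    for k in (0.1, 1e6):                  # k = 1e6 is effectively Poisson
        s = summary(2.5, k)
        print(f"R0=2.5 k={k:g}: mean={s['mean']:.2f} median={s['median']} "
              f"mode={s['mode']} P(0)={s['p_zero']:.2f} "
              f"top20%_share={s['top_share']:.2f} "
              f"cases_for_80%={s['cases_for_share']:.2f}")
```

    Run as a script it prints one row per k. With k = 0.1 the mean is 2.5 as
    specified, but the median and the mode are both 0, about 72% of cases
    infect nobody, the most infectious 20% of cases account for roughly 96% of
    all transmission, and 80% of transmission traces back to under a tenth of
    cases. With k = 10^6 (the same mean, no superspreading) the median and mode
    are 2, about 8% of cases infect nobody, and the top 20% account for under
    40%. Which of those two rows a bare "R0 = 2.5" is describing is exactly
    what the thread above is arguing over.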

    ------------------------------

    End of RISKS-FORUM Digest 31.96
    ************************
     
  9. LakeGator

    Risks Digest 31.97

    RISKS List Owner

    Jun 9, 2020 4:11 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 9 June 2020 Volume 31 : Issue 97

    Contents:
    Democracy Live Internet voting: unsurprisingly insecure, and surprisingly
    insecure (Specter and Halderman, with Andrew Appel's comments via PGN)
    More on Internet e-voting: Swiss Post purchases Scytl (SwissInfo)
    Report Details New Cyber Threats to Elections From Covid-19 (Maggie Miller)
    IBM ends all facial recognition business as CEO calls out bias and
    inequality (TechCrunch)
    Cox slows an entire neighborhood's Internet after one person's 'excessive
    use' (Engadget)
    Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them. (NYTimes)
    Big brands bring the fight to Big Tech (Politico)
    System Security Integration Through Hardware and Firmware (DARPA via
    Richard Stein)
    2018 War Game Scenario has Gen Z Revolting (Skullcap SaVant via goodfellow)
    A Million-Mile Battery From China Could Power Your Electric Car (Bloomberg)
    I wrote this law to protect free speech. Now Trump wants to revoke it.
    (Ron Wyden via CNN)
    Programming 'language': Brain scans reveal coding uses same regions as
    speech (Medical Express)
    Cisco's Warning: Critical Flaw in IOS Routers Allows 'Complete System
    Compromise' (Liam Tung)
    False Negative Tests for SARS-CoV-2 Infection -- Challenges and Implications
    (NEJM)
    Re: Just Stop the Superspreading (Attila, Wol, Amos Shapir, Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 9 Jun 2020 10:29:39 PDT
    From: "Peter G. Neumann" <neu...@CSL.SRI.COM>
    Subject: Democracy Live Internet voting: unsurprisingly insecure, and
    surprisingly insecure (Specter and Halderman, with Andrew Appel's
    comments via PGN)

    A new report by Michael Specter (MIT) and Alex Halderman (U. of Michigan)
    <https://internetpolicy.mit.edu/wp-content/uploads/2020/06/OmniBallot.pdf>
    demonstrates that the OmniBallot Internet voting system from Democracy Live
    <Democracy Live - Voting Technologies for the Modern Voter> is fatally insecure. That by itself is not
    surprising, as *no known technology* could make it secure. What is
    surprising is all the /unexpected/ insecurities that Democracy Live crammed
    into OmniBallot -- and the way that Democracy Live skims so much of the
    voter's private information.

    Democracy Live internet voting: unsurprisingly insecure, and surprisingly insecure

    Andrew Appel <ap...@princeton.edu> has posted an extremely relevant article
    in Freedom-to-Tinker: Andrew Appel

    The OmniBallot Internet voting system from Democracy Live finds surprising
    new ways to be insecure, in addition to the usual (severe, fatal)
    insecurities common to all Internet voting systems.

    There's a very clear scientific consensus that ``the Internet should not
    be used for the return of marked ballots'' because ``no known technology
    guarantees the secrecy, security, and verifiability of a marked ballot
    transmitted over the Internet.'' That's from the National Academies 2018
    consensus study report <https://doi.org/10.17226/25120>, consistent with
    the May 2020 recommendations from the U.S. EAC/NIST/FBI/CISA.
    <http://s3.amazonaws.com/ftt-uploads...nagement_for_Electronic-Ballot_05082020-1.pdf>

    [Please read the entire paper and Andrew's commentary. They are very
    revealing, and devastating for those persons who believe that Internet
    voting can be made secure. Every known attempt seems to have been easily
    defeated: Washington DC 2010, Estonia 2014, Australia 2015, Scytl in
    Switzerland 2019, Voatz in West Virginia 2020, OmniBallot now. Insiders
    at any of four private companies (Democracy Live, Google, Amazon,
    Cloudflare), or any hackers who manage to hack into these companies, can
    steal votes: Democracy Live doesn't run its own servers. PGN-excerpted]

    ------------------------------

    Date: Tue, 9 Jun 2020 10:11:57 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: More on Internet e-voting: Swiss Post purchases Scytl (SwissInfo)

    Swiss Post set to relaunch its e-voting system | Sonia Fenazzi/SwissInfo
    <Swiss Post set to relaunch its e-voting system>
    The controversial issue of e-voting is back: Swiss Post, which had halted
    the development of a project in July 2019, has bought a Spanish-owned system
    and plans to propose a platform ready for testing by 2021.

    Opposition to the plans of Swiss Post remains strong. The purchase was
    reported on May 17 by the SonntagsBlick newspaper, who wrote that the deal
    between Swiss Post and Spanish firm Scytl had been settled for an
    unspecified amount.

    The deal follows the bankruptcy of the Spanish company, with whom Swiss Post
    had been working on a system until flaws discovered last year sparked a
    political debate, which ended in the government dropping e-voting plans for
    the time being.

    Swiss Post spokesperson Oliver Flüeler confirmed to swissinfo.ch that
    last summer, despite the opposition, his company decided to continue
    developing a system on its own, and ``after several months of negotiations''
    it secured the rights to the source code from Scytl.

    The aim is now to propose an e-vote system by 2021 that ``takes into account
    various federal particularities'' and ``responds even better to the high and
    specific requirements of a Swiss electronic voting system'', Flüeler
    said.

    He added that Swiss Post takes public concerns about security and the role
    of foreign suppliers very seriously, but insisted that it doesn't plan to go
    it completely alone.

    ``In future, Swiss Post will increasingly cooperate with Swiss universities
    of applied sciences, other higher education institutions and encryption
    experts,'' he said. And ``to guarantee maximum security at all times'', Swiss
    Post ``will reissue the new improved source code so that independent
    national and international experts can verify any weaknesses''.

    Opposition

    E-voting was first introduced in Switzerland on a limited basis in 2003, as
    part of ongoing tests. However, political opposition and skepticism over the
    safety of such a voting channel has been a constant over the years, and
    again with this latest twist, not everyone is happy.

    Franz Grüter, a right-wing parliamentarian who also heads a people's
    initiative calling for a moratorium on e-voting projects in Switzerland,
    criticised the Swiss Post move and called for a parliamentary inquiry.

    ``There are good reasons to check whether Swiss Post -- a state-controlled
    company -- acted correctly and paid a fair price, because the whole thing
    seems to lack transparency,'' he said.

    The parliamentarian and IT entrepreneur added: ``It's hard to believe that
    Swiss Post has paid an undisclosed price for a system which we already know
    doesn't work properly. In other countries, too, Scytl systems have
    experienced major problems. Perhaps that's precisely why the company went
    bankrupt''.

    He said Swiss Post should have started from scratch and developed an
    entirely new system, ``which could have restored trust and therefore
    considerably reduced opposition to e-voting'' -- an opposition that is
    widespread in Swiss political circles. [PGN truncated for RISKS]

    ------------------------------

    Date: Mon, 8 Jun 2020 12:04:29 -0400 (EDT)
    From: ACM TechNews <technew...@acm.org>
    Subject: Report Details New Cyber Threats to Elections From Covid-19
    (Maggie Miller)

    Maggie Miller, *The Hill*, 5 Jun 2020 via ACM TechNews, Monday, June 8, 2020

    A report compiled by New York University's Brennan Center for Justice
    outlines a wide range of cyber threats stemming from voting changes prompted
    by Covid-19. Such threats include attempts to target election officials
    working on unsecured networks at home, recovering from voter registration
    system outages, and securing online ballot request systems. Report co-author
    Lawrence Norden said election officials already dealing with cyber threats
    now face additional challenges due to the pandemic. Election-security
    upgrades come with funding challenges because of Covid-19 disruptions, and
    the Brennan Center calculates $4 billion must be appropriated to make needed
    changes. Said Norden, "There is no question that what Congress can do, and
    really has to do very soon, is provide more money to states and localities
    so they can invest in election security over the next few months."
    Report details new cyber threats to elections from COVID-19

    ------------------------------

    Date: Mon, 8 Jun 2020 18:54:33 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: IBM ends all facial recognition business as CEO calls out bias and
    inequality (TechCrunch)

    IBM ends all facial recognition business as CEO calls out bias and inequality – TechCrunch

    ------------------------------

    Date: Tue, 9 Jun 2020 10:44:34 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Cox slows an entire neighborhood's Internet after one person's
    'excessive use' (Engadget)

    Cox slows an entire neighborhood's internet after one person's 'excessive use'

    ------------------------------

    Date: Tue, 9 Jun 2020 09:53:48 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them.
    (NYTimes)

    Federal prosecutors in Manhattan are investigating a global hacker-for-hire
    operation that sent phishing emails to environmental groups, journalists and
    others.

    Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them.

    ------------------------------

    Date: Tue, 9 Jun 2020 17:28:19 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Big brands bring the fight to Big Tech (Politico)

    Big brands bring the fight to Big Tech

    The EU's Digital Services Act proposes platform rules to suppress and
    prevent counterfeit IP sales, such as fraudulent-branded women's accessories
    (handbags, shoes, etc.), that appear for sale on Amazon.com, Facebook,
    Alibaba.
    (Towards a more responsible and innovative internet - Digital Services Act position paper - DIGITALEUROPE)

    The platforms now practice voluntary fraud prevention efforts: "Amazon said
    the company invested 'over $500 million in 2019 and has more than 8,000
    employees protecting [their] store from fraud and abuse.'"

    "Despite these efforts, 'it's still like comparing Chernobyl with [the Three
    Mile Island nuclear accident in] Harrisburg,' Pennsylvania, Daniel
    Wellington's Sjöstrand said."

    Policing (inspecting and certifying) platform supplier bona fides, and the
    authenticity of brand-name sale items is time-consuming, difficult to
    fulfill, slows inventory turnover in warehouses, etc. The platforms have
    instituted policing for personnel protective equipment during the COVID-19
    Pandemic. Why not continue this practice for less vital goods?

    The affected consumer brands (Nike, LVMH, Coach, Kate Spade, etc.)
    hemorrhage profits from an escalating sales velocity of highly desirable,
    and apparently good enough, knock-offs. One business' profit is another
    business' expense.

    Counterfeit consumer item sales liability will be challenging to resolve and
    enforce internationally.

    Counterfeit internet sales is big business for the ethically-challenged and
    the criminally-inclined.
    Counterfeit consumer goods - Wikipedia estimates the tab
    at US$ 1.77T in 2015 and growing. Millions of jobs at risk, stock prices
    gutted, salaries and bonuses cut, reputations risked, etc.

    ------------------------------

    Date: Tue, 9 Jun 2020 10:05:53 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: System Security Integration Through Hardware and Firmware (DARPA)

    System Security Integration Through Hardware and Firmware

    "Electronic system security has become an increasingly critical area of
    concern for the DoD and more broadly for security of the U.S. as a whole.
    Current efforts to provide electronic security largely rely on robust
    software development and integration. Present responses to hardware
    vulnerability attacks typically consist of developing and deploying patches
    to the software firewall without identifying or addressing the underlying
    hardware vulnerability. As a result, while a specific attack or
    vulnerability instance is defeated, creative programmers can develop new
    methods to exploit the remaining hardware vulnerability and a continuous
    cycle of exploitation, patching, and subsequent exploitations ensues.

    "The System Security Integration Through Hardware and Firmware (SSITH)
    program seeks to break this cycle of vulnerability exploitation by
    developing hardware security architectures and associated design tools to
    protect systems against classes of hardware vulnerabilities exploited
    through software, not just vulnerability instances. Areas of exploration
    that are targeted by SSITH include anomalous state detection, meta-data
    tagging, and churning of the electronic attack surface. The goal of the
    program is to develop ideas and design tools that will enable system-on-chip
    (SoC) designers to safeguard hardware against all known classes of hardware
    vulnerabilities that can be exploited through software, such as exploitation
    of permissions and privilege in the system architectures, memory errors,
    information leakage, and code injection. To accomplish its goal, SSITH seeks
    to encourage collaboration between research teams, commercial teams, and
    traditional DoD performers to provide robust and flexible solutions
    applicable to both DoD and commercial electronic systems."

    Constructive to subdue microcode-enabled exploits. Formal methods (FM)
    (see Formal methods - Wikipedia) have been
    applied in some cases.

    During the 1980s, I seem to recall the INMOS transputer applied FM to
    demonstrate IEEE-754 floating-point verification compliance.

    Once implemented, will the IP comprising the tools and their test cases be
    immunized against unauthorized access or from theft?

    [A paper on formal proofs of security-critical properties of the CHERI
    hardware instruction-set architecture being developed under one of the
    SSITH projects appeared last month in the IEEE Symposium on Security and
    Privacy:

    Kyndylan Nienhuis, Alexandre Joannou, Thomas Bauereiss, Anthony Fox,
    Michael Roe, Brian Campbell, Matthew Naylor, Robert M. Norton, Simon
    W. Moore, Peter G. Neumann, Ian Stark, Robert N. M. Watson, Peter
    Sewell, Rigorous Engineering for Hardware Security: Formal Modelling
    and Proof in the CHERI Design and Implementation Process, 2020 IEEE
    Symposium on Security and Privacy, pp. 1007-1024.
    #344 - S&P 2020

    PGN]

    ------------------------------

    Date: Mon, Jun 8, 2020 at 7:14 AM
    From: Skullcap SaVant <ben.wil...@gmail.com>
    Subject: 2018 War Game Scenario has Gen Z Revolting

    (Sent via geoff goodfellow. PGN)

    This article is a wonderful piece of sleuthing. This news outlet received
    (via FOIA request) documents detailing a war game scenario that was
    conducted in 2018 which forecasted a future of revolution by 2025, that
    would be conducted by GEN Z. The scenario's trigger points are SPOT ON with
    the current unrest in the world, but sped up by 5 years because of the
    "unknown unknown" of COVID.

    The scenario includes GEN Z educating each other on how to use the dark web
    and thus teaching them to be a generation of "Cyber Punks" which know how to
    hack and cover their tracks. The wargame plays out with corporations being
    the most vulnerable, as GEN Z will enact their own form of vigilante justice
    by siphoning the digital bank accounts of the largest companies and convert
    it to bitcoin ... only to be redistributed to the masses "Robin Hood"
    style.

    *Pentagon War Game Includes Scenario for Military Response to Domestic Gen
    Z Rebellion*

    EXCERPT:

    In the face of protests composed largely of young people, the presence of
    America's military on the streets of major cities has been a controversial
    <https://www.newsweek.com/gop-senato...t-violent-protests-no-quarter-rioters-1507918>
    development. But this isn't the first time that Generation Z -- those born
    after 1996 -- has popped up on the Pentagon's radar.

    Documents obtained by The Intercept via the Freedom of Information Act
    reveal that a Pentagon war game, called the 2018 Joint Land, Air and Sea
    Strategic Special Program, or JLASS, offered a scenario in which members of
    Generation Z, driven by malaise and discontent, launch a ``Zbellion'' in
    America in the mid-2020s.

    The Zbellion plot was a small part of JLASS 2018, which also featured
    scenarios involving Islamist militants in Africa, anti-capitalist
    extremists, and ISIS successors. The war game was conducted by students and
    faculty from the U.S. military's war colleges, the training grounds for
    prospective generals and admirals. While it is explicitly not a national
    intelligence estimate, the war game, which covers the future through early
    2028, is ``intended to reflect a plausible depiction of major trends and
    influences in the world regions,'' according to the more than 200 pages of
    documents.

    According to the scenario, many members of Gen Z -- psychologically scarred
    in their youth by 9/11 and the Great Recession, crushed by college debt,
    and disenchanted with their employment options -- have given up on their
    hopes for a good life and believe the system is rigged against them. Here's
    how the origins of the uprising are described: [...]
    Pentagon War Game Includes Scenario for Military Response to Domestic Gen Z Rebellion

    ------------------------------

    Date: Mon, 8 Jun 2020 09:38:21 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: A Million-Mile Battery From China Could Power Your Electric Car
    (Bloomberg)

    * CATL ready to sell pack that lasts 16 years, chairman says
    * Milestone could bring EV ownership costs down, boost demand

    The Chinese behemoth that makes electric-car batteries for Tesla Inc. and
    Volkswagen AG developed a power pack that lasts more than a million miles --
    an industry landmark and a potential boon for automakers trying to sway
    drivers to their EV models.

    Contemporary Amperex Technology Co. Ltd. is ready to produce a battery that
    lasts 16 years and 2 million kilometers (1.24 million miles), Chairman Zeng
    Yuqun said in an interview at company headquarters in Ningde, southeastern
    China. Warranties on batteries currently used in electric cars cover about
    150,000 miles or eight years, according to BloombergNEF.

    Extending that lifespan is viewed as a key advance because the pack could
    be reused in a second vehicle. That would lower the expense of owning an
    electric vehicle, a positive for an industry that's seeking to recover
    sales momentum lost to the coronavirus outbreak and the slumping oil prices
    that made gas guzzlers more competitive. [...]

    https://www.bloomberg.com/news/arti...tery-from-china-could-power-your-electric-car
    https://www.msn.com/en-us/finance/c...ina-could-power-your-electric-car/ar-BB15ahq8

    [This reminds me of The Man in the White Suit, Alec Guinness and the suit
    that never needed washing or ironing, and what it would do to the clothing
    industry. However, I suppose the Chinese battery would be a very
    substantial part of the cost of the car, so that you could throw away the
    car at some point, and reuse the battery in your next car purchase. PGN]

    ------------------------------

    Date: Tue, 9 Jun 2020 10:47:57 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Ron Wyden: I wrote this law to protect free speech. Now Trump
    wants to revoke it. (CNN)

    https://www.cnn.com/2020/06/09/perspectives/ron-wyden-section-230/index.html

    ------------------------------

    Date: Mon, 8 Jun 2020 13:56:22 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: Programming 'language': Brain scans reveal coding uses same regions
    as speech (Medical Express)

    https://medicalxpress.com/news/2020-06-language-brain-scans-reveal-coding.html

    [See my book chapter on the need for left-right-brain synergy,
    relationships to music, and more:
    Peter G. Neumann, Psychosocial Implications of Computer Software
    Development and Use: Zen and the Art of Computing,
    Theory and Practice of Software Technology,
    (D. Ferrari, M. Bolognani, and J. Goguen (editors). North-Holland,
    Pages 221--232, 1983.
    PGN]

    ------------------------------

    Date: Mon, 8 Jun 2020 12:04:29 -0400 (EDT)
    From: ACM TechNews <technew...@acm.org>
    Subject: Cisco's Warning: Critical Flaw in IOS Routers Allows 'Complete
    System Compromise' (Liam Tung)

    Liam Tung, ZDNet, 4 Jun 2020 via ACM TechNews, Monday, June 8, 2020

    Cisco has released information on four security flaws impacting router
    equipment that uses its IOS XE and IOS networking software. One flaw
    involves the authorization controls for the Cisco IOx application hosting
    infrastructure in Cisco IOS XE, which could allow a non-credentialed remote
    attacker to execute Cisco IOx application-programming-interface commands
    without proper authorization. Another flaw is a command-injection bug in
    Cisco's implementation of the inter-virtual machine (VM) channel of Cisco
    IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers
    and Cisco 1000 Series Connected Grid Routers. The software inadequately
    validates signaling packets routed to the Virtual Device Server (VDS), which
    could allow attackers to send malware to an affected device, hijack VDS, and
    completely compromise the system. The two remaining bugs involve a
    vulnerability in Cisco's 800 Series industrial routers, through which
    hackers could remotely execute arbitrary code or cause it to crash and
    reload. Cisco says it has delivered updates to address the critical flaws
    affecting its industrial routers.
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25818x222c4bx066802&

    ------------------------------

    Date: June 8, 2020 at 22:22:54 GMT+9
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: False Negative Tests for SARS-CoV-2 Infection -- Challenges and
    Implications (NEJM)

    [Note: This item comes from friend David Rosenthal. DLH]

    False Negative Tests for SARS-CoV-2 Infection -- Challenges and Implications
    By Steven Woloshin, M.D., Neeraj Patel, B.A., and Aaron S. Kesselheim, M.D., J.D., M.P.H.
    Jun 5 2020
    <https://www.nejm.org/doi/full/10.1056/NEJMp2015897>

    There is broad consensus that widespread SARS-CoV-2 testing is essential to
    safely reopening the United States. A big concern has been test
    availability, but test accuracy may prove a larger long-term problem.

    While debate has focused on the accuracy of antibody tests, which identify
    prior infection, diagnostic testing, which identifies current infection, has
    received less attention. But inaccurate diagnostic tests undermine efforts
    at containment of the pandemic.

    Diagnostic tests (typically involving a nasopharyngeal swab) can be
    inaccurate in two ways. A false positive result erroneously labels a person
    infected, with consequences including unnecessary quarantine and contact
    tracing. False negative results are more consequential, because infected
    persons -- who might be asymptomatic -- may not be isolated and can infect
    others.

    Given the need to know how well diagnostic tests rule out infection, it's
    important to review assessment of test accuracy by the Food and Drug
    Administration (FDA) and clinical researchers, as well as interpretation of
    test results in a pandemic.

    The FDA has granted Emergency Use Authorizations (EUAs) to commercial test
    manufacturers and issued guidance on test validation.1 The agency requires
    measurement of analytic and clinical test performance. Analytic sensitivity
    indicates the likelihood that the test will be positive for material
    containing any virus strains and the minimum concentration the test can
    detect. Analytic specificity indicates the likelihood that the test will be
    negative for material containing pathogens other than the target virus.

    Clinical evaluations, assessing performance of a test on patient specimens,
    vary among manufacturers. The FDA prefers the use of ``natural clinical
    specimens'' but has permitted the use of ``contrived specimens'' produced by
    adding viral RNA or inactivated virus to leftover clinical
    material. Ordinarily, test-performance studies entail having patients
    undergo an index test and a ``reference standard'' test determining their
    true state. Clinical sensitivity is the proportion of positive index tests
    in patients who in fact have the disease in question. Sensitivity, and its
    measurement, may vary with the clinical setting. For a sick person, the
    reference-standard test is likely to be a clinical diagnosis, ideally
    established by an independent adjudication panel whose members are unaware
    of the index-test results. For SARS-CoV-2, it is unclear whether the
    sensitivity of any FDA-authorized commercial test has been assessed in this
    way. Under the EUAs, the FDA does allow companies to demonstrate clinical
    test performance by establishing the new test's agreement with an authorized
    reverse-transcriptase-polymerase-chain-reaction (RT-PCR) test in known
    positive material from symptomatic people or contrived specimens. Use of
    either known positive or contrived samples may lead to overestimates of test
    sensitivity, since swabs may miss infected material in practice.1

    Designing a reference standard for measuring the sensitivity of SARS-CoV-2
    tests in asymptomatic people is an unsolved problem that needs urgent
    attention to increase confidence in test results for contact-tracing or
    screening purposes. Simply following people for the subsequent development
    of symptoms may be inadequate, since they may remain asymptomatic yet be
    infectious. Assessment of clinical sensitivity in asymptomatic people had
    not been reported for any commercial test as of June 1, 2020.

    Two studies from Wuhan Province, China, arouse concern about false negative
    RT-PCR tests in patients with apparent Covid-19 illness. In a preprint, Yang
    et al. described 213 patients hospitalized with Covid-19, of whom 37 were
    critically ill.2 They collected 205 throat swabs, 490 nasal swabs, and 142
    sputum samples (median, 3 per patient) and used an RT-PCR test approved by
    the Chinese regulator. In days 1 through 7 after onset of illness, 11% of
    sputum, 27% of nasal, and 40% of throat samples were deemed falsely
    negative. Zhao et al. studied 173 hospitalized patients with acute
    respiratory symptoms and a chest CT ``typical'' of Covid-19, or SARS-CoV-2
    detected in at least one respiratory specimen. Antibody seroconversion was
    observed in 93%.3 RT-PCR testing of respiratory samples taken on days 1
    through 7 of hospitalization were SARS-CoV-2 positive in at least one
    sample from 67% of patients. Neither study reported using an independent
    panel, unaware of index-test results, to establish a final diagnosis of
    Covid-19 illness, which may have biased the researchers toward
    overestimating sensitivity.

    In a preprint systematic review of five studies (not including the Yang and
    Zhao studies), involving 957 patients (``under suspicion of Covid-19'' or
    with ``confirmed cases''), false negatives ranged from 2 to 29%.4 However,
    the certainty of the evidence was considered very low because of the
    heterogeneity of sensitivity estimates among the studies, lack of blinding
    to index-test results in establishing diagnoses, and failure to report key
    RT-PCR characteristics.4 Taken as a whole, the evidence, while limited,
    raises concern about frequent false negative RT-PCR results.

    If SARS-CoV-2 diagnostic tests were perfect, a positive test would mean that
    someone carries the virus and a negative test that they do not. With
    imperfect tests, a negative result means only that a person is less likely
    to be infected. To calculate how likely, one can use Bayes' theorem, which
    incorporates information about both the person and the accuracy of the test
    (recently reviewed5). For a negative test, there are two key inputs: pretest
    probability -- an estimate, before testing, of the person's chance of being
    infected -- and test sensitivity. Pretest probability might depend on local
    Covid-19 prevalence, SARS-CoV-2 exposure history, and symptoms. Ideally,
    clinical sensitivity and specificity of each test would be measured in
    various clinically relevant real-life situations (e.g., varied specimen
    sources, timing, and illness severity).

    Assume that an RT-PCR test was perfectly specific (always negative in people
    not infected with SARS-CoV-2) and that the pretest probability for someone
    who, say, was feeling sick after close contact with someone with Covid-19
    was 20%. If the test sensitivity were 95% (95% of infected people test
    positive), the post-test probability of infection with a negative test would
    be 1%, which might be low enough to consider someone uninfected and may
    provide them assurance in visiting high-risk relatives. The post-test
    probability would remain below 5% even if the pretest probability were as
    high as 50%, a more reasonable estimate for someone with recent exposure and
    early symptoms in a ``hot spot'' area.

    But sensitivity for many available tests appears to be substantially lower:
    the studies cited above suggest that 70% is probably a reasonable
    estimate. At this sensitivity level, with a pretest probability of 50%, the
    post-test probability with a negative test would be 23% -- far too high to
    safely assume someone is uninfected.
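    The Bayes computation in the last two paragraphs, carried through in code as an
    added example (not from the NEJM article or this digest). It reproduces the
    article's three figures (20%/95% -> about 1%, 50%/95% -> under 5%, 50%/70% ->
    23%) and generalises them to an imperfectly specific test and to a positive
    result; the function names are this example's own.

```python
"""Post-test probability of infection after a diagnostic test (Bayes' theorem).

Added example, not code from the NEJM article. Probabilities are fractions in
[0, 1]; the article's cases assume a perfectly specific test (specificity = 1).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Test:
    sensitivity: float   # P(positive | infected)
    specificity: float   # P(negative | not infected)

    def __post_init__(self):
        for v in (self.sensitivity, self.specificity):
            if not 0.0 <= v <= 1.0:
                raise ValueError("sensitivity and specificity must be in [0, 1]")


def post_test_probability(pretest: float, test: Test, result: str) -> float:
    """P(infected | result), result in {"negative", "positive"}.

    Bayes' theorem over the two hypotheses 'infected' and 'not infected':
        P(inf | r) = P(r | inf) P(inf) / (P(r | inf) P(inf) + P(r | not inf) P(not inf))
    """
    if not 0.0 <= pretest <= 1.0:
        raise ValueError("pretest probability must be in [0, 1]")
    if result == "negative":
        p_r_inf = 1.0 - test.sensitivity   # false-negative rate
        p_r_not = test.specificity         # true-negative rate
    elif result == "positive":
        p_r_inf = test.sensitivity         # true-positive rate
        p_r_not = 1.0 - test.specificity   # false-positive rate
    else:
        raise ValueError("result must be 'negative' or 'positive'")
    numerator = p_r_inf * pretest
    denominator = numerator + p_r_not * (1.0 - pretest)
    if denominator == 0.0:
        # The observed result is impossible under the model (e.g. pretest = 1,
        # a perfectly specific test, and a negative result): keep the prior.
        return pretest
    return numerator / denominator


def sensitivity_needed(pretest: float, target_post: float,
                       specificity: float = 1.0) -> float:
    """Minimum sensitivity for a negative result to bring P(infected) down to
    target_post. Solving P(inf | neg) = t for the false-negative rate (1 - s):
        t = (1-s)p / ((1-s)p + spec(1-p))  =>  1-s = t spec (1-p) / (p (1-t))
    """
    if not 0.0 < pretest < 1.0 or not 0.0 < target_post < pretest:
        raise ValueError("need 0 < target_post < pretest < 1")
    false_neg = target_post * specificity * (1.0 - pretest) / (pretest * (1.0 - target_post))
    return max(0.0, 1.0 - false_neg)


if __name__ == "__main__":
    # The article's three worked cases, all with a perfectly specific test.
    for pre, sens in ((0.20, 0.95), (0.50, 0.95), (0.50, 0.70)):
        post = post_test_probability(pre, Test(sens, 1.0), "negative")
        print(f"pretest {pre:.0%}, sensitivity {sens:.0%}: "
              f"P(infected | negative) = {post:.1%}")
    # How sensitive a test must be to get a 50% pretest case under 5%.
    print(f"sensitivity needed (50% -> 5%): {sensitivity_needed(0.5, 0.05):.1%}")
```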

    ------------------------------

    From: Attila the Hun <attilath...@tiscali.co.uk>
    Date: Mon, 8 Jun 2020 12:46:57 +0100
    Subject: Re: Just Stop the Superspreading (Baker, RISKS-31.96)

    In Just Stop the Superspreading (Arthur T., RISKS-31.95), Henry
    Baker attributes the statement: "If you think education is expensive, try
    ignorance", to Derek Bok, a President of Harvard University.

    Although, in 1978, Ann Landers credited Bok with saying this, in 1998 she
    wrote that Bok had contacted her and disclaimed authorship of the quotation.

    A source of the statement might well be a 1902 advertisement for a
    Conservatory of Music in Ottumwa, Iowa, which included: ``Education is
    expensive but ignorance is more so.'' Who amended it to the form more
    commonly known appears to be unknown.

    ------------------------------

    Date: Mon, 8 Jun 2020 17:50:08 +0100
    From: Wol <antl...@youngman.org.uk>
    Subject: Re: Just Stop the Superspreading (Baker, RISKS-31.96)

    I'll give you that -- the general public -- or rather journalists -- love to
    talk about the average (the *mean*) but apply where it doesn't make sense.

    And this is where your argument falls apart (and I lose patience with
    you). If you're going to slag other people off for poor science, DON'T DO IT
    YOURSELF.

    You have just defined all "normal" distributions as the Bell Curve, which
    itself is NOT a normal distribution. It's rather rare in nature, which is
    why it's a bloody nuisance as being the easiest to understand but at the
    same time the least relevant to reality.

    > For (ab)normal distributions, mean/median/mode can vary widely from one
    > another, or may not even exist -- e.g., the pathological, but not unusual,
    > 'Cauchy' distribution ("applications of the Cauchy distribution ... can be
    > found in fields working with exponential growth" [Wikipedia]), which has
    > neither a *mean/expected value*, nor a *variance*, nor a *standard
    > deviation*, thus for the Cauchy distribution (and many other commonly
    > occurring distributions) Arthur's phrase "the size of the standard
    > deviation" is nonsensical.

    I think the rule here is "know your distribution", and don't apply the rules
    for one when the numbers are a different one. It's like the chi-squared test
    -- it's tempting to use it more than you should because it seems good, but
    it's actually totally inappropriate under most circumstances.

    > Takeaway: when some distribution is not 'normal', then our INTUITION FAILS
    > US.

    Let me rephrase that -- when the distribution is not a Bell Curve, then the
    General Public will completely misunderstand it.

    > The sign on an abnormal distribution should read: "Abandon all
    > intuition, ye who enter here". Something is dreadfully wrong when the
    > variance/standard deviation or even the mean/expected value does not exist.
    > Even when the mean/'expected value' does exist for such an abnormal
    > distribution, it is almost always misleading and/or useless. Perhaps it
    > would be more appropriate to call such a mean 'the SUSpected value'!:)

    I think you think you are talking about pretty much anything outside of a
    Bell Curve. But other distributions are also well understood (by
    statisticians).

    For example, your beloved (ab)normal SuperSpreader distribution is just a
    normal skewed distribution -- the same distribution and maths associated
    with salaries, actually -- and I would think that is well understood!

    (And while I would not claim to be a statistician, having studied
    Statistics, Relativity and Quantum Mechanics at Uni, I can at least spot a
    bullshit argument relatively <groan> easily.)

    ------------------------------

    Date: Tue, 9 Jun 2020 11:24:37 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Just Stop the Superspreading (Baker, Risks 31.96)

    The way I've heard it, when one asks "Why do models use the normal
    distribution?", statisticians say "We don't know, the mathematicians tell us
    it's easier to calculate that way", and mathematicians say "We don't know,
    the statisticians tell us this is what happens in the real world".

    ------------------------------

    Date: Tue, 9 Jun 2020 08:25:06 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Re: Just Stop the Superspreading (Baker, RISKS-31.96)

    > and with Avogadro's number of 'independent' variables

    Does that mean we have a mole influencing our decisions?

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.97
    ************************
     
  10. LakeGator

    Risks Digest 31.98

    RISKS List Owner

    Jun 12, 2020 7:34 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 12 June 2020 Volume 31 : Issue 98

    Contents:
    Election fiasco: Georgia on my mind (NYTimes via PGN)
    Babylon Health app error allowed UK users to watch videos of other
    patients' private doctor visits (CBC-CA)
    How his photo ended up breaking Android phones (BBC News)
    Unusual rodent engine problem has suddenly become 'super common' (Freep)
    Honda confirms its network has been hit by cyber-attack (ZDNet)
    New CrossTalk attack impacts Intel's mobile, desktop, and server CPUs
    (ZDNet)
    Australian beverage company hit by cyber-attack (SHM-AU)
    UPnP flaw exposes millions of network devices to attacks over the Internet
    (Ars Technica)
    IoT Security Is a Mess. Privacy 'Nutrition' Labels Could Help (WiReD)
    Apple publishes free resources to improve password security (ZDNet)
    Satellites Are Capturing the Protests, and Just About Everything Else on
    Earth (Bloomberg)
    Multiple US agencies have purchased this mysterious mobile eavesdropping
    device (TechRadar)
    Telecom security firm flags 'potentially huge' vulnerabilities in Internet
    infrastructure (Laurens Cerulus)
    FBI warns hackers are targeting mobile banking apps (The Hill)
    OpenAI's Text Generator Is Going Commercial (WiReD)
    Zoom disables accounts of former Tiananmen Square student leader (FT)
    Amazon bans police use of face recognition tech for one year (CNBC)
    Data from 15M phones shows some Americans are gathering at pre-pandemic
    levels (NBC News)
    The hidden detectors looking for guns and knives (BBC)
    Trump Order Confronts Big Tech Bias
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 12 Jun 2020 14:09:25 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Election fiasco: Georgia on my mind

    [PGN title, with apologies to Hoagy Carmichael]

    Nick Corasaniti and Stephanie Saul,
    In Georgia Election Havoc, a Costly Bet on Tech Led to Meltdown
    *The New York Times* front page and page A16, 12 Jun 2020

    "As Georgia election officials prepared to roll out an over-$100M high-tech
    voting system last year, good-government groups, a federal judge and
    election security experts warned of its perils. The new system, they
    argued, was too convoluted, too expensive, too big -- and was still
    insecure."

    "The problem seems to have been a perfect storm (overused metaphor, but
    apt here) of new equipment, hasty training and a crush of tasks
    associated with both getting the mail ballots out the door and
    processed AND with running an in-person voting operation."
    (Charles Stewart III)
    "A lot of people saw this coming ... There are a lot more things that can
    go wrong." (Andrew Appel)
    "A Rube Goldberg contraption" (Marilyn Marks)

    * Power demands blew fuses in aging polling places.
    * Some equipment never could power up.
    * Inability to boot equipment [once powered up].
    * PIN authorizations, physical cards.
    * Technicians who never explained the problems they fixed (on the fly).
    * In one location, only four poll workers instead of 12.
    * Inadequate training.
    * Dominion staff had to "replace only 20 components" among 30,000 machines
    -- considered a success story!
    * Dominion's Democracy 5.5 system used in this election had failed
    certification in Texas last year.
    * The computerized ballot-marking systems used in other states were known
    to cause problems, due to user error, poor training,
    infrastructure challenges, and "the occasional software issue".

    This is just one more fiasco in a year already marked by fiascos.
    November does not augur well.

    This election might remind RISKS readers of Murphy's Law. However,
    in this case
    "Anything that can go wrong will go wrong."
    might be recast as
    "Everything that can go wrong did go wrong."

    So, asks a long-time RISKS reader,
    "What's wrong with hand-marked paper ballots?"

    ------------------------------

    Date: Tue, 9 Jun 2020 22:53:41 -0600
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: Babylon Health app error allowed UK users to watch videos of
    other patients' private doctor visits (CBC-CA)

    Babylon Health app error allowed U.K. users to watch videos of other patients' private doctor visits | CBC News

    ------------------------------

    Date: Wed, 10 Jun 2020 14:34:21 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How his photo ended up breaking Android phones (BBC News)

    Gaurav Agrawal, a scientist and amateur photographer living in San Diego,
    couldn't believe it when he suddenly started seeing a photograph he took
    last summer popping up on the news. He took it at St Mary Lake in Glacier
    National Park, Montana, one "magical evening" in August 2019. He shared the
    snap on photo platform Flickr and thought no more about it.

    However, a glitch meant that when the image was set as wallpaper, it caused
    some Android phones to fail. The handsets would switch on and off
    repeatedly, requiring a factory reset which meant all data on them was
    wiped.

    'How my photo ended up breaking Android phones'

    ------------------------------

    Date: Tue, 9 Jun 2020 10:21:50 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Unusual rodent engine problem has suddenly become 'super common'
    (Freep)

    There was once a little mouse that caused a big problem.

    The critter crawled up in the wheel well of a parked car, made his way over
    the brakes and up into the engine. Most rodents would stop there, it's a
    nice nesting spot. But this fella had other plans.

    He kept going until he was inside the dashboard and couldn't get out.
    There, he died (I didn't say it would be a happy story). The rancid and
    revolting odor compelled the car owner to bring it to Avis Ford in
    Southfield, where service technicians made the unsavory discovery.

    "Usually you find a wiring harness for the engine or the fuel injection
    system that is all chewed up," said Avis Ford's Service Manager Larry
    Sirgany. "We'll find a car that's been sitting for a couple weeks and it
    will have a big nasty nest in there too."

    Over the years, Sirgany has found plenty of flora and fauna in car engines.
    There are grass and twig nests and dead -- sometimes alive -- vermin and
    lots of chewed wires. The resulting damage is costly to fix.

    But this spring, amid the stay home order during the coronavirus pandemic,
    the rodent ruination to engines has been exceptionally high in some places.

    "I've seen a solid dozen to 15 cars with damage in the last six weeks,"
    Sirgany said. "Typically, I would have two per month this time of year."

    *Hundreds in repairs* [...]

    Unusual rodent engine problem has suddenly become 'super common'

    ------------------------------

    Date: Wed, 10 Jun 2020 03:01:48 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: Honda confirms its network has been hit by cyber-attack (ZDNet)

    Honda confirms its network has been hit by cyberattack | ZDNet

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Tue, 9 Jun 2020 20:19:15 -0400
    Subject: New CrossTalk attack impacts Intel's mobile, desktop, and server CPUs
    (ZDNet)

    Academics detail a new vulnerability named CrossTalk that can be used to leak data across Intel CPU cores.

    New CrossTalk attack impacts Intel's mobile, desktop, and server CPUs | ZDNet

    ------------------------------

    Date: Tue, 9 Jun 2020 22:06:35 +0000
    From: John Colville <John.C...@uts.edu.au>
    Subject: Australian beverage company hit by cyber-attack (SHM-AU)

    http://www.smh.com.au/technology/dr...rget-corporate-australia-20200609-p550pu.html

    ------------------------------

    Date: Fri, 12 Jun 2020 07:40:11 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: UPnP flaw exposes millions of network devices to attacks over the
    Internet (Ars Technica)

    Unsafe for more than a decade, universal plug and play strikes again.

    UPnP flaw exposes millions of network devices to attacks over the Internet

    ------------------------------

    Date: Tue, 9 Jun 2020 20:08:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: IoT Security Is a Mess. Privacy 'Nutrition' Labels Could Help (WiReD)

    Just like with foods that display health information on the package,
    researchers are exploring a tool that details how connected devices manage
    data.

    The Internet-of-things security crisis has been building for more than a
    decade, with unprotected, unpatchable gadgets fueling botnets, getting
    attacked for nation state surveillance, and just generally being a weak link
    for networks. Given that IoT security seems unlikely to magically improve
    anytime soon, researchers and regulators are rallying behind a new approach
    to managing IoT risk. Think of it as nutrition labels for embedded devices.

    IoT Security Is a Mess. Privacy 'Nutrition' Labels Could Help

    ------------------------------

    Date: Tue, 9 Jun 2020 20:19:02 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Apple publishes free resources to improve password security (ZDNet)

    The new tools are meant to help the developers of password managers, and
    Apple hopes the tools will reduce the instances where users choose their own
    password rather than rely on the password manager.

    Apple publishes free resources to improve password security | ZDNet

    ------------------------------

    Date: Wed, 10 Jun 2020 09:43:53 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Satellites Are Capturing the Protests, and Just About Everything
    Else on Earth (Bloomberg)

    *This year has brought immense change, much of it immortalized in
    high-resolution images from space.*

    As protesters gathered in Washington over the weekend, their march across
    the city was documented by photography satellites flying overhead. One
    particular image stood out and made its way to various television
    newscasts. It showed the bright yellow *Black Lives Matter* mural that
    had been painted on two blocks of asphalt near the White House. It was
    visual proof that the protests and their message had, in a sense, made their
    way to space.

    The company that took the photo, Planet Labs Inc., has hundreds of
    satellites floating around Earth, enough that it can snap at least one photo
    of every spot on the planet every day, according to the startup. Such
    imagery used to be rare, expensive and controlled by governments. Now,
    Planet has built what amounts to a real-time accounting system of the earth
    that just about anyone can access by paying a fee.

    Over the next couple months, Planet is embarking on a project that will
    dramatically increase the number of photos it takes and improve the quality
    of the images by 25% in terms of resolution. To do that, the company is
    lowering the orbits of some of its larger, high-resolution satellites and
    launching a half-dozen more devices. As a result, Planet will go from
    photographing locations twice a day to as many as 12 times a day in some
    places.

    Customers will also be able to aim the satellites where they want using an
    automated system developed by Planet. ``The schedule is shipped to the
    satellite, and it knows the plan it needs to follow,'' said Jim Thomason,
    the vice president of products at Planet.

    Advancements like this in satellite imaging would have seemed unbelievable
    to the folks who started working on such research in earnest in the 1960s.
    Back then, the U.S. had a top-secret operation that entailed putting
    satellites into orbit, snapping pictures and then ejecting canisters of film
    from the satellites that tumbled back to Earth to be caught midair by a
    plane. Analysts would then develop the film and pore over the images looking
    for Soviet missile sites and other military operations. This Rube
    Goldbergian process didn't always work well, but it did ultimately result in
    the U.S. learning that the Russian missile program was not as advanced as
    officials had feared. [...]

    Satellites Are Capturing the Protests, and Just About Everything Else on Earth

    ------------------------------

    Date: Wed, 10 Jun 2020 09:44:50 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Multiple US agencies have purchased this mysterious mobile
    eavesdropping device (TechRadar)

    Multiple US federal agencies have obtained a mysterious new eavesdropping
    device thought to be designed to monitor 4G-enabled mobile phones.

    Very little is known about the *Crossbow* device, other than it iterates on
    the Stingray IMSI-catchers manufactured by Harris, used to trace location
    data and listen in on phone calls.

    While devices of this kind are used by law enforcement and intelligence
    across the globe, the air of mystery around the kit and a lack of
    transparency over the way in which it is being deployed has given rise to
    concern it could be used to infringe upon civil liberties.

    Procurement documents show the US Marshals placed an order with Harris for
    Crossbow devices worth $1.7 million, while the US Army and Navy made
    similar purchases worth circa $380,000.

    *Mobile surveillance*

    IMSI-catchers, or international mobile subscriber identity-catchers, are
    able to mimic the qualities of a cellphone tower and, by this mechanism,
    record the SIM card identity, eavesdrop on calls, access text messages and
    capture location data. [...]

    Multiple US agencies have purchased this mysterious mobile eavesdropping device | TechRadar

    ------------------------------

    Date: Wed, 10 Jun 2020 14:41:00 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Telecom security firm flags 'potentially huge' vulnerabilities in
    Internet infrastructure (Laurens Cerulus)

    Laurens Cerulus, Politico

    BRUSSELS -- A key protocol for Internet traffic is riddled with
    vulnerabilities that pose risks to telecom operators, including the
    potential to bring down websites and allow fraudsters to set up fake
    traffic, a telecom security firm said Wednesday.

    The protocol ``contains a number of vulnerabilities threatening both mobile
    operators and their clients. As a result, attackers can interfere with
    network equipment and leave an entire city without communications,
    impersonate users to access various resources, and use network services at
    the expense of the operator or subscribers,'' Positive Technologies said in
    a new report.
    <https://www.politico.eu/wp-content/...logies-report-Threat-vector-GTP-June-2020.pdf>

    The widespread GTP protocol is used across the board by telecom companies
    and Internet service providers to manage Internet traffic. It is also used
    in core parts of Internet networks, meaning the vulnerabilities are likely
    to persist in coming years as operators build new 5G infrastructure that
    still relies on 4G core networks.

    ``It's not like vulnerabilities in software. In the case of GTP, it is a
    kind of architectural deficiency. It's harder to eliminate,'' said Dmitry
    Kurbatov, chief technology officer at Positive Technologies. The firm
    performed security tests on dozens of networks in 2018-2019 and found
    ``every network tested was vulnerable'' to exploits through the protocol.

    The vulnerabilities can be used to target servers with denial-of-service
    attacks, allow hackers to set up so-called man-in-the-middle attacks that
    trick people into thinking they are visiting legitimate websites, and even
    allow operators to send fraudulent traffic to other operators, Kurbatov
    said.

    ------------------------------

    Date: Thu, 11 Jun 2020 09:57:09 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: FBI warns hackers are targeting mobile banking apps (The Hill)

    The FBI on Wednesday warned that malicious cyber actors were targeting
    mobile banking apps in an attempt to steal money as more Americans have
    moved to online banking during the coronavirus pandemic.

    In a public service announcement, the FBI noted it expects to see hackers
    exploit mobile banking platforms, which have seen a 50 percent surge in use
    since the beginning of the pandemic.
    <Internet Crime Complaint Center (IC3) | Increased Use of Mobile Banking Apps Could Lead to Exploitation>

    ``With city, state, and local governments urging or mandating social
    distancing, Americans have become more willing to use mobile banking as an
    alternative to physically visiting branch locations. The FBI expects cyber
    actors to attempt to exploit new mobile banking customers using a variety of
    techniques, including app-based banking trojans and fake banking apps.''

    The FBI specifically pointed to the threat of banking trojans, which involve a
    malicious virus hiding on a user's mobile device until a legitimate banking
    app is downloaded. Once the real app is on the device, the banking trojan
    then overlays the app, tricking the user into clicking on it and inputting
    their banking login credentials.

    Fake banking apps were also cited as a threat, with users in danger of
    being tricked into downloading malicious apps that also steal sensitive
    banking information.

    In order to combat these threats, the FBI recommended that Americans only
    download banking apps from official app stores or from banking websites and
    that banking app users enable two-factor authentication on their accounts
    and use strong passwords. [...]

    FBI warns hackers are targeting mobile banking apps

    ------------------------------

    Date: Thu, 11 Jun 2020 19:41:13 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: OpenAI's Text Generator Is Going Commercial (WiReD)

    The research institute was created to steer AI away from harmful uses. Now
    it's competing with tech giants to sell a cloud-computing service to
    businesses.

    Last spring, artificial intelligence research institute OpenAI said it had
    made software so good at generating text -- including fake news articles --
    that it was too dangerous to release. That line in the sand was soon erased
    when two recent master's grads recreated the software and OpenAI released
    the original, saying awareness of the risks had grown and it hadn't seen
    evidence of misuse.

    Now the lab is back with a more powerful text generator and a new pitch: Pay
    us to put it to work in your business. Thursday, OpenAI launched a cloud
    service that a handful of companies are already using to improve search or
    provide feedback on answers to math problems. It's a test of a new way of
    programming AI and the lab's unusual business model.

    OpenAI’s Text Generator Is Going Commercial

    ------------------------------

    Date: Thu, 11 Jun 2020 09:58:10 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Zoom disables accounts of former Tiananmen Square student leader

    *Chinese dissidents in US targeted after announcing plans for video call
    commemorating 1989 massacre*

    Zoom disabled the accounts of a group of Chinese dissidents in the US after
    they used its video conference service to commemorate the Tiananmen Square
    massacre.

    Zoom's role in shutting down the meeting, which was hosted and organised by
    activists in the US but included participants dialing in from China, will
    increase fears about the platform's security and how it will respond to
    government censorship requests.

    Zoom's video chat service has exploded in popularity since lockdowns were
    introduced across the globe to slow the spread of Covid-19. The company,
    which is listed on Nasdaq, has a large operation in China: almost a third
    of its workers are based in the country and much of its research and
    development takes place there. It also has servers in China.

    The annual Tiananmen Square commemoration was hosted on Zoom by a group of
    Chinese activists in the US, including Wang Dan, one of the most prominent
    leaders of the pro-democracy student movement that was crushed by the
    Chinese army in Beijing on June 4 1989.

    Mr Wang's team shared screenshots with the *Financial Times* of his Zoom
    call being canceled twice and two of his team's paid Zoom accounts being
    disabled. The cancellations started just as the meetings were due to begin
    on the morning of June 4 in Washington, where Mr Wang is based. He added
    that as of Thursday, the accounts remained disabled. [...]

    [Lauren Weinstein noted this:
    Zoom closes account of U.S.-based Chinese activist after Tiananmen event
    (Axios): Zoom is effectively an arm of the Chinese communist government.
    You should not be using it, there are many alternatives. -L
    Zoom closed account of U.S.-based Chinese activist “to comply with local law”
    PGN]

    ------------------------------

    Date: Wed, 10 Jun 2020 14:48:44 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Amazon bans police use of face recognition tech for one year (CNBC)

    Amazon bans police use of facial recognition technology for one year

    ------------------------------

    Date: Thu, 11 Jun 2020 22:04:53 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Data from 15M phones shows some Americans are gathering at
    pre-pandemic levels (NBC News)

    Cellphone location data shows where people are leaving home and coming near other people.

    Analysis: Data from 15M phones shows Americans are starting to be around one another at pre-pandemic levels

    ------------------------------

    Date: Fri, 12 Jun 2020 11:53:42 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: The hidden detectors looking for guns and knives (BBC)

    The hidden detectors looking for guns and knives

    Security screens are inconvenient; they slow consumer foot traffic to
    benefit public safety.

    Enter real-time AI to assess the shape and density of concealed objects in
    high-foot traffic areas (transportation terminals, entertainment venues,
    office doorways). Potted plants frequently conceal metal and temperature
    detectors. Some detectors apply passive (non-ionizing) radiation to resolve
    features.

    Add facial recognition to auto-profile using Clearview AI to resolve
    (erroneously or not, given unknown false{positive, negative}) a name,
    address, social media linkage, etc.

    Significant, possibly panoptic, auto-profile ingress/egress go/no-go
    processing can promote complacency among security personnel, and raise alarm
    fatigue risk. Reducing human security footprint (aka business operational
    expense) is apparently a key motive fueling the business.

    Surveillance-enabling technologies seek to displace Barney beagle and other
    manual inspection deterrents. Over-reliance on deployed technology, without
    demonstrable public safety benefits (as measured by false positive/negative
    outcome, etc. versus human inspection) may prove catastrophic.

    ------------------------------

    Date: Wed, 10 Jun 2020 14:55:24 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Trump Order Confronts Big Tech Bias (Whitehouse)

    <Executive Order on Preventing Online Censorship | The White House>

    President Trump finally issued an Executive Order targeting viewpoint
    discrimination by Big Tech social media companies. The Order grows out of
    Trump's summit on this thorny issue last July. Topping the list of targets
    are Facebook, Twitter, Instagram, YouTube and Google, but there are many
    other possibilities.

    This form of discrimination is very much uncharted legal territory. The
    chosen central concept for Big Tech wrongdoing is censorship, as the EO is
    titled *Executive Order on Preventing Online Censorship*. This choice in
    itself is a strategic legal decision.

    The Order is basically a hunting license for federal agencies. There are
    two distinct parts. The first is basically laying out a number of legal
    arguments. If you are not familiar with the legal issues this may seem like
    empty rhetoric, but it is actually the opposite. The lawyers who wrote this
    order are preparing to stand before a judge.

    In fact the Order begins by focusing on the present law, which protects Big
    Tech from liability when they publish someone else's content. Here is the
    opening paragraph on that legal issue. Note that it is presented as a
    Federal policy. [...]

    Trump Order Confronts Big Tech Bias

    ------------------------------

    End of RISKS-FORUM Digest 31.98
    ************************
  11. LakeGator

    Risks Digest 32.01

    RISKS List Owner

    Jun 16, 2020 3:53 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 16 June 2020 Volume 32 : Issue 01

    Contents:
    Russia Exploits Conspiracy Mill Americans Built (Nicole Perlroth)
    Fox News runs digitally altered images in coverage of Seattle's
    protests in the Capitol Hill Autonomous Zone (sundry sources)
    Harassment and cyberstalking (Travis Andersen)
    Elite CIA unit that developed hacking tools failed to secure its own
    systems, allowing massive leak, an internal report found (WashPost)
    Digitality, Personal Security & Privacy Risks (Robert Mathews)
    South African bank to replace 12M cards after employees stole master key
    (ZDNet)
    Spies Can Listen to Your Conversations by Watching a Light Bulb in the Room
    (The Hacker News)
    Feds allege eBay terror campaign against Natick publishers of articles the
    company didn't like (Universal Hub)
    USA T-Mobile Hit by Widespread Voice and Data Outage (jonathan spira)
    Google is messing with the address bar again -- new experiment hides URL
    path (Ars Technica)
    30,000 Unsuspecting Rose Bowl Attendees Were Scooped Up in a Facial
    Recognition Test (Medium)
    Joanna Hoffman: Facebook is peddling 'an addictive drug called anger' (CNBC)
    Why jK8v!ge4D isn't a good password (Toward Data Science)
    IoT Nutrition Labels (Keith Medcalf)
    What Zebra Mussels Can Tell Us About Errors In Coronavirus Tests (npr.org)
    Re: Election fiasco: Georgia on my mind (Bob Brown)
    Re: Multiple US agencies have purchased this mysterious mobile
    (Steve Singer)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 16 Jun 2020 11:55:14 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Russia Exploits Conspiracy Mill Americans Built (Nicole Perlroth)

    *The New York Times* front page today 16 Jun 2020 [PGN-ed]

    This is a remarkably comprehensive take on the saga that began in the Iowa
    caucuses in February 2016, Robby Mook (who was falsely accused of developing
    the app that came from Shadow Inc.), the Kremlin-backed Russian Internet
    Research Agency, and more that continues today.

    Clint Watts, former FBI special agent: "The Kremlin doesn't need to make
    fake news any more. It's all American made."

    Russians have concluded that it is easier to identify divisive content from
    real Americans [rather than masquerading as real Americans] and help it
    spread through low-profile networks of social media accounts.

    Cindy Otis, former CIA analyst: "Russia's trolls learned it is far more
    effective to find the sore spots and amplify content by native English
    speakers than it is to spin out their own wackadoodle conspiracy theories."

    @DanRadov [who had earlier promulgated various Russian fake news as formerly
    @DanWals83975326, and who is still active]: "U.S. has long been in the
    position when one spark can burn the whole country down and all of the
    United West for that matter. Buckle your seatbelts people. We are up for a
    rough ride."

    ------------------------------

    Date: Mon, 15 Jun 2020 19:19:11 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Fox News runs digitally altered images in coverage of Seattle's
    protests in the Capitol Hill Autonomous Zone (sundry sources)

    Fox News published digitally altered and misleading photos on stories about
    Seattle's Capitol Hill Autonomous Zone (CHAZ) in what photojournalism
    experts called a clear violation of ethical standards for news
    organizations.

    As part of a package of stories Friday about the zone, where demonstrators
    have taken over several city blocks on Capitol Hill after Seattle police
    abandoned the East Precinct, Fox's website for much of the day featured a
    photo of a man standing with a military-style rifle in front of what
    appeared to be a smashed retail storefront.

    The image was actually a mashup of photos from different days, taken by
    different photographers — it was done by splicing a Getty Images photo of an
    armed man, who had been at the protest zone June 10, with other images from
    May 30 of smashed windows in downtown Seattle. Another altered image
    combined the gunman photo with yet another image, making it appear as though
    he was standing in front of a sign declaring “You are now entering Free Cap
    Hill.”

    Fox News runs digitally altered images in coverage of Seattle’s protests, Capitol Hill Autonomous Zone

    Fox News Removes a Digitally Altered Image of Seattle Protests: Fox News
    acknowledged that one photo was a combination of several images, and a
    second was taken in a different city.

    Fox News Removes Digitally Altered, Misleading Photos of Seattle 'Autonomous Zone' From Website

    Fox News removes altered images from Seattle protest
    Fox News removes altered and misleading protest images after Seattle Times report

    ------------------------------

    Date: Mon, 15 Jun 2020 14:30:48 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Harassment and cyberstalking (Travis Andersen)

    `We are going to crush this lady': Six former eBay employees charged in
    federal cyberstalking case targeting Natick couple

    Travis Andersen, *The Boston Globe*, 15 Jun 2020

    Six eBay employees including a former police captain in California last year
    engaged in a relentless campaign of harassment and cyberstalking of a Natick
    couple that published a newsletter critical of the online retailer, sending
    items including fly larvae, live spiders, and a bloody pig mask to their
    home and traveling to Massachusetts to conduct surveillance of the victims
    in an effort to get them to stop publishing, authorities alleged Monday.

    ‘We are going to crush this lady’: Six former eBay employees charged in federal cyberstalking case targeting Natick couple - The Boston Globe

    ------------------------------

    Date: Tue, 16 Jun 2020 10:33:59 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Elite CIA unit that developed hacking tools failed to secure its
    own systems, allowing massive leak, an internal report found (WashPost)

    The publication of ‘Vault 7’ cyber tools by WikiLeaks marked the largest data loss in agency history, a task force concluded.

    https://www.washingtonpost.com/nati...2e3456-ae9d-11ea-8f56-63f38c990077_story.html

    ------------------------------

    Date: Fri, 12 Jun 2020 17:20:10 -0700 (PDT)
    From: "Robert Mathews (OSIA)" <mat...@hawaii.edu>
    Subject: Digitality, Personal Security & Privacy Risks (sundry sources)

    Who are their targets? NGOs, Journalists, Activists for now.... but,
    literally, ANYONE and EVERYONE are at risk ..... Immediately following are
    TWO VERY different reports that represent TWO very DIFFERENT angles and
    hazards to personal safety, personal security and personal privacy in the
    digital universe.

    John Scott-Railton, Adam Hulcoop, Bahr Abdul Razzak, Bill Marczak, Siena
    Anstis, and Ron Deibert, *Dark Basin*, Uncovering a Massive Hack-For-Hire
    Operation, *THE CITIZEN LAB*, 9 Jun 2020
    Dark Basin: Uncovering a Massive Hack-For-Hire Operation - The Citizen Lab

    and... "The thrill of the hunt"..... except, in this case.... the fox
    may not have a tail, be red... or even be a fox! ...

    MISTAKEN IDENTITY
    Olivia Nuzzi, *New York Magazine - Intelligencer*, 8 Jun 2020
    *What It's Like to Get Doxed for Taking a Bike Ride*

    Sasha Ingber, *Newsy*, 11 Jun 2020
    *Former Air Force Officer Fears Intelligence Collected On Protesters*

    [Nuzzi is Newsy!!! PGN]

    ------------------------------

    Date: Mon, 15 Jun 2020 10:33:31 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: South African bank to replace 12M cards after employees stole
    master key (ZDNet)

    [Thanks to Gene Spafford]

    South African bank to replace 12m cards after employees stole master key | ZDNet

    [Risks of all the nest-eggs in one basket. PGN]

    ------------------------------

    Date: Sun, 14 Jun 2020 11:04:02 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Spies Can Listen to Your Conversations by Watching a Light Bulb in
    the Room (The Hacker News)

    You might not believe it, but it's possible to spy on secret conversations
    happening in a room from a nearby remote location just by observing a light
    bulb hanging in there -- visible from a window -- and measuring the amount
    of light it emits.

    A team of cybersecurity researchers has developed and demonstrated a novel
    side-channel attacking technique that can be applied by eavesdroppers to
    recover full sound from a victim's room that contains an overhead hanging
    bulb.

    The findings were published in a new paper by a team of academics -- Ben
    Nassi, Yaron Pirutin, Adi Shamir, Yuval Elovici and Boris Zadov -- from
    Israel's Ben-Gurion University of the Negev and the Weizmann Institute of
    Science, which will also be presented at the Black Hat USA 2020 conference
    later this August.
    <Black Hat USA 2020 | Briefings Schedule>

    The technique for long-distance eavesdropping, called "Lamphone
    <https://www.nassiben.com/lamphone>," works by capturing minuscule sound
    waves optically through an electro-optical sensor directed at the bulb and
    using it to recover speech and recognize music.

    How Does the 'Lamphone Attack' Work? [...]
    Spies Can Listen to Your Conversations by Watching a Light Bulb in the Room
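
    The signal path described above (sound -> tiny brightness fluctuation of
    the bulb -> sampled light intensity -> recovered audio), simulated end to
    end as an added example. This is not code from the Lamphone paper or from
    The Hacker News article; the sample rate, the modulation depth, the slow
    brightness drift, the noise level, the two-tone stand-in for speech and the
    moving-average filter are all assumptions made for the simulation. The
    point it shows is that the audio-driven component is orders of magnitude
    smaller than the bulb's steady brightness and its slow drift, so the raw
    intensity trace barely correlates with the sound, while a simple
    DC-removal step recovers it well enough to identify the dominant tone.

```python
"""Toy simulation of the Lamphone signal path (added example, not from the
paper): sound -> bulb brightness -> sampled intensity -> recovered audio.
Every constant here is an assumption, not a measured value."""
import math
import random

SAMPLE_RATE = 8000   # assumed electro-optical sensor sampling rate (Hz)
DURATION_S = 0.5
# Constructed stand-in for room audio: a louder 440 Hz tone plus a weaker 660 Hz tone.
TONES = ((440.0, 1.0), (660.0, 0.4))


def make_audio(n, rate=SAMPLE_RATE, tones=TONES):
    """Constructed input signal, peak amplitude at most 1.0."""
    total_weight = sum(w for _, w in tones)
    return [sum(w * math.sin(2 * math.pi * f * i / rate) for f, w in tones) / total_weight
            for i in range(n)]


def bulb_intensity(audio, rate=SAMPLE_RATE, dc=1000.0, modulation=0.005,
                   drift=0.05, drift_hz=2.0, noise=0.5, seed=1):
    """Model of what the sensor sees: a large constant brightness, a slow drift
    (assumed ten times larger than the audio effect), a minuscule audio-driven
    modulation, and Gaussian sensor noise.  All depths are assumptions."""
    rng = random.Random(seed)
    out = []
    for i, a in enumerate(audio):
        slow = drift * math.sin(2 * math.pi * drift_hz * i / rate)
        out.append(dc * (1.0 + slow + modulation * a) + rng.gauss(0.0, noise))
    return out


def recover_audio(intensity, window=64):
    """Subtract a moving average (removes the DC level and the slow drift) and
    rescale to unit peak, leaving the audio-band fluctuation."""
    n = len(intensity)
    half = window // 2
    prefix = [0.0]
    for v in intensity:
        prefix.append(prefix[-1] + v)
    out = []
    for i in range(n):
        lo, hi = max(0, i - half), min(n, i + half)
        out.append(intensity[i] - (prefix[hi] - prefix[lo]) / (hi - lo))
    peak = max(abs(v) for v in out) or 1.0
    return [v / peak for v in out]


def correlation(a, b):
    """Pearson correlation between two equal-length signals."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den if den else 0.0


def goertzel_power(signal, freq, rate=SAMPLE_RATE):
    """Goertzel algorithm: power in one frequency bin, used as a minimal
    'recognise the tone' step."""
    n = len(signal)
    k = int(0.5 + n * freq / rate)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in signal:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2


def dominant_tone(signal, candidates=(220.0, 440.0, 660.0, 880.0, 1320.0)):
    """Return the candidate frequency carrying the most power."""
    return max(candidates, key=lambda f: goertzel_power(signal, f))


def run_demo():
    """Run the whole chain and report how well the audio survives it."""
    n = int(SAMPLE_RATE * DURATION_S)
    audio = make_audio(n)
    light = bulb_intensity(audio)
    recovered = recover_audio(light)
    return {
        "raw_correlation": correlation(light, audio),
        "recovered_correlation": correlation(recovered, audio),
        "dominant_tone": dominant_tone(recovered),
    }


if __name__ == "__main__":
    print(run_demo())
```

    A real deployment would replace the constructed intensity trace with
    samples from a photodiode behind a telescope, and the paper's own
    filtering and equalisation are not reproduced here; the moving average is
    just the simplest filter that makes the point.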

    ------------------------------

    Date: Mon, 15 Jun 2020 21:30:29 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Feds allege eBay terror campaign against Natick publishers of
    articles the company didn't like (Universal Hub)

    Feds allege eBay terror campaign against Natick publishers of articles the company didn't like

    ------------------------------

    Date: June 16, 2020 at 10:07:52 GMT+9
    From: jonath...@accuramediagroup.com
    Subject: USA T-Mobile Hit by Widespread Voice and Data Outage

    This has been driving us crazy all day...

    T-Mobile Hit by Widespread Voice and Data Outage

    "T-Mobile customers across the country are reporting issues placing and
    receiving calls as well as when using data services. The self-proclaimed
    *Uncarrier* said it began to experience an unspecific network outage that is
    impacting hundreds of thousands of customers starting in the early
    afternoon.

    ``Our engineers are working to resolve the widespread voice and text
    issue,'' the company said on its website. It went on to recommend that
    customers use third-party messaging.

    ------------------------------

    Date: Mon, 15 Jun 2020 11:44:50 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Google is messing with the address bar again -- new experiment
    hides URL path (Ars Technica)

    [BAD IDEA!]

    I've noted in the past why this is a TERRIBLE idea. Yes, URLs can be long
    and messy, but they frequently provide *critical* cues that you're on the
    correct pages. Further tampering with them is an invitation to new kinds of
    confusion and hack attacks.

    Google is messing with the address bar again -- new experiment hides URL path

    ------------------------------

    Date: Fri, 12 Jun 2020 16:49:18 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: 30,000 Unsuspecting Rose Bowl Attendees Were Scooped Up in a Facial
    Recognition Test (Medium)

    https://onezero.medium.com/90-000-u...-up-in-a-facial-recognition-test-18c843909858

    ------------------------------

    Date: Sat, 13 Jun 2020 17:23:32 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: Joanna Hoffman: Facebook is peddling 'an addictive drug called
    anger' (CNBC)

    https://www.cnbc.com/2020/06/12/joa...-peddling-an-addictive-drug-called-anger.html

    ------------------------------

    Date: Sat, 13 Jun 2020 11:57:13 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Why jK8v!ge4D isn't a good password (Toward Data Science)

    There's a fundamental issue with password validation

    https://towardsdatascience.com/why-password-validation-is-garbage-56e0d766c12e

    ------------------------------

    Date: Sat, 13 Jun 2020 08:33:52 -0600
    From: "Keith Medcalf" <kmed...@dessus.com>
    Subject: IoT Nutrition Labels

    The major items missing from the "Nutrition Label" is whether or not the
    "Thing" will still "Thing" when the "Internet" is not and never has been
    present.

    Without that information it is impossible for any rational decision to be
    made and one must assume that the "Thing" will not "Thing" and is therefore
    completely unsuitable for use.

    ------------------------------

    Date: Tue, 16 Jun 2020 09:03:14 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: What Zebra Mussels Can Tell Us About Errors In Coronavirus Tests
    (npr.org)

    https://www.npr.org/sections/health...can-tell-us-about-errors-in-coronavirus-tests

    Good discussion of false negative/positive outcomes for polymerase chain
    reaction (PCR) diagnostic tests.

    "The PCR tests, when done perfectly, do boast a very low false-positive
    rate. But they're not always done perfectly.

    "Certified labs like hers use procedures to reduce the risk of false test
    results, since a false-positive test can lead to a medical misdiagnosis. But
    slip-ups are inevitable.

    "Most errors are caused by poor sample handling or other errors even before
    a sample gets to the lab, she says.

    "And PCR is so incredibly sensitive, contamination is a particular concern.
    Even the tiniest amount of stray material in a lab can spell trouble, Pritt
    says."

    ------------------------------

    Date: Fri, 12 Jun 2020 21:19:33 -0400
    From: Bob Brown <Bob.Brown@EmoryCottage.net>
    Subject: Re: Election fiasco: Georgia on my mind (RISKS-31.99)

    Every registered voter in Georgia received an absentee ballot request form.
    While the voter still had to return the form to receive an absentee ballot,
    every Georgia voter had an opportunity to vote using a hand-marked paper
    ballot submitted by postal mail.

    ------------------------------

    Date: Sat, 13 Jun 2020 10:09:56 -0400
    From: Steve Singer <s...@dedicatedresponse.com>
    Subject: Re: Multiple US agencies have purchased this mysterious mobile
    eavesdropping device (RISKS-31.98)

    The only way to view site content is to disable ad blocking or more
    generally, script blocking -- and I find that unappealing, even temporarily.

    A business model apparently overrides any information-providing mission. My
    personal vote is thumbs-down; others are free to choose differently.

    - - - - -

    "AD BLOCKER INTERFERENCE DETECTED

    Thank you for visiting this site. Unfortunately we have detected that you
    might be running custom adblocking scripts or installations that might
    interfere with the running of the site.

    We don't mind you running adblocker, but could you please either disable
    these scripts or alternatively whitelist the site, in order to continue.
    Thanks for your support"

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.01
    ************************
     
  12. LakeGator

    Risks Digest 32.02

    RISKS List Owner

    Jun 21, 2020 4:45 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Sunday 21 June 2020 Volume 32 : Issue 02

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The RISKS Digest> as
    <The RISKS Digest, Volume 32 Issue 02>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    TikTok Teens and K-Pop Fans Say They Sank Trump Rally (The New York Times)
    Widespread VSAP failures in California March 2020 primary (LA County)
    China Reports Progress in Ultra-Secure Satellite Transmission (NYTimes)
    U.S. blacklists 'China's MIT' as tech war enters new phase
    (Nikkei Asian Review)
    French Court Strikes Down Most of Online Hate Speech Law (NYTimes)
    Who's a Bot? Who's Not? (NYTimes)
    Microsoft 365 Security vulnerability (Forbes)
    Russia to install Orwellian facial recognition ... (Moscow Times)
    Apparent suicide by 20-year-old Robinhood trader who saw a negative
    $730,000 balance prompts app to make changes (CNN)
    Mild virus cases may bestow far lower immunity (AFP)
    Contact Tracing (Lauren Weinstein)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 21 Jun 2020 08:21:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: TikTok Teens and K-Pop Fans Say They Sank Trump Rally (NYTimes)

    Taylor Lorenz, Kellen Browning and Sheera Frenkel,
    *The New York Times website*, 21 Jun 2020 [not yet in print]

    Did a successful prank inflate attendance expectations for President Trump's
    rally in Tulsa, Okla.? [...]

    TikTok users and fans of Korean pop music groups claimed to have
    registered potentially hundreds of thousands of tickets for Mr. Trump's
    campaign rally as a prank. After the Trump campaign's official account
    @TeamTrump posted a tweet asking supporters to register for free tickets
    using their phones on June 11, K-pop fan accounts began sharing the
    information with followers, encouraging them to register for the rally --
    and then not show.

    The trend quickly spread on TikTok, where videos with millions of views
    instructed viewers to do the same, as CNN reported on Tuesday. ``Oh no, I
    signed up for a Trump rally, and I can't go,'' one woman joked, along with
    a fake cough, in a TikTok posted on June 15.

    TikTok Teens and K-Pop Stans Say They Sank Trump Rally

    [The title Monty sent me is the one online, which says `Stans' instead of
    `Fans'. Could be a ligature problem? I presume it might get corrected
    later. I am ahead of the curve. PGN]

    ------------------------------

    Date: Sat, 20 Jun 2020 16:23:51 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Widespread VSAP failures in California March 2020 primary (LA County)

    [Sources: LA County Registrar's Office and a consultant's investigation. PGN]

    ``During the 2020 primary election, Los Angeles County launched its new
    Voting Solutions for All People (VSAP), a highly ambitious project that
    dramatically changed the experience of voting in the nation’s most
    populous county. Although many voters welcomed the improvements, many
    others experienced significant challenges, including excessive wait times
    at Vote Centers.'' [...]

    ``Overarching quality control breakdowns and vendor management issues:
    Inadequate vendor and timeline management resulted in a lack of quality
    assurance for election processes and technology deployments. Poor
    technology vendor management resulted in the lack of identification of
    critical design issues. This led to long wait times and a poor voter
    experience during the election.''

    https://ceo.lacounty.gov/wp-content/uploads/2020/06/LAC-Voting-Assessment-Summary-of-Findings.pdf?utm_content=&utm_medium=email&utm_name=&utm_source=govdelivery&utm_term=
    (5 Jun 2020)

    A commissioned evaluation report is also relevant:
    LAC-Voting-Assessment-Summary-of-Findings.pdf

    [Both of these sources add fuel to the fires continuing to burst anew
    relating to election integrity. The first one relates to the LA County
    Registrar, extensive voter disenfranchisement, compliance issues, and
    problems with the VSAP system -- including lack of adequate testing. The
    prospects for clean elections in November are continuing to be highly
    questionable. PGN]

    ------------------------------

    Date: Tue, 16 Jun 2020 15:35:44 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: China Reports Progress in Ultra-Secure Satellite Transmission
    (NYTimes)

    Researchers enlisted quantum physics to send a secret key for encrypting and
    decrypting messages between two stations 700 miles apart.

    China Reports Progress in Ultra-Secure Satellite Transmission

    ------------------------------

    Date: Wed, 17 Jun 2020 19:56:44 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: U.S. blacklists 'China's MIT' as tech war enters new phase
    (Nikkei Asian Review)

    US blacklists 'China's MIT' as tech war enters new phase

    ------------------------------

    Date: Fri, 19 Jun 2020 20:28:24 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: French Court Strikes Down Most of Online Hate Speech Law
    (The New York Times)

    PARIS — A top French court on Thursday struck down critical provisions of a
    law passed by France's parliament last month to combat online hate speech,
    dealing a severe blow to the government's effort to police Internet content.

    The court’s ruling comes as authorities around the world try to regulate
    what can be shared on vast Internet platforms like Facebook, YouTube or
    Twitter, all American companies with attitudes toward free speech and
    government oversight that often differ from Europe's.

    The flagship provision in France's new law, which was supported by President
    Emmanuel Macron's government and sponsored by his party, created an
    obligation for online platforms to take down hateful content flagged by
    users within 24 hours. If the platforms failed to do so, they risked fines
    of up to 1.25 million euros, or about $1.4 million.

    But the Constitutional Council, a French court that reviews legislation to
    ensure it complies with the French constitution, noted in its ruling on
    Thursday that the measure put the onus for analyzing content solely on tech
    platforms without the involvement of a judge, within a very short time
    frame, and with the threat of hefty penalties.

    French Court Strikes Down Most of Online Hate Speech Law

    ------------------------------

    Date: Sun, 21 Jun 2020 08:53:28 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Who's a Bot? Who's Not? (NYTimes)

    It sometimes seems that automated bots are taking over social media and
    driving human discourse. But some (real) researchers aren't so sure.

    Who’s a Bot? Who’s Not?

    ------------------------------

    Date: Thu, 18 Jun 2020 20:18:57 -0700
    From: Peter G Neumann <Neu...@CSL.SRI.COM>
    Subject: Microsoft 365 Security vulnerability

    Hackers ‘Hijack’ Samsung And Oxford University Servers To Defeat Microsoft 365 Security

    ------------------------------

    Date: Fri, 19 Jun 2020 19:19:05 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: Russia to install Orwellian facial recognition ... (Moscow Times)

    Russia to Install ‘Orwell’ Facial Recognition Tech in Every School – Vedomosti - The Moscow Times

    ------------------------------

    Date: Sat, 20 Jun 2020 09:50:45 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Apparent suicide by 20-year-old Robinhood trader who saw a negative
    $730,000 balance prompts app to make changes (CNN)

    Poorly designed UIs can have devastating consequences. (LW)

    Apparent suicide by 20-year-old Robinhood trader who saw a negative $730,000 balance prompts app to make changes - CNN

    ------------------------------

    Date: Sat, 20 Jun 2020 16:57:09 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Mild virus cases may bestow far lower immunity (AFP)

    People who catch COVID-19 but don't show symptoms may have significantly
    lower levels of immunity against the virus than those who become severely
    ill, new research showed Thursday.

    The majority of virus patients display relatively minor signs of infection,
    and a small proportion show no symptoms at all.

    Very little is known about this group, given that they are far less likely
    to be tested than those who go on to develop severe symptoms including
    respiratory problems.

    Researchers based in China compared two groups of individuals infected with
    COVID-19 in Chongqing's Wanzhou district: 37 who showed symptoms versus 37
    who did not.

    The researchers analysed blood samples from both groups taken a few weeks
    after recovering and found that just 62.2 percent of the asymptomatic group
    had short-term antibodies, compared with 78.4 percent of symptomatic
    patients.

    After eight weeks of convalescence, antibody presence had fallen in 81.1
    percent of asymptomatic patients, compared with 62.2 percent of symptomatic
    patients.

    What's more, asymptomatic patients were found to have lower levels of 18
    pro- and anti-inflammatory cell-signaling proteins than the symptomatic
    group, suggesting a weaker immune response to the novel coronavirus.

    Authors of the study, which was published in Nature Medicine, said their
    findings called into question the idea that everyone who has had
    coronavirus is immune to future infection. [...]

    The news hub

    ------------------------------

    Date: Sun, 21 Jun 2020 12:40:16 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Contact Tracing

    As I predicted, contact tracing here in the U.S. is largely a failure. Most
    people don't trust any apps for this purpose, and refuse to give personal
    information to human tracers who contact them (no pun intended). This wasn't
    rocket science to predict.

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    RISKS Info Page

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <riskinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: The RISKS Digest takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    The RISKS Digest --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.02
    ************************
     
  13. LakeGator

    Risks Digest 32.03

    RISKS List Owner

    Jun 25, 2020 12:55 AM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Wednesday 24 June 2020 Volume 32 : Issue 03

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The RISKS Digest> as
    <The RISKS Digest, Volume 32 Issue 03>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Vehicle Attacks Rise As Extremists Target Protesters (npr.org)
    Chrome extensions with 33 million downloads slurped sensitive user data
    (Ars Technica)
    Millions of documents from >200 US police agencies published in BlueLeaks
    trove (Ars Technica)
    Wrongfully Accused by an Algorithm (NYTimes)
    If T-Mobile's giant outage affected you, now's your chance to tell the FCC
    (Ars Technica)
    This sneaky malware goes to unusual lengths to cover its tracks (ZDNet)
    Masked arsonist might've gotten away with it if she hadn't left Etsy review
    (Jon Brodkin)
    Crooks abuse Google Analytics to conceal theft of payment card data
    (Ars Technica)
    Bot mafias have wreaked havoc in World of Warcraft Classic (WiReD)
    The Pentagon's Bottomless Money Pit (RollingStone)
    Testing, testing, testing (Rob Slade)
    Coronavirus misinformation, and how scientists can help to fight it
    (Dave Farber)
    Wirecard, a Payments Firm, Is Rocked by a Report of Missing $2B (NYTimes)
    Social Media Giants Support Racial Justice. Their Products Undermine It.
    (NYTimes)
    Square, Jack Dorsey's Pay Service, Is Withholding Money Merchants Say They
    Need (NYTimes)
    Many Medical Decision Tools Disadvantage Black Patients
    Why Obsessive K-Pop Fans Are Turning Toward Political Activism (NYTimes)
    Re: TikTok Teens and K-Pop Fans Say They Sank Trump Rally (William Bader)
    Re: Silicon Valley Can't Be Neutral (John Levine)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 22 Jun 2020 10:16:32 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Vehicle Attacks Rise As Extremists Target Protesters (npr.org)

    Vehicle Attacks Rise As Extremists Target Protesters

    That a kill switch cannot be prophylactically applied to all non-emergency
    vehicles in the vicinity of a protest exposes pedestrian marchers to heinous
    and violent reprisals. A localized kill switch won't halt a '63 Chevy
    Impala.

    Kill switch vulnerabilities have appeared repeatedly in comp.risks:

    The RISKS Digest, Volume 27 Issue 11
    The RISKS Digest, Volume 27 Issue 84
    The RISKS Digest, Volume 28 Issue 24
    The RISKS Digest, Volume 28 Issue 25
    The RISKS Digest, Volume 30 Issue 29

    In The RISKS Digest, Volume 28 Issue 25, Jonathan Zittrain
    <zitt...@law.harvard.edu> states:

    "I know I've long inveighed against vendor (and, by proxy, government)
    control over consumer technology, and I still think that's a central
    threat to both open code and free speech. But all of that
    otherwise-worrisome tech applied to weapons seems to invert the equities."

    Given that kill switches are not readily viable solutions: Laying traffic
    spikes across intersections and at start/end points traversed by protesters
    might suppress vehicle ramming incidents.

    Public safety offices require advanced notification to deploy traffic spikes
    given a march route and duration estimate. Protest planning forbearance
    reduces flash-mob spontaneity, but can enhance pedestrian safety that
    appears absent today.

    ------------------------------

    Date: Tue, 23 Jun 2020 18:49:30 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Chrome extensions with 33 million downloads slurped sensitive user
    data (Ars Technica)

    Chrome extensions with 33 million downloads slurped sensitive user data

    The extensions, which Google removed only after being privately notified of
    them, actively siphoned data such as screenshots, contents in device
    clipboards, browser cookies used to log in to websites, and keystrokes such
    as passwords, researchers from security firm Awake told me. Many of the
    extensions were modular, meaning once installed, they updated themselves
    with executable files, which in many cases were specific to the operating
    system they ran on. Awake provided additional details in this report.

    https://cdn2.hubspot.net/hubfs/3455...-arms-dealers-malicious-domain-registrars.pdf

    ------------------------------

    Date: Tue, 23 Jun 2020 18:34:10 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Millions of documents from >200 US police agencies published in
    BlueLeaks trove (Ars Technica)

    Document dump comes almost 4 weeks after murder by police of George Floyd.

    Millions of documents from >200 US police agencies published in “BlueLeaks” trove | Ars Technica

    ------------------------------

    Date: Wed, 24 Jun 2020 14:49:41 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Wrongfully Accused by an Algorithm (NYTimes)

    In what may be the first known case of its kind, a faulty facial recognition
    match led to a Michigan man's arrest for a crime he did not commit.

    Wrongfully Accused by an Algorithm

    ------------------------------

    Date: Tue, 23 Jun 2020 18:32:41 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: If T-Mobile's giant outage affected you, now's your chance to tell
    the FCC (Ars Technica)

    FCC asks public to describe experiences during last week's 13-hour outage.

    If T-Mobile’s giant outage affected you, now’s your chance to tell the FCC

    ------------------------------

    Date: Wed, 24 Jun 2020 14:20:40 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: This sneaky malware goes to unusual lengths to cover its tracks
    (ZDNet)

    *Glupteba creates a backdoor into infected Windows systems - and researchers
    think it'll be offered to cyber criminals as an easy means of distributing
    other malware.*

    A malware campaign which creates a backdoor providing full access to
    compromised Windows PC, while adding them to a growing botnet, has developed
    some unusual measures for staying undetected.

    Glupteba first emerged in 2018 and started by gradually dropping more
    components into place on infected machines in its bid to create a backdoor
    to the system.

    The malware is continuously in development and in the last few months it
    appears to have been upgraded with new techniques and tactics to coincide
    with a new campaign which has been detailed by cybersecurity researchers at
    Sophos.
    <What is malware? Everything you need to know about viruses, trojans and malicious software | ZDNet>

    The paper <Glupteba malware hides in plain sight> describes Glupteba as
    "highly self-defending malware" with the cyber criminal group behind it
    paying special attention to "enhancing features that enable the malware to
    evade detection".

    However, its method of distribution is relatively simple: it's bundled in
    pirated software, including cracked versions of commercial applications, as
    well as illegal video game downloads. The idea is simply to get as many
    users to download compromised applications which contain the Glupteba
    payload as possible.

    To ensure the best possible chance of a successful compromise, the malware
    is gradually dropped, bit-by-bit onto the system to avoid detection by any
    anti-virus software the user may have installed. The malware also uses the
    EternalBlue SMB vulnerability to help it secretly spread across networks.
    <Why the 'fixed' Windows EternalBlue exploit won't die | ZDNet>

    But that isn't where the concealment and self-defence ends, because even
    after installation Glupteba goes out of its way to stay undetected. [...]
    This sneaky malware goes to unusual lengths to cover its tracks | ZDNet

    ------------------------------

    Date: Sun, 21 Jun 2020 17:00:58 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Masked arsonist might've gotten away with it if she hadn't left
    Etsy review (Jon Brodkin)

    Jon Brodkin, Ars Technica, 18 Jun 2020
    Woman who burned two police cars IDed by tattoo and Etsy review of her
    T-shirt.

    To some extent, every Internet user leaves a digital trail. So when a
    masked arsonist was seen on video setting fire to a police car on the day
    of a recent protest in Philadelphia, the fact that her face was hidden
    didn't prevent a Federal Bureau of Investigation agent from tracking down
    the suspect. The keys ended up being a tattoo and an Etsy review the
    alleged arsonist had left for a T-shirt she was wearing at the scene of
    the crime, according to the FBI.

    Masked arsonist might’ve gotten away with it if she hadn’t left Etsy review

    ------------------------------

    Date: Tue, 23 Jun 2020 18:37:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Crooks abuse Google Analytics to conceal theft of payment card data
    (Ars Technica)

    Ecommerce site's blind trust makes the service a perfect place to dump data.

    Crooks abuse Google Analytics to conceal theft of payment card data

    ------------------------------

    Date: Tue, 23 Jun 2020 18:39:21 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Bot mafias have wreaked havoc in World of Warcraft Classic (WiReD)

    Blizzard has suspended or closed over 74,000 accounts in the last month.

    Bot Mafias Have Wreaked Havoc in 'World of Warcraft Classic'

    ------------------------------

    Date: Mon, 22 Jun 2020 15:32:39 -0500
    From: <bmeac...@earthlink.net>
    Subject: The Pentagon's Bottomless Money Pit (RollingStone)

    When the Defense Department flunked its first-ever fiscal review, one of our
    government's greatest mysteries was exposed: Where does the DoD's $700
    billion annual budget go?

    Contains numerous mentions of huge IT project failures.

    https://www.rollingstone.com/politics/politics-features/pentagon-budget-mystery-807276/


    Just over 50 years ago, Dwight Eisenhower gave his famous farewell address
    warning of the power of the "military-industrial complex." The former war
    commander bemoaned the creation of a "permanent armaments industry of vast
    proportions," and said the "potential for the disastrous rise of misplaced
    power exists and will persist."

    Eisenhower's warning is celebrated by the left as a caution against the
    overweening political power of war-makers, but as we're now seeing, it was
    predictive also as a fiscal conservative's nightmare vision of the future.
    The military has become an unstoppable mechanism for hoovering up taxpayer
    dollars and deploying them in the most inefficient manner possible.

    ------------------------------

    Date: Mon, 22 Jun 2020 11:24:04 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Testing, testing, testing

    Recently, a certain national leader has directed that testing for the
    SARS-CoV-2 virus be "slowed" so that the numbers of new cases of the disease
    will be reduced. This is, of course, flatly ridiculous. Testing does not
    cause problems, it just reveals existing problems. And the lack of testing
    doesn't prevent problems, it only blinds you to the scope of the problem. I
    have told my "testing" story before ...

    Oh, well, what the hey:

    I am reminded of a situation where sales and marketing was supposed to carry
    out virus scans before they installed our product. They had previously been
    using an inferior product, and I mandated that they using a more accurate
    product. At one point a machine was brought in as a problem. First step in
    my process was to scan the machine, and, sure enough, it was infected.

    "Did you scan it?"

    "Yes."

    "Did you use the right scanner?"

    "Well, no, we used the old one."

    "Why did you use the old scanner, when I've specified that you have to use
    the new one?"

    "Well, when we use the one you told us to, it finds viruses ..."

    ------------------------------

    Date: Tue, 23 Jun 2020 10:29:33 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: Coronavirus misinformation, and how scientists can help to fight it

    Coronavirus misinformation, and how scientists can help to fight it

    ------------------------------

    Date: Tue, 23 Jun 2020 08:10:03 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Wirecard, a Payments Firm, Is Rocked by a Report of Missing $2B
    (NYTimes)

    The German company's share price has plunged 80 percent, and its longtime
    chief executive has resigned.

    Wirecard, a Payments Firm, Is Rocked by a Report of a Missing $2 Billion

    ------------------------------

    Date: Tue, 23 Jun 2020 08:13:18 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Social Media Giants Support Racial Justice. Their Products
    Undermine It. (NYTimes)

    Shows of support from Facebook, Twitter and YouTube don't address the way those platforms have been weaponized by racists and partisan provocateurs.

    Social Media Giants Support Racial Justice. Their Products Undermine It.

    ------------------------------

    Date: Tue, 23 Jun 2020 09:16:55 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Square, Jack Dorsey's Pay Service, Is Withholding Money Merchants
    Say They Need (NYTimes)

    Small businesses say the Twitter chief's other company is holding on to 30 percent of their customers' payments during the pandemic.

    Square, Jack Dorsey’s Pay Service, Is Withholding Money Merchants Say They Need

    ------------------------------

    Date: Tue, 23 Jun 2020 09:22:30 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Many Medical Decision Tools Disadvantage Black Patients (NYTimes)

    Doctors look to these digital calculators to make treatment decisions, but
    they can end up denying black patients access to certain specialists, drugs
    and transplants.

    Many Medical Decision Tools Disadvantage Black Patients

    ------------------------------

    Date: Tue, 23 Jun 2020 07:47:12 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Why Obsessive K-Pop Fans Are Turning Toward Political Activism
    (NYTimes)

    After claiming some credit for the fizzling of President Trump's rally in
    Oklahoma, the online armies of Korean pop music listeners are feeling
    prepared and empowered.

    Why Obsessive K-Pop Fans Are Turning Toward Political Activism

    ------------------------------

    Date: Sun, 21 Jun 2020 22:21:24 +0100
    From: William Bader <willia...@gmail.com>
    Subject: Re: TikTok Teens and K-Pop Fans Say They Sank Trump Rally
    (PGN comment in RISKS-32.02)

    > The title Monty sent me is the one online, which says `Stans' instead of
    > `Fans'.

    "A crazed and or obsessed fan. The term comes from the song Stan by eminem.
    The term Stan is used to describe a fan who goes to great lengths to obsess
    over a celebrity." Urban Dictionary: Stan

    [Thanks to at least a dozen readers for helping my education. I stans
    corrected. But I remember Stan Laurel and Oliver Hardy, whom all but the
    oldest RISKS readers probably don't. PGN]

    ------------------------------

    Date: June 24, 2020 6:22:20 JST
    From: John Levine <jo...@iecc.com>
    Subject: Re: Silicon Valley Can't Be Neutral (Via Dave Farber)

    In article <566E5F5C-2B19-4E1E-AF1D-0F1194EDC43B@keio.jp> you write:

    > Silicon Valley Can't Be Neutral in the U.S.-China Cold War --
    > Silicon Valley Can’t Be Neutral in the U.S.-China Cold War

    > In other words, Zoom is rolling out a ``one-company, two-systems model'' --
    > participants in China would be subject to censorship, but those outside of
    > China would not.

    I agree this is pretty creepy, but how is this fundamentally different from
    the way that EU laws like right to be forgotten make search engines results
    in Europe omit stuff that is included other places?

    If you're going to operate in a country at all, you have to follow the
    country's rules. I expect I would have a different answer to whether I'd
    operate in China.

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    RISKS Info Page

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <riskinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: The RISKS Digest takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.03
    ************************
  14. LakeGator

    Risks Digest 32.04


    RISKS-LIST: Risks-Forum Digest Friday 26 June 2020 Volume 32 : Issue 04

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The RISKS Digest> as
    <The RISKS Digest, Volume 32 Issue 04>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    The Army will soon allow users to access classified info from home
    (Army Times via Gene Spafford + PGN)
    CRISPR gene editing in human embryos wreaks chromosomal mayhem (Nature)
    More than 1 million coronavirus stimulus checks went to dead people
    according to the GAO (WashPost)
    How Thousands of Misplaced Emails Took Over This Engineer's Inbox (WiReD)
    Demographic report on protests shows how much info our phones give away
    (Engadget)
    FBI warns K12 schools of ransomware attacks via RDP (ZDNet)
    Hidden Back Door Embedded in Chinese Tax Software, Firm Says (Bloomberg)
    80,000 printers are exposing their IPP port online (ZDNet)
    FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy (Krebs)
    The US-China Battle Over the Internet Goes Under the Sea (WiReD)
    Google Will Delete Your Data by Default in 18 Months (WiReD)
    Re: Medical decision tools (Dr. Robert R. Fenichel)
    Re: Only Sort of Wrongfully Accused by an Algorithm (John Levine)
    Risks for charities, non-profits, small group (Rob Slade)
    AI Ethics: IP Protection for AI-generated and AI-assisted works
    (Eventbrite/Wipo via Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 25 Jun 2020 12:22:56 -0400
    From: Gene Spafford <sp...@purdue.edu>
    Subject: The Army will soon allow users to access classified info from home
    (Army Times)

    Gee, I foresee this as a great innovation with no downsides at all. I can't
    wait for phase 3, when I convert my kitchen to a SCIF.

    The Army will soon allow users to access classified info from home

    [Seriously: All efforts at using untrustworthy computer-communication
    systems for trusted information currently seem to be doomed by our
    inherently compromisable infrastructures. This would seem to be insane
    with today's technology. PGN]

    [Less seriously: This will undoubtedly create many new opportunities to
    "classify" all sorts of illegal activities. Furthermore, Spaf's SCIF
    would have to prevent all emanations of power usage, smoke, and scents --
    and other effluents as well as everything that comes in. Just my
    two-scents worth. However, I can't wait to have access to Spaf's secret
    recipes for Scytl Skittles (big in the voting business), Tarte Putin
    (French gourmet), and Fits-all Schnitzel. PGN]

    ------------------------------

    Date: Thu, 25 Jun 2020 08:04:42 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: CRISPR gene editing in human embryos wreaks chromosomal mayhem
    (Nature)

    CRISPR gene editing in human embryos wreaks chromosomal mayhem

    ------------------------------

    Date: Thu, 25 Jun 2020 15:53:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: More than 1 million coronavirus stimulus checks went to dead people
    according to the GAO (WashPost)

    https://www.washingtonpost.com/us-policy/2020/06/25/irs-stimulus-checks-dead-people-gao/

    No time to check for dead recipients -- what could go wrong?

    ------------------------------

    Date: Thu, 25 Jun 2020 20:44:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How Thousands of Misplaced Emails Took Over This Engineer's Inbox
    (WiReD)

    Kenton Varda gets dozens of messages a day from Spanish-speakers around the
    world, all thanks to a Gmail address he registered 16 years ago.

    Two weeks ago, longtime software engineer Kenton Varda got an email that
    wasn't meant for him. It was from AT&T Mexico to a customer named Jorge,
    whose most recent phone bill was attached. You've probably gotten an email
    intended for someone else at least once. But then Varda got another AT&T
    Mexico bill for Gloria. And then a third for Humberto, who is overdue on
    paying more than 6,200 pesos, about $275.

    To Varda, the incident wasn't a surprise. As the owner of the email account
    temp...@gmail.com, he gets dozens of messages a day from Spanish-speakers
    around the world, all sent by people who thought they could use his address
    as a dummy input: "Temporal" translates to "temporary." Varda says he
    frequently receives private documents, even medical bills and collection
    notices. Many of the most sensitive emails contain legal notices that the
    messages are confidential and should not be disclosed to other parties aside
    from the intended recipient. Varda doesn't speak Spanish, but he uses Google
    Translate when possible to understand what's going on and reply to senders
    saying they have the wrong address.

    "Recently I had a few people send me what appeared to be photographs of
    handwritten notes. Maybe notes from a class?" Varda says. "Also, I received
    several job evaluations of one Jose Gomez, who appears to be a janitor. And
    a pretty good one!"

    https://www.wired.com/story/misplaced-emails-took-over-inbox-temporal/

    [Also noted by Dave Lesher: NO PLATE is back again!
    Maybe try /dev/null? (RISKS-37.37, RISKS-6.40)
    PGN]

    ------------------------------

    Date: Thu, 25 Jun 2020 13:58:30 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Demographic report on protests shows how much info our phones give
    away (Engadget)

    *Mobilewalla gathered cellphone data from Black Lives Matter protesters in
    four cities.*

    If you marched in recent Black Lives Matter protests in Atlanta, Los
    Angeles, Minneapolis or New York, there's a chance the mobile analytics
    company Mobilewalla gleaned demographic data from your cellphone use. Last
    week, Mobilewalla released a report detailing the race, age and gender
    breakdowns of individuals who participated in protests in those cities
    during the weekend of May 29th.
    What is especially disturbing is that protesters likely had no idea that the
    tech company was using location data harvested from their devices.
    <https://www.mobilewalla.com/about/press/new-report-reveals-demographics-of-protests>

    Mobilewalla observed a total of 16,902 devices (1,866 in Atlanta, 4,527 in
    Los Angeles, 2,357 in Minneapolis and 8,152 in New York).
    <https://f.hubspotusercontent40.net/hubfs/4309344/Mobilewalla Protester Insights Methodology.pdf>
    As *BuzzFeed News* explains, Mobilewalla buys data from sources like
    advertisers, data brokers and ISPs. It uses AI to predict a person's
    demographics (race, age, gender, zip code, etc.) based on location data,
    device IDs and browser histories. The company then sells that info
    <https://www.mobilewalla.com/about> to clients so they can ``better
    understand their target customer.''
    <https://www.buzzfeednews.com/article/carolinehaskins1/protests-tech-company-spying>

    ``This report shows that an enormous number of Americans -- probably without
    even knowing it -- are handing over their full location history to shady
    location data brokers with zero restrictions on what companies can do with
    it,'' Senator Elizabeth Warren told *BuzzFeed News*. ``In an end-run around
    the Constitution's limits on government surveillance, these companies can
    even sell this data to the government, which can use it for law and
    immigration enforcement.''

    Mobilewalla CEO Anindya Datta told *BuzzFeed* that the company produced the
    report to satisfy its employees' curiosity. Supposedly, Mobilewalla doesn't
    plan to share info about whether specific individuals attended the protests
    with clients or law enforcement.

    But the incident is a reminder that data brokers have access to massive
    amounts of data from unassuming individuals. There's a chance that data
    could be used by law enforcement or be leaked -- as we've seen happen in
    past data breaches.
    <https://www.engadget.com/2018-06-28-exactis-leak-340-million-records.html>
    Some fear that individuals concerned about their data being swiped might
    avoid protests, so in effect, the practices of collecting data may suppress
    free speech. [...]

    https://www.engadget.com/mobilewalla-data-broker-demographics-protests-214841548.html

    ------------------------------

    Date: Thu, 25 Jun 2020 13:56:30 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: FBI warns K12 schools of ransomware attacks via RDP

    *The FBI has issued a security alert warning K12 schools of the "ransomware
    threat" during the COVID-19 pandemic.*

    The US Federal Bureau of Investigation sent out on Tuesday a security alert
    to K12 schools about the increase in ransomware attacks during the
    coronavirus (COVID-19) pandemic, and especially about ransomware gangs that
    abuse RDP connections to break into school systems.

    The alert, called a Private Industry Notification, or PIN, tells schools
    that "cyber actors are likely to increase targeting of K-12 schools during
    the COVID-19 pandemic because they represent an opportunistic target as
    more of these institutions transition to distance learning."

    Schools are likely to open up their infrastructure for remote staff
    connections, which in many cases would mean creating Remote Desktop Protocol
    (RDP) accounts on internal school systems.

    Over the past two-three years, many ransomware gangs have utilized
    brute-force attacks or vulnerabilities in RDP to breach corporate networks
    and deploy file-encrypting ransomware. [...]
    https://www.zdnet.com/article/fbi-warns-k12-schools-of-ransomware-attacks-via-rdp/

    ------------------------------

    Date: Thu, 25 Jun 2020 13:55:31 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Hidden Back Door Embedded in Chinese Tax Software, Firm Says
    (Bloomberg)

    *Malware targeted UK vendor starting to do business in China*
    *Cybersecurity firm said it has briefed FBI on its discovery*

    When a U.K.-based technology vendor started doing business in China, it
    hired a cybersecurity firm to proactively hunt for any digital threats that
    could arise as part of doing business in the country. The firm discovered a
    problem, one with such major implications that it alerted the FBI.

    A state-owned bank in China had required the tech company to download
    software called Intelligent Tax to facilitate the filing of local taxes.
    The tax software worked as advertised, but it also installed a hidden back
    door that could give hackers remote command and control of the company's
    network, according to a report published Thursday by the SpiderLabs team at
    Chicago-based Trustwave Holdings Inc.
    <https://www.bloomberg.com/quote/TWAV:US> (The cybersecurity firm declined
    to identify the bank).

    ``Basically, it was a wide-open door into the network with system-level
    privileges and command and control server completely separate from the tax
    software's network infrastructure,'' Brian Hussey, vice president of
    cyber-threat detection and response at Trustwave, wrote in a blog post
    <https://www.trustwave.com/en-us/res...tment-and-the-emergence-of-goldenspy-malware/>,
    also published Thursday. The malware, which Trustwave dubbed GoldenSpy,
    isn't downloaded and installed until two hours after the tax software
    installation is completed, he said.

    Trustwave researchers determined that the malware connects to a server
    hosted in China.

    It isn't known how many other companies downloaded the malicious software,
    nor is the purpose of the malware clear or who is behind it, according to
    the report. Trustwave said it disrupted the intrusion at the tech company in
    the early stages. ``However, it is clear the operators would have had the
    ability to conduct reconnaissance, spread laterally and exfiltrate data,''
    according to the report, adding that GoldenSpy had the characteristics of an
    Advanced Persistent Threat campaign. Such efforts are often associated with
    nation-state hacking groups. [...]

    https://www.bloomberg.com/news/arti...or-embedded-in-chinese-tax-software-firm-says
    https://www.msn.com/en-us/finance/o...in-chinese-tax-software-firm-says/ar-BB15Y2So

    ------------------------------

    Date: Thu, 25 Jun 2020 09:59:54 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: 80,000 printers are exposing their IPP port online (ZDNet)

    Printers are leaking device names, locations, models, firmware versions,
    organization names, and even WiFi SSIDs.

    https://www.zdnet.com/article/80000-printers-are-exposing-their-ipp-port-online/

    ------------------------------

    Date: Thu, 25 Jun 2020 10:04:20 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy
    (Krebs)

    An information technology specialist at the Federal Emergency Management
    Agency (FEMA) was arrested this week on suspicion of hacking into the human
    resource databases of University of Pittsburgh Medical Center (UPMC) in
    2014, stealing personal data on more than 65,000 UPMC employees, and selling
    the data on the dark web.

    https://krebsonsecurity.com/2020/06...rged-in-id-theft-tax-refund-fraud-conspiracy/

    ------------------------------

    Date: Thu, 25 Jun 2020 00:41:36 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The US-China Battle Over the Internet Goes Under the Sea (WiReD)

    The DOJ’s opposition to Facebook and Google's 8,000-mile cable to Hong Kong
    highlights how physical infrastructure is as contentious as the virtual
    world.

    https://www.wired.com/story/opinion-the-us-china-battle-over-the-internet-goes-under-the-sea/

    ------------------------------

    Date: Thu, 25 Jun 2020 00:45:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Google Will Delete Your Data by Default in 18 Months (WiReD)

    Starting today, the search giant will make a previously opt-in auto-delete
    feature the norm.

    Google already announced security and privacy upgrades to Android 11 earlier
    this month. But Wednesday's changes focus on the data that Google services
    like Maps and YouTube can access -- and how long they keep it for.

    Pichai wrote in a blog post: ``We’re guided by the principle that products
    should keep information only for as long as it’s useful to you. Privacy is
    personal, which is why we're always working to give you control on your
    terms.''

    Google has been criticized for collecting and retaining data that users
    don't even realize it has. A year ago, the company added auto-delete
    controls that allowed you to set your Google account to delete history --
    like Web and App Activity and location -- every three months or 18
    months. Such a mechanism was long overdue, but Google would still collect
    this data indefinitely by default. You had to find the right toggle in your
    settings to set the auto-delete in motion.

    Google's announcements on Wednesday flips this policy around. Newly formed
    Google accounts will auto-delete activity and location every 18 months by
    default. YouTube history will delete every 36 months. Existing accounts,
    though, will still need to proactively turn on the feature, as Google
    doesn't want to force a change on users who, for whatever reason, want the
    company to maintain a forever-record of their activity. (You can find our
    complete guide to limiting Google's tracking here.) As soon as you do, the
    company will nuke your accumulated activity and location data that's 18
    months or older, and continue to do so going forward. Google will also push
    notifications and email reminders to get existing customers to review their
    data retention settings.

    https://www.wired.com/story/google-auto-delete-data/

    ------------------------------

    Date: Wed, 24 Jun 2020 22:44:52 -0700
    From: "Robert R. Fenichel" <b...@fenichel.net>
    Subject: Re: Medical decision tools (RISKS-32.03)

    The NYT article cited by Monty Solomon was ill-informed. In a nutshell, it
    confused decision rules with estimation tools.

    One of its central examples had to do with the glomerular filtration rate
    (GFR), an important measure of renal function. To measure the GFR
    accurately, one infuses a specialized, non-physiological, non-metabolized
    substance and observes how rapidly it is cleared into the urine. This is a
    tricky procedure, rarely done outside research laboratories.

    Medical decisions are often made on the basis of an *estimated* GFR (eGFR),
    obtained by measuring the serum concentration of some physiological solute
    that is (mostly) eliminated into the urine. The solute most frequently used
    is creatinine, a byproduct of muscle metabolism. With creatinine data and a
    body of true GFR data, it is a curve-fitting exercise to see what eGFR
    formula best predicts the true GFR.

    As a matter of empirical fact, the fit is improved by formulas that include
    age, sex, and self-reported race. Decisions about medical care (for
    example, when to begin hemodialysis) should be based on the best estimates
    of patients' physiological state. If GFR were estimated using simpler
    formulas, blind to sex, age, and race, patient care would be worse.

The conventional eGFR formulas are not restricted to medical systems that,
like those of private medical care in the US, have been credibly charged
with providing poor service to racial minorities and to women. The same
formulas are used in socialized systems, including that of the US military
and, of course, those of developed countries around the world.

    Robert R. Fenichel, M.D.: http://www.fenichel.net

    ------------------------------

    Date: 25 Jun 2020 16:46:01 -0400
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Only Sort of Wrongfully Accused by an Algorithm (RISKS-32.03)

> In what may be the first known case of its kind, a faulty facial
> recognition match led to a Michigan man's arrest for a crime he did not
> commit.

    If you read the article, you will find that the headline doesn't match what
    actually happened:

    After Ms. Coulson, of the state police, ran her search of the probe image,
    the system would have provided a row of results generated by NEC and a row
    from Rank One, along with confidence scores. Mr. Williams's driver's
    license photo was among the matches. Ms. Coulson sent it to the Detroit
    police as an *Investigative Lead Report*.

    ``THIS DOCUMENT IS NOT A POSITIVE IDENTIFICATION. IT IS AN INVESTIGATIVE
    LEAD ONLY AND IS NOT PROBABLE CAUSE FOR ARREST.'' [The file says this in
    bold capital letters at the top.]

    This is what technology providers and law enforcement always emphasize when
    defending facial recognition: It is only supposed to be a clue in the case,
    not a smoking gun. Before arresting Mr. Williams, investigators might have
    sought other evidence that he committed the theft, such as eyewitness
    testimony, location data from his phone or proof that he owned the clothing
    that the suspect was wearing.

    In this case, however, according to the Detroit police report, investigators
    simply included Mr. Williams's picture in a *6-pack photo lineup* they
    created and showed to Ms. Johnston, Shinola's loss-prevention contractor,
    and she identified him. (Ms. Johnston declined to comment.)

    The photo match algorithm indeed did a lousy job, but the people who used
    the picture did a worse job. False identification from photo lineups has
    been a problem for a very long time. There are some well known mitigations
    that they didn't use here, in particular showing the pictures one at a time
    rather than in a group. The latter tends to make people pick the closest
    match even if the match isn't close at all.

    ------------------------------

    Date: Fri, 26 Jun 2020 10:26:45 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Risks for charities, non-profits, small groups

    Gloria belongs to a quilting group and an embroidery group. Neither group
    is meeting right now. The church where both groups normally meet is giving
    them a break on rent, because of the public health restrictions on meetings,
    but there are still some ongoing expenses. In addition, with no meetings
    going on, some members are starting to question their membership and dues.

    They aren't alone. This article focuses on charities, but a number of small
    groups are in serious trouble over the pandemic. Many amateur sports
    leagues are already collapsing.

    https://www.cbc.ca/news/business/nonprofits-charities-pandemic-closures-1.5625165
    http://newsletters.cbc.ca/c/1172n42cXIEJwxO1WDX0kiIMyBQ

    Our industry and technical groups are facing related issues. We may be in a
    slightly different situation, since most of us have the technical chops to
    set up virtual meetings, but getting people to attend these meetings is
    surprisingly difficult. (Apparently if nobody is providing free coffee and
    donuts, we won't go.)

    We need contacts. We need to get ideas from peers. We need to bounce ideas
    off each other. We need to mentor, even if informally, the newcomers to our
    profession (and recruit students in technical areas *into* our profession).

    Support your local chapter, LUG, SIG, meetup or whatever.

    ------------------------------

    Date: Thu, 25 Jun 2020 19:33:47 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: AI Ethics: IP Protection for AI-generated and AI-assisted works

    Tickets, Sun, 5 Jul 2020 at 11:45 AM | Eventbrite

    Session to share our insights with World Intellectual Property Organization
    on IP protection for AI-generated and AI-assisted work

    About this Event

    We are hosting this session to share our insights with the World
    Intellectual Property Organization on IP protections for AI-generated and
    AI-assisted works drawing from our diverse perspectives and experience and
    having done so before for various other public consultations. Given that
    this will be a shorter session and focused on providing concrete
    recommendations, we encourage you to read the document beforehand and frame
    your contributions in line with the questions.

    Link to the reading:
    https://www.wipo.int/edocs/mdocs/mdocs/en/wipo_ip_ai_2_ge_20/wipo_ip_ai_2_ge_20_1_rev.pdf

    Questions that we will cover in the session:

    1. Should the law require that a human being be named as the inventor or
    should the law permit an AI application to be named as the inventor?

    https://www.eventbrite.ca/e/ai-ethi...ed-and-ai-assisted-works-tickets-110841044548

    New horizons in AI planning... AI is a tool; naming it as inventor seems to
    make as much sense as naming the computer on which a patent application is
    typed.

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.04
    ************************
     
  15. LakeGator

    Risks Digest 32.05

    RISKS List Owner

    Jun 27, 2020 7:10 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 27 June 2020 Volume 32 : Issue 05

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The RISKS Digest> as
    <The RISKS Digest, Volume 32 Issue 05>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    A New Normal: Siberian heat wave is a 'warning cry' from the Arctic,
    climate scientists say (Reuters)
    `PizzaGate' Conspiracy Theory Thrives Anew in the TikTok Era (NYTimes)
    EBay's Critics Faced an Extreme Case of an Old Silicon Valley Habit
    (NYTimes)
    Physicists Just Quantum Teleported Information Between Particles of Matter
    (Science Alert)
    Apple Watch Quote/Thread of The Day (Casey Newton)
    California University Paid $1.14 Million After Ransomware Attack
    (Bloomberg)
    Russian Criminal Group Finds New Target: Americans Working at Home
    (NYTimes)
    Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water System
    (Yeshiva World, Geoff Kuenning)
    Re: The Army will soon allow users to access classified info from home
    (Bob Wilson)
    Re: How Thousands of Misplaced Emails Took Over This Engineer's Inbox
    (Paul Wexelblat)
    Re: IP Protection for AI-generated and AI-assisted works (Henry Baker)
    Re: Wrongfully Accused by an Algorithm (Bella, Michael Bacon)
    Scientists just beginning to understand the many health problems caused by
    COVID-19 (Reuters)
    The number of new cases of COVID-19 is misleading (Mark Thorson)
    Re: 0.5% of coronavirus stimulus checks went to dead people
    (John Levine, Gabe Goldberg, John Levine, Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 26 Jun 2020 14:45:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: A New Normal: Siberian heat wave is a 'warning cry' from the
    Arctic, climate scientists say (Reuters)

    Pine trees are bursting into flames. Boggy peatlands are tinderbox dry. And
    towns in northern Russia are sweltering under conditions more typical of the
    tropics.

    Reports of record-breaking Arctic heat -- registered at more than 100
    Fahrenheit (38 Celsius) in the Siberian town of Verkhoyansk on June 20 --
    are still being verified by the World Meteorological Organization. But even
    without that confirmation, experts at the global weather agency are worried
    by satellite images showing that much of the Russian Arctic is in the red.

    That extreme heat is fanning the unusual extent of wildfires across the
    remote, boreal forest and tundra that blankets northern Russia. Those
    blazes have in turn ignited normally waterlogged peatlands.

    Scientists fear the blazes are early signs of drier conditions to come,
    with more frequent wildfires releasing stores of carbon from peatland and
    forests that will increase the amount of planet-warming greenhouse gases in
    the air.

    Thomas Smith, an environmental geographer at the London School of Economics:
    ``This is what this heat wave is doing: It makes much more fuel available to
    burn, not just vegetation, but the soil as well. It's one of many vicious
    circles that we see in the Arctic that exacerbate climate change.''

    Satellite records for the region starting in 2003 suggest there has been a
    dramatic jump in emissions from Arctic fires during just the last two
    summers, with the combined emissions released in June 2019 and June 2020
    greater than during all of the June months in 2003-2018 put together, Smith
    said.

    Atmospheric records dating back more than a century show Arctic air
    temperatures also reaching new highs in recent years. That leads Smith to
    believe the scale of the fires could be unprecedented as well. ``What we're
    seeing happening right now is the consequence of the past industrial
    emissions. What will happen in 40 years' time is already locked in. We
    can't do anything about that. That's why we should be concerned; it can only
    get worse.''

    Although peatland covers only 3% of the Earth's land surface, those
    deposits contain twice as much carbon as all the world's forests together.

    *A NEW NORMAL*... [...]
    Siberian heat wave is a 'warning cry' from the Arctic, climate scientists say

    ------------------------------

    Date: Sat, 27 Jun 2020 08:37:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: `PizzaGate' Conspiracy Theory Thrives Anew in the TikTok Era
    (NYTimes)

    The false theory targeting Democrats, now fueled by QAnon and teenagers on
    TikTok, is entangling new targets like Justin Bieber.

    ‘PizzaGate’ Conspiracy Theory Thrives Anew in the TikTok Era

    ------------------------------

    Date: Sat, 27 Jun 2020 09:04:19 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: EBay's Critics Faced an Extreme Case of an Old Silicon Valley Habit
    (NYTimes)

    Six former employees were recently named in federal charges that were an
    indication of the lengths some companies will go to hit back at detractors.

    EBay’s Critics Faced an Extreme Case of an Old Silicon Valley Habit

    ------------------------------

    Date: Sat, 27 Jun 2020 08:31:06 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Physicists Just Quantum Teleported Information Between Particles of
    Matter (Science Alert)

By making use of the 'spooky' laws behind quantum entanglement, physicists
think they have found a way to make information leap between a pair of
electrons separated by distance.
    <What Is Quantum Entanglement?>

Teleporting fundamental states between photons -- massless particles of light
-- is quickly becoming old news, a trick we are still learning to exploit in
computing and encrypted communications technology.
    <A New Quantum Teleportation Distance Record Has Been Set>
    <Physicists Just Achieved The First-Ever Quantum Teleportation Between Computer Chips>
    <Physicists Just Quantum Teleported Complex Light Patterns For The First Time>

    But what the latest research has achieved is quantum teleportation between
    particles of matter -- electrons -- something that could help connect
    quantum computing with the more traditional electronic kind.
    <How Do Quantum Computers Work?>

    "We provide evidence for 'entanglement swapping,' in which we create
    entanglement between two electrons even though the particles never interact,
    and 'quantum gate teleportation,' a potentially useful technique for quantum
    computing using teleportation," says physicist John Nichol from the
    University of Rochester in New York.
    <What Is Quantum Entanglement?>
    <Is teleportation possible? Yes, in the quantum world>

    "Our work shows that this can be done even without photons."

    Entanglement is physics jargon for what seems like a pretty straightforward
    concept. [...]
    Physicists Just Quantum Teleported Information Between Particles of Matter

    ------------------------------

    Date: Fri, 26 Jun 2020 14:40:04 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Apple Watch Quote/Thread of The Day (Casey Newton)

    *"If Apple Watch can detect hand washing now then it can probably detect
    other activities involving vigorous hand motions and I for one would like to
    know what Apple is doing with the data"*

    ------------------------------

    Date: Sat, 27 Jun 2020 08:29:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: California University Paid $1.14 Million After Ransomware Attack
    (Bloomberg)

    The hackers encrypted data on servers inside the school of medicine, the
    university said Friday. While researchers at UCSF are among those leading
    coronavirus-related antibody testing, the attack didn't impede its
    Covid-19 work, it said. The university is working with a team of
    cybersecurity contractors to restore the hampered servers *soon*.

    ``The data that was encrypted is important to some of the academic work we
    pursue as a university serving the public good. We therefore made the
    difficult decision to pay some portion of the ransom.''
    <Update on IT Security Incident at UCSF>.

    The intrusion was detected as recently as June 1, and UCSF said the actors
    were halted during the attack. Yet using malware known as Netwalker, the
    hackers obtained and revealed data that prompted UCSF to engage in
    ransomware negotiations, which ultimately followed with payment. [...]

    <Hackers Target California University Leading Covid Research>,
    California University Paid $1.14 Million After Ransomware Attack

    ------------------------------

    Date: Fri, 26 Jun 2020 10:42:05 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: Russian Criminal Group Finds New Target: Americans Working at Home
    (NYTimes)

    Russian Criminal Group Finds New Target: Americans Working at Home

    ------------------------------

    Date: Fri, 26 Jun 2020 14:43:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's
    Water System (Yeshiva World)

    Following Iran's unprecedented attack on Israel's civilian infrastructure by
    its attempt to hack into Israel's water system to raise the chlorine to
    dangerous levels, the National Cyber Directorate took responsibility for
    protecting Israel's water system, *Channel 12 News* reported on Monday.
    <Iran Tried To Raise Chlorine In Israel's Water To Perilous Levels, Report Says - The Yeshiva World>

    The report added an intriguing detail about the protection of Israel's water
    system -- the employment of dozens of fish in ensuring the safety of
    Israel's water supply.

    Twelve aquariums filled with drinking water at the Eshkol water purification
    site in Be'er Sheva each house several fish who happily swim around as fish
    do. The fish are closely monitored 24/7 to ensure they stay happy and
    healthy. Even the slightest signs of changes in their behavior are regarded
    as *fishy* by those responsible for the safety of Israel's drinking water.
    [...]

    Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water System - The Yeshiva World

    ------------------------------

    Date: Fri, Jun 26, 2020 at 9:52 PM
    From: Geoff Kuenning <ge...@cs.hmc.edu>
    Subject: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's
    Water System (RISKS-32.04)

    [via geoff goodfellow]

    * Have you ever been in a swimming pool and accidentally swallowed some of
    the water?
    * Have you ever gotten sick from doing so?
    * Have you ever been in a swimming pool where you could NOT smell and taste
    the chlorine?

    Even if we assume a cyberattack could have raised chlorine "to dangerous
    levels", Israeli citizens would have smelled and tasted it long before they
    consumed enough to fall ill. Something smells fishy indeed.

    I can believe that there are fish who serve as canaries in the water
    system's "coal mine", because there might be poisons that could be
    introduced in more traditional ways. But I don't buy the part about a
    cyberattack trying to release chlorine to make people sick.

    [This seems like a Canary Row? (both words mispronounced, with apologies
    to Steinbeck). But maybe it was not chlorine that was *being admitted*
    into the water systems (and which is not *being admitted* for intelligence
    reasons)? PGN]

    ------------------------------

    Date: Fri, 26 Jun 2020 17:35:33 -0500
    From: Bob Wilson <wil...@math.wisc.edu>
    Subject: Re: The Army will soon allow users to access classified info
    from home (RISKS-32.04)

    This should really make important things a lot easier! Back when I was
    involved with "Orange Book" style security, we always referred to example
    data that was to be securely protected as "The General's Whisky List". The
    list he wanted an orderly to go out and procure. Now when we have to shop
    from home, we can make that real again! Bob Wilson

    [What comes around goes around. The same is true of all of the zealots
    who want backdoors for law enforcement surveillance. It (once again!)
    reminds me of the old George Price cartoon in The New Yorker, with the
    vine having already wrapped itself around the house: Look out, Fred! Here
    it comes again! PGN]

    ------------------------------

    Date: Fri, 26 Jun 2020 20:49:06 -0400
    From: wexe...@gmail.com
    Subject: Re: How Thousands of Misplaced Emails Took Over This Engineer's
    Inbox (RISKS-32.04)

Some years ago, while teaching a Comp Sci course at UMass Lowell, we got
talking about spam and bogus email.

    As part of an exercise I registered bogus-address.com
    <http://bogus-address.com/> so we could just watch and see what was coming
    in.

Afterwards I pretty much ignored it, and had the messages automatically
forwarded to /dev/null (for the last 18 years or so).

Your posting piqued my interest, and I think I'll turn it back on, so I can
see what's going on. Got not much better to do while hunkering. (To answer
your question, why did I keep it? I dunno, but periodically GoDaddy has a
*special* that allows me to renew it for practically nothing.)

    ------------------------------

    Date: Fri, 26 Jun 2020 15:32:53 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: IP Protection for AI-generated and AI-assisted works
    (RISKS-32.04)

    U.S. Constitution, Art. 1, Sect. 8, gives Congress the power "to promote the
    Progress of Science and Useful arts, by securing, for ***limited*** Times,
    to ***Authors*** and ***Inventors***, the exclusive Right to ***their***
    respective Writings and Discoveries".

    The meaning of 'limited' has been twisted by Disney to mean 'limited only by
    the imagination of highly paid Hollywood lawyers'; by a curious coincidence,
    the limit always gets extended whenever a Disney copyright is in danger of
    expiration.

    Copyright is currently "author's life plus 70 years" (or should that read
    "Disney Company's life plus 70 years"?), so when, exactly, does the 'life'
    of an AI end?

    What could possibly go wrong?

    Here's what Disney's own web site has to say:

    "We are working to endow computers and robots with many of the qualities
    long associated with living, thinking beings -- from perception and action
    to reasoning, problem solving, and even ***creativity***! Here we are
    going beyond simply building the next generation of smart tools and are
    instead finding new ways to bring our treasured characters to ***life***."

    Artificial Intelligence | Disney Research Studios

    The plain meaning of 'their' in the Constitution is a *human* reference;
    otherwise, the Constitution would have said 'its'.

    PS. The 'Trans Pacific Partnership', which Trump pulled out of the moment
    he was sworn into office in 2017, would have taken copyright out of the
    hands of Congress and placed it under the control of an international trade
    organization. Like a stopped clock, Trump happened to do the right thing
    this one time.

    ------------------------------

    Date: Sat, 27 Jun 2020 11:28:27 +0000 (UTC)
    From: Bella <belcottrell...@yahoo.com>
    Subject: Re: Wrongfully Accused by an Algorithm (RISKS-32.04)

    While I do not know which facial recognition software the Detroit Police
    Department has chosen to use, people know that NIST's Vendor Recognition
    Test found that pretty much all of them had a much higher rate of
    false-positive matches when looking at people of colour. Considering how
    large a market sample NIST tested; not only do I expect we'll see
    significant bias in false-positive arrests, I also expect we'll probably see
    similar results if other police departments follow suit, regardless of the
    software they select.

    Face Recognition Vendor Test (FRVT) Ongoing

I wonder if potential gender or racial biases were even a factor in DPD's
selection panel?

    ------------------------------

    Date: Sat, 27 Jun 2020 13:01:24 +0100
    From: Michael Bacon <attilath...@tiscali.co.uk>
    Subject: Re: Wrongfully Accused by an Algorithm (Risks-32.04)

    Only Sort of.

    These days, a mismatch between a headline and the body of the article is not
    at all unusual. It used to be that newspaper headlines were accurate,
    albeit those in the "red top" tabloids in particular have always used a
    unique form of grammar, but sadly, no longer. Just the other day, a leading
    British broadsheet headlined a mandatory requirement, but reduced that to a
    "might have to" in the article itself; and throughout the past months the UK
    media (and government) has referred to "Rules" in headlines, but then
    qualified them lower down as being merely "guidance" and "advice". Even
    some UK police forces have been ignorant of the limits of the "Rules" and
    have misapplied the law. There is a strong argument of course in this
    situation, that trading on the ignorance and laziness of Jo Public might not
    be a "bad thing", but I suspect it's largely an accidental abuse of the
    language (I'm thinking Hanlon's Razor).

Nevertheless, extreme headlines abound, and the very evident RISK is that
far too many people read no further than the big print (few read the
subheading, fewer still the first paragraphs of the article, and there seem
to be almost none at all who read "below the fold") ... and then they
re-broadcast the hyperbole on social media, where it gains new life.

    For over 300 years it's been said that: "A lie gets halfway around the world
    before the truth has a chance to get its pants on" (or similar), and
    Shakespeare had Puck say, in a Midsummer Night's Dream: "I'll put a girdle
    round the Earth in forty minutes." Today the "lie" travels around the globe
    in 40 milliseconds, and is solidified by, and enhanced in, each retelling.

    ------------------------------

    Date: Fri, 26 Jun 2020 14:41:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Scientists just beginning to understand the many health problems
    caused by COVID-19 (Reuters)

    ... some may have lingering effects on patients and health systems for years
    to come, according to doctors and infectious disease experts.

    Besides the respiratory issues that leave patients gasping for breath, the
    virus that causes COVID-19 attacks many organ systems, in some cases causing
    catastrophic damage.

    ``We thought this was only a respiratory virus. Turns out, it goes after the
    pancreas. It goes after the heart. It goes after the liver, the brain, the
    kidney and other organs. We didn't appreciate that in the beginning,''
    said Dr. Eric Topol, a cardiologist and director of the Scripps Research
    Translational Institute in La Jolla, California.

    In addition to respiratory distress, patients with COVID-19 can experience
    blood clotting disorders that can lead to strokes, and extreme inflammation
    that attacks multiple organ systems. The virus can also cause neurological
    complications that range from headache, dizziness and loss of taste or
    smell to seizures and confusion.

    And recovery can be slow, incomplete and costly, with a huge impact on
    quality of life.

    The broad and diverse manifestations of COVID-19 are somewhat unique, said
    Dr. Sadiya Khan, a cardiologist at Northwestern Medicine in Chicago. [...]
    Scientists just beginning to understand the many health problems caused by COVID-19

    ------------------------------

    Date: Fri, 26 Jun 2020 15:55:22 -0700
    From: Mark Thorson <e...@dialup4less.com>
    Subject: The number of new cases of COVID-19 is misleading (Wordpress)

    New cases might be people who are asymptomatic, recovered, or cross-reactive
    to one of the mostly harmless coronavirus strains that cause an estimated
    5-15% of the common cold. What counts are a) hospitalizations and b)
    deaths.

    Death rates from coronavirus drop in half 2 months after Georgia loosens lockdown restrictions

    ------------------------------

    Date: 26 Jun 2020 22:29:59 -0400
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: 0.5% of coronavirus stimulus checks went to dead people
    according to the GAO (Goldberg, RISKS-32.04)

    > No time to check for dead recipients -- what could go wrong?

    I would have hoped the WaPo would have better political and arithmetic
    skills than this article shows.

The $1.4 billion that went to dead people sounds like a lot until you
remember that the total was $270 billion, so we're talking about 0.5% of the
total. The point of the stimulus was to get money to people as quickly as
possible, so that money generally went to the dead people's family members,
who as likely as not were happy to have it to pay for rent, food, and all
the other stuff the stimulus was intended to support.

Imagine you're in an office in D.C., you know that as things stand you'll
send half a percent of the money to dead people, and it would take (making
up a number here) half a week to arrange to compare the payment file to the
death records. Knowing that you'll still send money to some dead people (the
records are always out of date since people die every day), is it worth the
extra delay to fix a half percent error when the law says to send the money
"as rapidly as possible"? What would you say? I'd say of course not, ship
it.

    My father died last year and he did indeed get a stimulus payment directly
    into the estate's bank account, followed by a letter from the Leader to
    <dad's name> DEC'D. We don't need it so it's sitting in the bank waiting to
    see if they're going to take it back. If they don't, I'll send it to the
    local food bank who can sure use the money.

    ------------------------------

    Date: Sat, 27 Jun 2020 01:30:05 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: 0.5% of coronavirus stimulus checks went to dead people
    according to the GAO (Levine, RISKS-32.05)

IRS has access to the Social Security Death Master File
(Death Master File - Wikipedia) to verify payments.

    But, quoting the article: However, IRS counsel determined they did not have
    the legal authority to deny payments to people who had filed a return, even
    if they were deceased at the time of payment.

    ...so it wasn't a technical problem or a week's potential delay, it was set
    up to deliver improper payments. And WaPo columnist now advises against
    recovering improper payments. Because ... well, that's not clear.

    What's the arithmetic skills failure to which you refer? You're likely right
    that family members appreciated incorrect payments. So, likely, do people
    receiving undeserved tax refunds. A billion here, a billion there, out of
    trillions here, trillions there, still amounts to substantial waste.

    ------------------------------

    Date: 27 Jun 2020 12:24:33 -0400
    From: "John R. Levine" <jo...@iecc.com>
    Subject: Re: 0.5% of coronavirus stimulus checks went to dead people
    according to the GAO (Goldberg, RISKS-32.05)

    Unfortunately, it's right there in your paragraph. A billion and a trillion
    are not the same thing, and an 0.5% error is not a big one.

    I would also take issue with calling this mistake "waste", but see my
    previous message about that.

    ------------------------------

    Date: Sat, 27 Jun 2020 13:57:17 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: 0.5% of coronavirus stimulus checks went to dead people
    according to the GAO (Levine, RISKS-32.05)

    That seems more opinion or perspective than arithmetic. A small percentage of a
    giant number can be a big number. A billion dollars is a terrible thing to
    waste. Paying people who weren't intended to be paid -- no matter how happy
    they are to receive the payment -- is a waste.

    Let's end here. [I agree. PGN]

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)


    ------------------------------

    End of RISKS-FORUM Digest 32.05
    ************************
     
  16. LakeGator

    Risks Digest 32.06

    RISKS List Owner

    Jun 29, 2020 9:05 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 29 June 2020 Volume 32 : Issue 06

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The RISKS Digest> as
    <The RISKS Digest, Volume 32 Issue 06>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Man Dies after Relatives Unplug Ventilator for Air Conditioner Unit
    (Chuck Petras)
    76-year-old American jailed in Spain was unwitting drug mule, U.S. says
    (The Boston Globe)
    Ripple20 IP stack vulnerability may affect literally billion devices
    (Chiaki Ishikawa)
    Security breach impacts Maine State Police database (BostonGlobe)
    How a Good Scam Can Bypass Our Defences (Bruce Grierson)
    E-Commerce Site Hackers Now Hiding Credit Card Stealer Inside Image Metadata
    (The Hacker News)
    Moroccan Journalist Targeted With Network Injection Attacks Using NSO Groups
    Tools (Amnesty International)
    Netgear moves to plug vulnerability in routers after researchers find
    zero-day (Sean Lyngaas)
    TikTok and 53 other iOS apps STILL snoop your sensitive clipboard data
    (Ars Technica)
    Zoom chats short circuit a brain function essential for trust --
    and that's bad for business (Don Pittis)
    EFF & Heavyweight Legal Team Will Defend Internet Archive's Digital
    Library Against Publishers (Andy Maxwell)
    Re: 40 milliseconds to go halfway around the Earth? *NOT* (Fred Cohen)
    Re: 0.5% of coronavirus stimulus checks went to dead people
    according to the GAO (James Cloos)
    Re: Smells Fishy? The Fish That Prevent Iran From Hacking (Michael Grant,
    Phil Nasadowski)
    Quote of The Day (George Orwell, 1984)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 29 Jun 2020 20:55:51 +0000
    From: Chuck Petras <Chuck_...@selinc.com>
    Subject: Man Dies after Relatives Unplug Ventilator for Air Conditioner Unit

    Where to begin?

    "The man's relatives then took an air conditioner to the hospital – as
    daytime temps reportedly topped out at 106 degrees — and allegedly unplugged
    the ventilator after not finding an open socket to cool down the room,
    according to the report. Hospital staffers had deactivated air conditioners
    in the unit in an effort to curb the spread of COVID-19 []."

    Man Dies after Relatives Unplug Ventilator for Air Conditioner Unit | 24x7 Magazine

    ------------------------------

    Date: Sun, 28 Jun 2020 10:00:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: 76-year-old American jailed in Spain was unwitting drug mule, U.S.
    says (The Boston Globe)

    Victor Stemberger wasn't about to ignore the emails inviting him into a
    multimillion-dollar business opportunity, so he pitched himself as perfect
    for the job. In a way he was — but for all the wrong reasons.

    American jailed in Spain was unwitting drug mule, US says | Boston.com

    ------------------------------

    Date: Mon, 29 Jun 2020 07:22:08 +0900
    From: "ISHIKAWA,chiaki" <ishi...@yk.rim.or.jp>
    Subject: Ripple20 IP stack vulnerability may affect literally billion
    devices

    A recently found vulnerability, called Ripple20, in IP stack software
    created by Treck may literally affect a billion devices.

    The IP stack originally developed by Treck is meant for embedded devices and
    runs on embedded OSes, such as real-time OSes. It is also marketed by a
    Japanese company, Zuken Elmic, after the joint development diverged.

    Looking at the few advisories [1][2] and the original report by JSOF [3], an
    Israeli company which first reported the vulnerability, one can't ignore the
    fact that so many companies have already published a list of devices
    affected by the vulnerability. HP and HP Enterprise, for example, alone
    listed printers, notebook and desktop PCs, and workstations. I don't have
    the marketing figures handy, but the list includes popular models and so I
    think it could be millions of devices(?) Finding names like Aruba and Cisco
    among companies whose products are affected was a surprise to me. These
    companies are known for their networking software. But they obviously used a
    third-party network stack for certain products.

    As a matter of fact, I once used an early version of the stack from Elmic
    (a Japanese company, before it was bought by Zuken). It was an old version,
    in the early 2000s. I am a bit concerned since some partner companies used
    the stack back then for prototyping. At the time, it was one of the few IP
    stacks for embedded devices that had support for IPv6.

    I am afraid the list of Japanese companies whose products are affected may
    grow. I suspect the response may be slow due to the COVID-19 outbreak, with
    many people working from home. Zuken Elmic's web page (in Japanese) claimed
    the stack, marketed under the name Kasago, has been used by 300 companies
    for 500 different products. [5] Ouch.

    Last year's Urgent/11 [4] was also bad, but Ripple20 may turn out to be
    worse, judging by the already reported products.

    We may see more of these vulnerabilities in the future now that the
    security community is turning its eyes toward the embedded-device domain.

    [1] Treck IP stacks contain multiple vulnerabilities, CERT/CC,
    https://kb.cert.org/vuls/id/257161
    [2] ICS Advisory (ICSA-20-168-01) - Treck TCP/IP Stack,
    Treck TCP/IP Stack (Update A) | CISA
    [3] Ripple20 - 19 Zero-Day Vulnerabilities Amplified by the Supply
    Chain, JSOF,
    Ripple20 - JSOF
    [4] URGENT/11 - UPDATE: URGENT/11 affects additional RTOSs - Highlights
    Risks on Medical Devices, ARMIS,
    URGENT/11 Leaves Billions of Devices Open to Cyber Security Risks
    [5] KASAGO®IPv4、KASAGO®IPv4Light
    https://www.elwsc.co.jp/wp-content/uploads/2020/02/KASAGOv4_201912.pdf

    ------------------------------

    Date: Sun, 28 Jun 2020 09:54:45 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Security breach impacts Maine State Police database (BostonGlobe)

    State police said the most common documents shared on the database are crime
    information and situational awareness bulletins.

    Security breach impacts Maine State Police database | Boston.com

    ------------------------------

    Date: Sat, 27 Jun 2020 16:46:26 -0600
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: How a Good Scam Can Bypass Our Defences (Bruce Grierson)

    Bruce Grierson:

    Cons exploit our cognitive biases. I learned the hard way that some of us
    are more vulnerable than others

    The email popped up on my screen at 6:45 a.m. on December 24. I'd already
    been up for a couple of hours, working to deadline. It was from someone I
    know quite well: the minister of the North Shore Unitarian Church, which we
    attend.

    "I need a favor from you," the message said. "Email me as soon as you get my
    message."

    "Ahoy Ron," I replied.

    A friend was in the hospital battling cancer, he said, and he'd just learned
    she was scheduled for surgery tonight. Could I possibly pick up some iTunes
    gift cards? "She needs the cards to download her favorite music and videos
    to boost her confidence on her next phase of surgery." He'd do it himself,
    but he was tied up, he explained. "I will surely reimburse you as soon as I
    can." [...]

    How a Good Scam Can Bypass Our Defences | The Walrus

    ------------------------------

    Date: Mon, 29 Jun 2020 09:27:50 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: E-Commerce Site Hackers Now Hiding Credit Card Stealer Inside Image
    Metadata (The Hacker News)

    In what's one of the most innovative hacking campaigns, cybercrime gangs are
    now hiding malicious code implants in the metadata of image files to
    covertly steal payment card information entered by visitors on the hacked
    websites.

    "We found skimming code hidden within the metadata of an image file (a form
    of steganography) and surreptitiously loaded by compromised online stores,"
    Malwarebytes researchers said last week.
    <Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files>

    "This scheme would not be complete without yet another interesting variation
    to exfiltrate stolen credit card data. Once again, criminals used the
    disguise of an image file to collect their loot."

    The evolving tactic of the operation, widely known as web skimming or a
    Magecart attack, comes as bad actors are finding different ways to inject
    JavaScript scripts, including misconfigured AWS S3 data storage buckets
    <Magecart Targets Emergency Services-related Sites via Insecure S3 Buckets>
    and exploiting content security policy to transmit data to a Google
    Analytics account under their control.
    <Hackers Using Google Analytics to Bypass Web Security and Steal Credit Cards>

    Using Steganography to Hide Skimmer Code in EXIF...
    [...]
    e-Commerce Site Hackers Now Hiding Credit Card Stealer Inside Image Metadata
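
    The technique described above hides script text inside EXIF fields of an
    otherwise ordinary image. As an added defender-side example (not code from
    the article or from Malwarebytes), the following Python walks a JPEG's
    marker segments, decodes the ASCII entries of the EXIF IFD0, and flags
    fields containing script-like tokens; the minimal JPEG it builds for input,
    the tag names, and the token list are all constructed here.

```python
import re
import struct

# Tokens that have no business inside image metadata but are typical of injected
# JavaScript. Constructed heuristic list; extend to taste. Bytes-level, case-insensitive.
SUSPICIOUS = re.compile(
    rb"<script|eval\(|document\.|XMLHttpRequest|fromCharCode|atob\(|onerror=", re.I
)

# A few standard TIFF/EXIF ASCII tags, for readable reports.
TAG_NAMES = {0x8298: "Copyright", 0x010E: "ImageDescription", 0x013B: "Artist"}


def iter_jpeg_segments(data):
    """Yield (marker, payload) for every marker segment that precedes SOS.

    All metadata (APPn, COM) sits before the Start-Of-Scan marker; the
    entropy-coded image data after it cannot carry EXIF, so scanning stops there.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:                       # SOS: scan data follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def exif_ascii_fields(app1_payload):
    """Return {tag: bytes} for the ASCII (type 2) entries of IFD0 in an EXIF APP1 payload."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        return {}
    tiff = app1_payload[6:]                      # all IFD offsets are relative to here
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        return {}
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    fields = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(endian + "HHI", entry[:8])
        if typ != 2:                             # only ASCII fields can hold script text
            continue
        if n <= 4:                               # values of up to 4 bytes are stored inline
            raw = entry[8:8 + n]
        else:                                    # longer values: last 4 bytes are an offset
            off = struct.unpack(endian + "I", entry[8:12])[0]
            raw = tiff[off:off + n]
        fields[tag] = raw.rstrip(b"\x00")
    return fields


def scan_image(data):
    """Return [(tag_name, matched_token)] for EXIF fields that look like script."""
    hits = []
    for marker, payload in iter_jpeg_segments(data):
        if marker != 0xE1:                       # APP1 is where EXIF lives
            continue
        for tag, text in exif_ascii_fields(payload).items():
            m = SUSPICIOUS.search(text)
            if m:
                hits.append((TAG_NAMES.get(tag, hex(tag)), m.group(0).decode("ascii", "replace")))
    return hits


def build_jpeg(copyright_text):
    """Constructed minimal JPEG: SOI, one EXIF APP1 holding a Copyright tag, SOS, EOI.

    This exists only to produce offline test input; it is not a decodable photo.
    """
    value = copyright_text.encode("utf-8") + b"\x00"
    ifd_offset = 8                               # IFD0 directly after the 8-byte TIFF header
    value_offset = ifd_offset + 2 + 12 + 4       # entry count + one entry + next-IFD pointer
    tiff = b"II" + struct.pack("<HI", 42, ifd_offset)
    tiff += struct.pack("<H", 1)                                  # one directory entry
    tiff += struct.pack("<HHII", 0x8298, 2, len(value), value_offset)
    tiff += struct.pack("<I", 0)                                  # no IFD1
    tiff += value
    app1 = b"Exif\x00\x00" + tiff
    segment = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    sos = b"\xff\xda" + b"\x00\x08\x01\x01\x00\x00\x3f\x00"        # minimal SOS header
    return b"\xff\xd8" + segment + sos + b"\xff\xd9"


if __name__ == "__main__":
    clean = build_jpeg("Copyright 2020 Example Shop")
    tainted = build_jpeg("Copyright (c) <script>document.cookie</script>")
    print("clean:", scan_image(clean))        # []
    print("tainted:", scan_image(tainted))    # [('Copyright', '<script')]
```

    Run it over the images a store serves (or over uploads at the CDN edge) and
    alert on any hit; legitimate EXIF copyright or description text never
    contains these tokens.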

    ------------------------------

    Date: Sun, 28 Jun 2020 10:16:21 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Moroccan Journalist Targeted With Network Injection Attacks
    Using NSO Groups Tools (Amnesty International)

    Amnesty International, 22 June 2020

    In October 2019 Amnesty International published a first report on the use of
    spyware produced by Israeli company NSO Group against Moroccan human rights
    defenders Maati Monjib and Abdessadak El Bouchattaoui. Through our continued
    investigation, Amnesty International's Security Lab identified similar
    evidence of the targeting of Omar Radi, a prominent activist and journalist
    from Morocco from January 2019 until the end of January 2020.

    Evidence gathered through our technical analysis of Omar Radi's iPhone
    revealed traces of the same “network injection” attacks we described in our
    earlier report that were used against Maati Monjib. This provides strong
    evidence linking these attacks to NSO Group's tools.

    These findings are especially significant because Omar Radi was targeted
    just three days after NSO Group released its human rights policy. These
    attacks continued after the company became aware of Amnesty International's
    first report that provided evidence of the targeted attacks in Morocco. This
    investigation thus demonstrates NSO Group's continued failure to conduct
    adequate human rights due diligence and the inefficacy of its own human
    rights policy.

    Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group’s Tools

    ------------------------------

    Date: Mon, 29 Jun 2020 12:32:09 -0400 (EDT)
    From: ACM TechNews <technew...@acm.org>
    Subject: Netgear moves to plug vulnerability in routers after researchers
    find zero-day (Sean Lyngaas)

    Sean Lyngaas, CyberScoop, 17 Jun, via ACM TechNews; Monday, June 29, 2020

    Netgear said it is close to releasing a patch for a newly discovered
    software vulnerability that could enable hackers to remotely exploit home
    Internet routers and potentially access devices running on those networks.
    The cybersecurity company GRIMM and Trend Micro's Zero Day Initiative (ZDI)
    reported the vulnerability. GRIMM's Adam Nichols said his team detected a
    vulnerable copy of a Web server on the router in 79 different Netgear
    devices. He noted that a hacker does not necessarily need to be on a Wi-Fi
    network to launch an attack. Researchers said the vulnerability affects a
    version of Netgear firmware dating to 2007. ZDI first reported the bug to
    Netgear in January, delaying its analysis so Netgear could address the
    issue. It published its findings on June 15 to raise awareness after
    Netgear requested multiple extensions for releasing a fix. Netgear said the
    patch has been delayed by the pandemic.
    Netgear moves to plug vulnerability in routers after researchers find zero-day - CyberScoop

    ------------------------------

    Date: Mon, 29 Jun 2020 09:26:50 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: TikTok and 53 other iOS apps STILL snoop your sensitive clipboard data
    (Ars Technica)

    Passwords, bitcoin addresses, and anything else in clipboards are free for
    the taking.

    In March, researchers uncovered a troubling privacy grab by more than four
    dozen iOS apps including TikTok, the Chinese-owned social media and
    video-sharing phenomenon that has taken the Internet by storm. Despite
    TikTok vowing to curb the practice, it continues to access some of Apple
    users' most sensitive data, which can include passwords,
    cryptocurrency wallet addresses, account-reset links, and personal
    messages. Another 53 apps identified in March haven't stopped either.

    The privacy invasion is the result of the apps repeatedly reading any text
    that happens to reside in clipboards, which computers and other devices use
    to store data that has been cut or copied from things like password
    managers and email programs. With no clear reason for doing so, researchers
    Talal Haj Bakry and Tommy Mysk found
    <Popular iPhone and iPad Apps Snooping on the Pasteboard, Mysk>,
    the apps deliberately called an iOS programming interface that retrieves
    text from users' clipboards.

    Universal snooping

    In many cases, the covert reading isn't limited to data stored on the local
    device. In the event the iPhone or iPad uses the same Apple ID as other
    Apple devices and they are within roughly 10 feet of each other, all of them
    share a universal clipboard <Use Universal Clipboard to copy and paste between your Apple devices>,
    meaning contents can be copied from the app of one device and pasted into
    an app running on a separate device.

    That leaves open the possibility that an app on an iPhone will read
    sensitive data on the clipboards of other connected devices. This could
    include bitcoin addresses, passwords, or email messages that are
    temporarily stored on the clipboard of a nearby Mac or iPad. Despite
    running on a separate device, the iOS apps can easily read the sensitive
    data stored on the other machines.

    ``It's very, very dangerous,'' Mysk said in an interview on Friday, referring
    to the apps' indiscriminate reading of clipboard data. ``These apps are
    reading clipboards, and there's no reason to do this. An app that doesn't
    have a text field to enter text has no reason to read clipboard text.''

    The video below demonstrates universal clipboard reading: [...]
    TikTok and 53 other iOS apps still snoop your sensitive clipboard data

    ------------------------------

    Date: Mon, 29 Jun 2020 06:59:22 -0600
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: Zoom chats short circuit a brain function essential for trust --
    and that's bad for business (Don Pittis)

    In-person encounters are crucial for establishing trust and building
    successful teams, according to research.

    Ever get the sense there is something vital missing on those Zoom meetings?
    If so, you're not alone -- and there is Canadian science to back you up.

    As political and business leaders push to reopen the economy hoping to get
    restaurants, retailers and factories making money again, there may be good
    economic reasons for putting at least some of the work-from-home crowd back
    into the office as fast as it's safe to do so.

    Canadian research on "computer-mediated communication," begun long before
    the current lockdown, shows video chat is an inadequate substitute for
    real-life interaction. The real thing, dependent on non-verbal cues, is
    extraordinarily more effective in creating rapport and getting ideas across.

    Video chats short circuit a brain function essential for trust: Don Pittis | CBC News

    ------------------------------

    Date: June 28, 2020 20:35:32 JST
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: EFF & Heavyweight Legal Team Will Defend Internet Archive's Digital
    Library Against Publishers (Andy Maxwell)

    Andy Maxwell, Torrent Freak, Jun 26 2020 (via Dave Farber)
    <EFF & Heavyweight Legal Team Will Defend Internet Archive's Digital Library Against Publishers * TorrentFreak>

    The EFF has revealed it is teaming up with law firm Durie Tangri to defend
    the Internet Archive against a lawsuit targeting its Open Library. According
    to court filings, the impending storm is shaping up to be a battle of the
    giants, with opposing attorneys having previously defended Google in book
    scanning cases and won a $1bn verdict for the RIAA against ISP Cox.

    In March, faced with the chaos caused by the coronavirus pandemic, the
    Internet Archive (IA) launched its National Emergency Library (NEL).

    Built on its existing Open Library, the NEL provided users with unlimited
    borrowing of more than a million books, something which the IA hoped would
    help *displaced learners* restricted by quarantine measures.

    Publishers Sue Internet Archive

    After making a lot of noise in opposition to both the Open and Emergency
    libraries, publishers Hachette, HarperCollins, John Wiley and Penguin Random
    House filed a massive copyright infringement lawsuit against the Internet
    Archive.

    Declaring the libraries little more than `pirate' services that have no
    right to scan books and lend them out, even in a controlled fashion, the
    publishers bemoaned the direct threat to their businesses and demanded
    millions of dollars in statutory damages.

    Earlier this month the IA announced the early closure of the NEL, with IA
    founder Brewster Kahle calling for an end to litigation and the start of
    cooperation. There are no public signs of either. Indeed, the opposing sides
    are preparing for action.

    EFF and Attorneys Team Up to Defend IA

    Last evening the EFF announced that it is joining forces with
    California-based law firm Durie Tangri to defend the Internet Archive
    against a lawsuit which they say is a threat to IA's Controlled Digital
    Lending (CDL) program.

    The CDL program allows people to check out scanned copies of books for which
    the IA and its partners can produce physically-owned copies. The publishers
    clearly have a major problem with the system but according to IA and EFF,
    the service is no different from that offered by other libraries.

    ``EFF is proud to stand with the Archive and protect this important public
    service,'' says EFF Legal Director Corynne McSherry. ``Controlled digital
    lending helps get books to teachers, children and the general public at a
    time when that is more needed and more difficult than ever. It is no threat
    to any publisher's bottom line.'' [... PGN-truncated]

    ------------------------------

    Date: Sun, 28 Jun 2020 07:10:51 -0700
    From: Fred Cohen <f...@all.net>
    Subject: Re: 40 milliseconds to go halfway around the Earth? *NOT*
    (Bacon, RISKS-32.05)

    Today the "lie" travels around the globe in 40 milliseconds, and is
    solidified by, and enhanced in, each retelling.

    Hmmm.... 40 milliseconds = 4*10^-2.
    Speed of light... 3*10^8 meters/second.
    Distance in 40 msec = 12,000,000 meters (1.2*10^7).
    Circumference of the Earth (pole to pole in meters) ~40,000,000 (4*10^7).
    Half way around the world = 20,000,000 meters.

    40 ms is really only about a quarter of the way around the Earth -- at the
    speed of light! Note that since radio can go all directions you could
    perhaps cover half the Earth by going in all directions. HOWEVER, lies
    typically travel via Internet, where routers typically slow things down
    considerably. If you actually try to get packets half way around the world
    (e.g., from California to Mumbai) you will find that routing takes lots of
    additional time:

    > traceroute mu.ac.in
    traceroute to mu.ac.in (14.139.125.195), 30 hops max, 60 byte packets
    1 10.0.2.1 (10.0.2.1) 0.513 ms 0.818 ms 0.793 ms
    2 192.168.1.254 (192.168.1.254) 2.539 ms 2.512 ms 2.486 ms
    3 162-200-148-1.lightspeed.mtryca.sbcglobal.net (162.200.148.1) 6.802
    ms 7.207 ms 7.696 ms
    4 99.161.44.106 (99.161.44.106) 8.041 ms 8.533 ms 17.439 ms
    5 * * *
    6 12.83.47.137 (12.83.47.137) 19.002 ms 8.016 ms 8.152 ms
    7 sffca402igs.ip.att.net (12.122.114.29) 13.986 ms 15.078 ms 14.440 ms
    8 192.205.37.58 (192.205.37.58) 16.560 ms 16.911 ms 17.543 ms
    9 ae-9.r24.snjsca04.us.bb.gin.ntt.net (129.250.2.2) 15.533 ms 15.869
    ms 24.884 ms
    ...

    I should note that the "lie" (40ms) spread by RISKS got around the World
    literally before I got my pants on this morning, and to get the truth out
    will likely take days before it is even sent out by RISKS.

    One more note. The lie also has to get from someone's brain (or some
    mechanism's mechanism) and into someone (or something) else's brain
    (mechanism), and while getting lies out may be pretty quick, penetrating the
    brain to the point where the meme is formed in the recipient also takes
    considerable time relative to 40ms.
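
    The arithmetic above and the pasted traceroute, carried through as an added
    Python example (not Fred Cohen's code): it uses the message's rounded
    constants to compute how far light gets in 40 ms and the resulting one-way
    lower bound for half the circumference, and it parses the traceroute output
    as pasted (rejoining the wrapped lines and tolerating the timed-out hop 5)
    to report the best observed round-trip time per hop. The traceroute text is
    copied from the message; the helper and function names are assumptions.

```python
import re

C = 3e8                 # speed of light in m/s, rounded as in the message
EARTH_CIRC = 4e7        # Earth's circumference in metres, rounded as in the message


def light_distance_m(seconds, c=C):
    """Distance light covers in vacuum in the given time."""
    return c * seconds


def fraction_of_earth(seconds):
    """Fraction of the Earth's circumference light covers in that time."""
    return light_distance_m(seconds) / EARTH_CIRC


def one_way_bound_ms(fraction):
    """Physical lower bound (vacuum, straight path) on one-way delay for that
    fraction of the circumference; a round trip needs at least twice this."""
    return fraction * EARTH_CIRC / C * 1000.0


def _join_wrapped(lines):
    """Undo the line wrapping of a pasted traceroute: a line that does not start
    with a hop number continues the previous line. Blank lines and '...' are dropped."""
    joined = []
    for line in lines:
        s = line.strip()
        if not s or s == "...":
            continue
        if joined and not s[0].isdigit():
            joined[-1] += " " + s
        else:
            joined.append(s)
    return joined


HOP_RE = re.compile(r"^(\d+)\s+(.*)$")          # "<hop> <rest of line>"
RTT_RE = re.compile(r"([\d.]+)\s*ms\b")          # each "<number> ms" probe time


def parse_traceroute(text):
    """Return {hop_number: [rtt_ms, ...]}; a hop whose probes all timed out maps to []."""
    hops = {}
    for line in _join_wrapped(text.splitlines()):
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = [float(x) for x in RTT_RE.findall(m.group(2))]
    return hops


def best_rtt_per_hop(hops):
    """Minimum observed round-trip time per hop (None where every probe timed out)."""
    return {hop: (min(r) if r else None) for hop, r in hops.items()}


# Copied from the traceroute in the message above, including its wrapped lines
# and the '* * *' hop, so the parser is exercised on exactly that shape.
SAMPLE = """\
> traceroute mu.ac.in
traceroute to mu.ac.in (14.139.125.195), 30 hops max, 60 byte packets
1 10.0.2.1 (10.0.2.1) 0.513 ms 0.818 ms 0.793 ms
2 192.168.1.254 (192.168.1.254) 2.539 ms 2.512 ms 2.486 ms
3 162-200-148-1.lightspeed.mtryca.sbcglobal.net (162.200.148.1) 6.802
ms 7.207 ms 7.696 ms
4 99.161.44.106 (99.161.44.106) 8.041 ms 8.533 ms 17.439 ms
5 * * *
6 12.83.47.137 (12.83.47.137) 19.002 ms 8.016 ms 8.152 ms
7 sffca402igs.ip.att.net (12.122.114.29) 13.986 ms 15.078 ms 14.440 ms
8 192.205.37.58 (192.205.37.58) 16.560 ms 16.911 ms 17.543 ms
9 ae-9.r24.snjsca04.us.bb.gin.ntt.net (129.250.2.2) 15.533 ms 15.869
ms 24.884 ms
...
"""

if __name__ == "__main__":
    print("light in 40 ms covers %.0f m, %.2f of the circumference"
          % (light_distance_m(0.040), fraction_of_earth(0.040)))      # 12000000 m, 0.30
    print("one-way bound for half the circumference: %.1f ms" % one_way_bound_ms(0.5))  # 66.7
    for hop, rtt in sorted(best_rtt_per_hop(parse_traceroute(SAMPLE)).items()):
        print(hop, rtt)
```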

    ------------------------------

    Date: Sun, 28 Jun 2020 15:49:02 -0400
    From: James Cloos <cl...@jhcloos.com>
    Subject: Re: 0.5% of coronavirus stimulus checks went to dead people
    according to the GAO (Goldberg, RISKS-32.04)

    Given that the stimulus is a refundable discount on 2020 income tax, any
    estate that is open and could file a 2020 1040 is due the stimulus anyway.

    So there was nothing at all wrong with his estate receiving it.

    And the same for probably most of the estates which received them.

    The article is an example of low quality journalism.

    ------------------------------

    Date: Sat, Jun 27, 2020 at 10:36 AM
    From: Michael Grant <mgr...@grant.org>
    Subject: Re: Smells Fishy? The Fish That Prevent Iran From (via GG)

    Here's a great little experiment that I encourage everyone to do!
    Next time you're at the swimming pool and you see the lifeguard
    testing the chlorine level in the pool, kindly ask them if they would mind
    testing the water in the drinking fountain.

    Last time I did this in Washington DC, the lifeguard was so astonished that
    he had to do the reading 3 times. He showed me that the levels of chlorine
    in the Washington DC water were in the danger zone, all the way at the top
    of his chart! He said if the water was in the pool, he'd have to take
    everyone out of the pool!

    ------------------------------

    Date: Sun, 28 Jun 2020 12:38:04 -0400
    From: Phil Nasadowski <pnasa...@pcsintegrators.com>
    Subject: Re: Smells Fishy? The Fish That Prevent Iran From Hacking
    Israel's Water System (RISKS-32.04)

    Geoff Kuenning <ge...@cs.hmc.edu> brings up some very valid points. Having
    15 years' experience in water/wastewater controls (and by no means saying
    his views are invalid in any way, they certainly are valid), I'd like to
    point out that even in "major metropolitan areas", in the suburbs, the
    amount of remote control over chlorine injection is often "none". As a
    matter of fact, a lot of operations prefer this, because if there's
    something wrong, they WANT the operator on duty to go out and check the
    station. (Naturally, notification often comes via a SCADA system which has
    stupidly poor security 99% of the time. Sometimes notification comes when
    the call center is flooded with angry calls from residents with bad water.)

    That assumes there's even computerized control over chemical injection.
    Most places, it's a simple pump, sitting on a chemical tank, that gets set
    and left that way, until the flow changes. If the flow is computer
    controlled, the operator has the ability to remotely stop the well, assuming
    that the relay-based hard logic mandated in (some) places doesn't stop the
    out of control chemical injection, first.

    It won't stop against a Stuxnet kind of attack (and I'm sure others I can't
    think of, never mind just breaking into the station and turning the knob on
    the pump up all the way), but it's some hope... Until something else comes
    along that nobody thought of.

    Years ago, a few vendors were offering systems that were basically
    electronic fishtanks. I don't think really anyone took the bait...

    Philip Nasadowski, Chief Engineer, PCS Integrators (973) 575-7464 x155

    ------------------------------

    Date: Sun, 28 Jun 2020 10:42:24 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Quote of The Day (George Orwell, 1984)

    "Every book has been rewritten, every picture has been repainted, every
    statue and street and building has been renamed, every date has been
    altered...History has stopped. Nothing exists except an endless present in
    which the Party is always right."
    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)


    ------------------------------

    End of RISKS-FORUM Digest 32.06
    ************************
     
  17. LakeGator

    Risks Digest 32.07

    RISKS List Owner

    Jul 3, 2020 2:11 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 3 July 2020 Volume 32 : Issue 07

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The RISKS Digest> as
    <The RISKS Digest, Volume 32 Issue 07>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    A Doctor Confronts Medical Errors -- And Flaws In The System That Create
    Mistakes (npr.org)
    U.S. Watchdog's Report Faults Boeing's Disclosures on 737 Max Software
    (NYTimes)
    U.S. Cyber-Command says foreign hackers will most likely exploit new PAN-OS
    security bug (ZDNet)
    Education Dept. left Social Security numbers of thousands of borrowers
    exposed for months (WashPost)
    China's Software Stalked Uighurs Earlier and More Widely (NYTimes)
    A New Ransomware Targeting Apple macOS Users Through Pirated Apps
    (The Hacker News)
    Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers
    (BishopFox)
    When speech assistants listen even though they shouldn't (Julia Weiler)
    Over 400 Advertisers Hit Pause On Facebook, Threatening $70 Billion
    Juggernaut (NPR)
    How Police Secretly Took Over a Global Phone Network for Organized Crime
    (Irish News)
    Your next BMW might only have heated seats for 3 months (CNET)
    Microsoft releases emergency security update to fix two bugs in Windows
    codecs (ZDNet)
    Mr Potato Head sales problem (mykawartha)
    Deepfake Technology Enters the Documentary World (NYTimes)
    Fake 5G coronavirus theories have real-world consequences (WashPost)
    How automation is growing amid coronavirus outbreak and beyond
    (Orange County Register)
    Schools already struggled with cybersecurity. Then came COVID-19 (WiReD)
    Scary New Coronavirus is Now Infecting Millions, Study Says (CNN)
    Barbara Simons Receives 2019 ACM Policy Award (ACM)
    Re: Ripple20 IP stack vulnerability may affect literally billion devices
    (Brian Inglis)
    Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water
    System (David E. Ross)
    Re: 40 msecs to go halfway around the Earth? (Henry Baker, Michael Bacon)
    Re: Quote of The Day (Henry Baker)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 1 Jul 2020 11:31:47 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: A Doctor Confronts Medical Errors -- And Flaws In The System That
    Create Mistakes (npr.org)

    A Doctor Confronts Medical Errors — And Flaws In The System That Create Mistakes

    Mistakes and lessons learned from medical practitioners that may resonate
    with comp.risks readers.

    1) "On how the checklist system used in medicine was adapted from aviation"

    "In the aviation industry, there was a whole development of the process
    called "the checklist." And some people date this back to 1935 when a very
    complex [Boeing] B-17 [Flying] Fortress was being tested with the head of
    the military aviation division. And it exploded, and the pilot unfortunately
    died. And when they analyzed what happened, they realized that the high-tech
    airplane was so complex that a human being could not keep track of
    everything. And that even if he was the smartest, most experienced pilot, it
    was just too much and you were bound to have an error. And so they developed
    the idea of making a checklist to make sure that every single thing you have
    to check is done. And so it put more of the onus on a system, of checking up
    on the system, rather than the pilot to keep track of everything. And the
    checklist quickly decreased the adverse events and bad outcomes in the
    aviation industry."

    The interview continues with "On how the checklist system did not result
    in improved safety outcomes when implemented in Canadian operating rooms",
    which reveals how checklists can compromise safety.

    Software stack release life cycle and ecosystem-wide deployment (aka change
    management) are governed by standard operating procedures and checklists to
    guide governance readiness based on must-fix versus 'deferred or exempt from
    fix, add to release notes' to 'kick bits out the door' for sale.

    Ecosystem deployment checklists do not guarantee an organization
    against data breach or ransomware incidents. Public data privacy stewardship
    and effective computer ecosystem protections are traded for profit. Law
    enforcement pursues cybercriminals more than owners/operators of deployed
    platforms recognized as vulnerable to burgeoning risk perimeters and
    recurrent incidents.

    2) "Electronic medical records"

    "[Electronic medical records] really started as a method for billing, for
    interfacing with insurance companies and medical billing with diagnosis
    codes. And that's the origin. And then it kind of retroactively was expanded
    to include the patient care. And so you see that difference now."

    A solution scoped to expedite fee-for-service billing (revenue capture and
    realization) transitions into the doctor's office and compromises patient
    care. EHRs transform physicians into point-of-sale entry clerks to reduce
    back-end corporate expenses (aka overhead). EHR deployment transition
    diminishes nationwide healthcare effectiveness.

    ------------------------------

    Date: Wed, 1 Jul 2020 21:55:47 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: U.S. Watchdog's Report Faults Boeing's Disclosures on 737 Max
    Software (NYTimes)

    Boeing has completed a series of test flights, but a return to the skies
    will depend on more safety milestones.

    U.S. Watchdog’s Report Faults Boeing’s Disclosures on 737 Max Software

    ------------------------------

    Date: Tue, 30 Jun 2020 07:38:54 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: U.S. Cyber-Command says foreign hackers will most likely exploit
    new PAN-OS security bug (ZDNet)

    Palo Alto Networks disclosed today a major bug that lets hackers bypass
    authentication on its firewall and corporate VPN products.

    US Cyber Command says foreign hackers will attempt to exploit new PAN-OS security bug | ZDNet

    ------------------------------

    Date: Wed, 1 Jul 2020 08:19:24 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Education Dept. left Social Security numbers of thousands of
    borrowers exposed for months (WashPost)

    The U.S. Department of Education for at least six months left the Social
    Security numbers of nearly 250,000 people seeking student debt relief
    unprotected and susceptible to a data breach.

    https://www.washingtonpost.com/educ...y-numbers-thousands-borrowers-exposed-months/

    ------------------------------

    Date: Wed, 1 Jul 2020 08:15:42 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: China's Software Stalked Uighurs Earlier and More Widely,
    Researchers Learn (NYTimes)

    A new report revealed a broad campaign that targeted Muslims in China and
    their diaspora in other countries, beginning as early as 2013.

    China’s Software Stalked Uighurs Earlier and More Widely, Researchers Learn

    ------------------------------

    Date: Wed, 1 Jul 2020 11:52:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: A New Ransomware Targeting Apple macOS Users Through Pirated Apps
    (The Hacker News)

    Cybersecurity researchers this week discovered a new type of ransomware
    targeting macOS users that spreads via pirated apps.

    According to several independent reports from K7 Lab malware researcher
    Dinesh Devadoss, Patrick Wardle <Objective-See's Blog>, and Malwarebytes
    <New Mac ransomware spreading through piracy - Malwarebytes Labs>,
    the ransomware variant -- dubbed "EvilQuest" -- is packaged along with
    legitimate apps, which, upon installation, disguises itself as Apple's
    CrashReporter or Google Software Update.

    Besides encrypting the victim's files, EvilQuest also comes with
    capabilities to ensure persistence, log keystrokes, create a reverse shell,
    and steal cryptocurrency wallet-related files.

    With this development, EvilQuest joins a handful of ransomware strains that
    have exclusively singled out macOS, including KeRanger
    <New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer>
    and Patcher
    <New crypto‑ransomware hits macOS | WeLiveSecurity>
    [...]

    A New Ransomware Targeting Apple macOS Users Through Pirated Apps

    ------------------------------

    Date: Wed, 1 Jul 2020 11:51:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers
    (BishopFox)

    As the old joke goes, the 'S' in 'IoT' stands for security. While (Internet
    of) Things can vary *wildly* in design robustness and overall security, many
    embedded devices nowadays have at least the basic protections in place.
    Happily, the egregious security mistakes of the past are now becoming less
    and less common. Despite the stereotype, Things in the IoT aren't quite as
    bad as they used to be (pun intended).

    For instance, the use of insecure communications (e.g., unencrypted HTTP),
    is now only found in a minority of Bishop Fox client product assessments,
    which gives a somewhat positive (and admittedly biased) picture of IoT
    security trends. In a twist of irony, the increasingly common implementation
    of encrypted communications to repel attackers is also an obstacle for pen
    testers assessing the security of the products, since the data is now hidden
    to everyone but the client and server. Overall, it's a win for security, but
    it's required us to develop new tactics for getting into that data.

    In my time at Bishop Fox, I've had to overcome this problem on many, many
    hardware assessments, with Things ranging from consumer gadgets to
    networking equipment to Internet-connected industrial control systems.
    Regardless of the specific implementation, the goal at the start of every
    assessment is the same: decrypt HTTPS traffic so I can understand what the
    system is doing and why. Once I have this understanding, I can begin to
    attack the device itself, upstream services, and sometimes even other
    devices.

    In this post I'll show you three attack techniques for performing
    Man-in-the-Middle attacks against production-grade, HTTPS-protected Things.
    For these
    examples, we'll assume you're redirecting all the device's traffic through
    an HTTPS-aware proxy (like Burp), and that you have no administrative
    control over the device. All you have at the start is a view of the
    unintelligible encrypted stream, showcasing the full spectrum of unprintable
    ASCII characters: [...]

    Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers
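
    A constructed example to go with the Bishop Fox item above; it is added
    here and is not code from that post or from Bishop Fox. Whatever
    interception technique you end up using, the first bytes of that
    "unintelligible encrypted stream" are still a cleartext ClientHello, and
    reading it tells you where the Thing is going (SNI), which TLS versions and
    cipher suites it will accept, and therefore what a proxy such as Burp would
    have to present to it. The parser below handles the TLS 1.2/1.3 ClientHello
    layout (record header, handshake header, versions, cipher suites, and the
    server_name and supported_versions extensions). The sample hello, its
    hostname, suite list and version list are invented for this example; the
    builder exists only to construct that test input offline.

```python
import struct

# IANA cipher-suite values -> names (a subset; anything else is shown in hex)
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
STATIC_RSA_SUITES = {0x002F, 0x0035, 0x000A}  # RSA key exchange: no forward secrecy
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0, 43


def u16(buf, i):
    return struct.unpack("!H", buf[i:i + 2])[0]


def build_client_hello(host, suites, supported_versions=(0x0304, 0x0303)):
    """Assemble a minimal ClientHello (record + handshake framing) as test input.

    host=None omits the SNI extension, which some embedded clients never send.
    """
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    vers = b"".join(struct.pack("!H", v) for v in supported_versions)
    sv = bytes([len(vers)]) + vers
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x03"                                  # legacy_version = TLS 1.2
        + bytes(32)                                  # client random (zeros: test vector only)
        + b"\x00"                                    # empty session id
        + struct.pack("!H", len(cs)) + cs
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake


def parse_client_hello(data):
    """Parse the first TLS record of a stream; ValueError if it is not a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec = data[5:5 + u16(data, 3)]
    if len(rec) < 4 or rec[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    info = {"client_version": u16(body, 0), "sni": None, "supported_versions": []}
    pos = 2 + 32                                     # skip legacy_version and random
    pos += 1 + body[pos]                             # session id
    cs_len = u16(body, pos); pos += 2
    info["cipher_suites"] = [u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # compression methods
    if pos + 2 > len(body):
        return info                                  # no extensions block at all
    end = pos + 2 + u16(body, pos); pos += 2
    while pos + 4 <= end:
        etype, elen = u16(body, pos), u16(body, pos + 2)
        ext = body[pos + 4:pos + 4 + elen]; pos += 4 + elen
        if etype == EXT_SERVER_NAME and len(ext) >= 5 and ext[2] == 0:
            info["sni"] = ext[5:5 + u16(ext, 3)].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_VERSIONS and len(ext) >= 1:
            info["supported_versions"] = [u16(ext, i) for i in range(1, 1 + ext[0], 2)]
    return info


def triage(info):
    """What the ClientHello tells you before you try to get in the middle."""
    notes = []
    versions = info["supported_versions"] or [info["client_version"]]
    if info["sni"] is None:
        notes.append("no SNI: the client never names the server, so a proxy cannot "
                     "select a certificate by hostname; the destination has to come "
                     "from DNS or the IP alone")
    if any(v <= 0x0302 for v in versions):
        notes.append("legacy TLS 1.0/1.1 offered")
    weak = [s for s in info["cipher_suites"] if s in STATIC_RSA_SUITES]
    if weak:
        notes.append("no forward secrecy: static RSA key exchange offered ("
                     + ", ".join(SUITE_NAMES.get(s, "0x%04x" % s) for s in weak) + ")")
    return notes


# Constructed sample: hostname, suites and versions are invented for this example.
SAMPLE_HELLO = build_client_hello("thing-updates.example.net",
                                  [0xC02F, 0xC013, 0x002F, 0x000A],
                                  supported_versions=(0x0303, 0x0302, 0x0301))

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE_HELLO)
    print("SNI:     ", info["sni"])
    print("versions:", [VERSION_NAMES.get(v, hex(v)) for v in info["supported_versions"]])
    print("suites:  ", [SUITE_NAMES.get(s, hex(s)) for s in info["cipher_suites"]])
    for note in triage(info):
        print(" -", note)
```

    On a real assessment you would feed parse_client_hello() the first record
    captured from the device (a pcap, or the bytes your transparent proxy sees
    before it decides how to answer). A missing SNI and a static-RSA suite list
    are the two findings that most change the interception plan: the former
    decides how you route and which certificate to present, the latter means
    that, if you ever obtain the server key, previously recorded sessions can
    be decrypted as well.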

    ------------------------------

    Date: Wed, 1 Jul 2020 10:21:42 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: When speech assistants listen even though they shouldn't
    (Julia Weiler)

    Julia Weiler, Ruhr-Universitaet Bochum, Translated by Donata Zuber,
    30 June 2020

    Researchers from Ruhr-Universität Bochum (RUB) and the Bochum Max Planck
    Institute (MPI) for Cybersecurity and Privacy have investigated which
    words inadvertently activate voice assistants. They compiled a list of
    English, German, and Chinese terms that were repeatedly misinterpreted by
    various smart speakers as prompts. Whenever the systems wake up, they
    record a short sequence of what is being said and transmit the data to the
    manufacturer. The audio snippets are then transcribed and checked by
    employees of the respective corporation. Thus, fragments of very private
    conversations can end up in the companies' systems.

    Süddeutsche Zeitung and NDR reported on the results of the analysis on 30
    June 2020. Examples yielded by the researchers' analysis can be found at
    unacceptable-privacy.github.io.

    https://news.rub.de/english/press-r...h-assistants-listen-even-though-they-shouldnt

    ------------------------------

    Date: Wed, 1 Jul 2020 09:26:05 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Over 400 Advertisers Hit Pause On Facebook, Threatening $70 Billion
    Juggernaut (NPR)

    Over 400 Advertisers Hit Pause On Facebook, Threatening $70 Billion Juggernaut
    ------------------------------

    Date: Thu, 2 Jul 2020 09:00:20 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: How Police Secretly Took Over a Global Phone Network for Organized
    Crime (Irish News)

    *Police monitored a hundred million encrypted messages sent through
    Encrochat, a network used by career criminals to discuss drug deals,
    murders, and extortion plots.*

    Something wasn't right. Starting earlier this year, police kept arresting
    associates of Mark, a UK-based alleged drug dealer. Mark took the security
    of his operation seriously, with the gang using code names to discuss
    business on custom, encrypted phones made by a company called Encrochat.
    For legal reasons, Motherboard is referring to Mark using a pseudonym.

    Because the messages were encrypted on the devices themselves, police
    couldn't tap the group's phones or intercept messages as authorities
    normally would. On Encrochat, criminals spoke openly and negotiated their
    deals in granular detail, with price lists, names of customers, and explicit
    references to the large quantities of drugs they sold, according to
    documents obtained by Motherboard from sources in and around the criminal
    world.

    Maybe it was a coincidence, but in the same time frame, police across the UK
    and Europe busted a wide range of criminals. In mid-June, authorities picked
    up an alleged member of another drug gang.
    <https://www.irishnews.com/news/nort...ortation-of-drugs-on-encrypted-phone-1977585/>

    A few days later, law enforcement seized millions of dollars worth of
    illegal drugs in Amsterdam. It was as if the police were detaining people
    from completely unrelated gangs simultaneously. "[The police] all over it
    aren't they," the dealer wrote in one of the messages obtained by
    Motherboard. "My heads still baffled how they got on all my guys."
    <https://www.thesun.ie/news/5564093/irish-crime-gangs-drugs-seized-oranges-melons/>

    Unbeknownst to Mark, or the tens of thousands of other alleged Encrochat
    users, their messages weren't really secure. French authorities had
    penetrated the Encrochat network, leveraged that access to install a
    technical tool in what appears to be a mass hacking operation, and had been
    quietly reading the users' communications for months. Investigators then
    shared those messages with agencies around Europe.

    "I've never seen anything like this."

    Only now is the astonishing scale of the operation coming into focus: It
    represents one of the largest law enforcement infiltrations of a
    communications network predominantly used by criminals ever, with Encrochat
    users spreading beyond Europe to the Middle East and elsewhere. French,
    Dutch, and other European agencies monitored and investigated "more than a
    hundred million encrypted messages" sent between Encrochat users in real
    time, leading to arrests in the UK, Norway, Sweden, France, and the
    Netherlands, a team of international law enforcement agencies announced
    Thursday. [...]
    https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked

    ------------------------------

    Date: Thu, 2 Jul 2020 09:01:20 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Your next BMW might only have heated seats for 3 months (CNET)

    As services-based economies sweep every industry, it's time for the
    automotive realm to carry on.

    German luxury cars are renowned for the breadth of their options sheets. On
    one hand, this means you can get your next BMW 5 Series
    <https://www.cnet.com/news/2021-bmw-5-series-hybrid-power-price-msrp/>
    configured exactly how you want it. On the other hand, it means you'll often
    wind up paying extra for seemingly basic things like, say, a spare tire.
    Now, BMW is raising the ante by making many car options into software
    services enabled whenever you want them. The disconcerting part? They can be
    disabled, too.

    In a VR presentation streamed from Germany today, BMW ran through a series
    of digital updates to its cars, including more details on the new BMW
    digital key <https://www.cnet.com/news/apple-car-keyless-entry-ios-bmw/>
    service announced with Apple at last week's WWDC and confirming that current
    model cars will be fully software upgradeable over the air, a la Tesla. The
    first such update will hit BMW Operating System 7 cars in July. Packages are
    said to be approximately 1GB in size and will take roughly 20 minutes to
    install.

    But, the most notable part of the day's presentation was the new plan to
    turn many options into software services. BMW mentioned everything from
    advanced safety systems like adaptive cruise and automatic high-beams to
    other, more discrete options like heated seats.

    These options will be enabled via the car or the new My BMW app. While some
    will be permanent and assigned to the car, others will be temporary, with
    mentioned periods ranging from three months to three years. Some,
    presumably, will be permanent, but during the stream's Q&A portion BMW
    representatives demurred on the details.

    So, yes, you could theoretically only pay for heated seats in the colder
    months if you like, or perhaps save a few bucks by only enabling automatic
    high-beams on those seasons when the days are shortest. [...]
    https://www.cnet.com/roadshow/news/bmw-vehicle-as-a-platform/

    ------------------------------

    Date: Wed, 1 Jul 2020 22:35:09 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Microsoft releases emergency security update to fix two bugs in
    Windows codecs (ZDNet)

    Security updates have been silently deployed to customers on Tuesday through
    the Windows Store app.

    https://www.zdnet.com/article/micro...ity-update-to-fix-two-bugs-in-windows-codecs/

    ------------------------------

    Date: Tue, 30 Jun 2020 17:48:30 -0400 (EDT)
    From: Eli the Bearded <*@qaz.wtf>
    Subject: Mr Potato Head sales problem (mykawartha)

    Full url:
    https://www.mykawartha.com/news-sto...roblem-with-mr-potato-head-glitch-in-lindsay/

    Short url: https://potato-head.on-a.pizza/

    Canadian Tire is attributing the glitch that caused all items at Lindsay's
    Canadian Tire to scan as a Mr. Potato Head toy to a downloading error.

    Five stores in Lindsay and Whitby were impacted in the bizarre computer
    system fritz that started around 7 a.m. Monday (June 29). A staff member
    from Lindsay Canadian Tire who wished to remain anonymous said any item
    the team scanned showed the same product number and information as the
    popular toy.

    Cathy Kurzbock, manager of external communications for the Canadian Tire
    Corporation, clarified the glitch only made the names of products appear
    the same, not the prices or the item numbers. She said the anomaly didn't
    affect stores outside of Lindsay or Whitby.

    Sounds like this would have made for whimsical receipts and difficult
    returns.

    ------------------------------

    Date: Wed, 1 Jul 2020 22:02:27 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Deepfake Technology Enters the Documentary World (NYTimes)

    A film about persecuted gays and lesbians in Chechnya uses digital
    manipulation to guard their identities without losing their humanity. The
    step raises familiar questions about nonfiction movies.

    https://www.nytimes.com/2020/07/01/movies/deepfakes-documentary-welcome-to-chechnya.html

    ------------------------------

    Date: Thu, 2 Jul 2020 08:59:22 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Fake 5G coronavirus theories have real-world consequences
    (WashPost)

    Conspiracy theories have driven people to burn cellular equipment. Telecom
    workers have had to bear the brunt of this.

    Telephone engineer David Snowdon was just returning to his van after an
    assignment repairing a cell site when a car sped past him, spun around and
    stopped right in front of him. Two men got out of the vehicle and asked him
    if he had anything to do with 5G <https://www.cnet.com/5g/> masts.

    "You better not be or there will be f*cking trouble," said one of the men,
    before kicking the door of Snowdon's van, smacking the mirror around and
    walking off.

    Initially, the 56-year-old from Birmingham in the UK's Midlands region
    thought that what he experienced was an isolated incident. Then he did some
    research.

    "The next day, I went onto Facebook and there it all was, this big 5G
    conspiracy," he said in a phone call with CNET. "I thought, I better report
    this, and when I reported it to our security team, they went, 'Yeah,
    there's been quite a few.'"

    Over the past four months, telecom engineers across the UK have been
    subjected to verbal and physical abuse, or targeted online harassment and
    doxxing. The U.S. Department of Homeland Security issued a warning
    <https://www.washingtonpost.com/nati...a9eaa6-951f-11ea-82b4-c8db161ff6e5_story.html>
    to carriers about potential threat to wireless equipment here. All because
    some people are buying into the conspiracy theory that 5G is to blame for
    the coronavirus
    <https://www.cnet.com/health/coronavirus-test-how-long-does-it-take-to-get-covid-19-results-back/>
    pandemic, something that popped up just as the disease spread beyond China
    in January.

    5G has been a target of conspiracy theorists for as long as it's been
    around, just as with 4G and 3G before it. But what's different this time
    around is that people started linking it in various ways to COVID-19, saying
    either that the technology weakens immune systems, or even that it's
    responsible for directly transmitting the virus.

    Scientists around the world are in agreement that all such claims are
    categorically false. [...]
    <https://www.cnet.com/news/5g-has-no...media-aims-to-squash-false-conspiracy-theory/>
    https://www.cnet.com/news/fake-5g-coronavirus-theories-have-real-world-consequences/

    ------------------------------

    Date: Tue, 30 Jun 2020 12:50:32 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: How automation is growing amid coronavirus outbreak and beyond
    (Orange County Register)

    https://www.ocregister.com/2020/06/...growing-amid-coronavirus-outbreak-and-beyond/

    "Even before the global pandemic, waiting in line to get prescriptions
    filled in a pharmacy was a pain. Enter NowRx, a company that started in the
    Bay Area and expanded to Orange County with sights on extending its reach to
    other regions of the state and Arizona.

    "The company claims it has 99% of the pharmaceuticals typically found at
    brick-and-mortar pharmacies (and online) and can deliver medication to you
    on the day or sometimes hours after your doctor submits a prescription."

    Pharmacists fulfill an essential role: trained to decipher a physician's
    enciphered scrawl, they also alert patients to dangerous interactions among
    prescriptions possibly overlooked by their doctor. One website that
    identifies them is drug interaction checker:
    https://reference.medscape.com/drug-interactionchecker.

    NowRX dispenses with consultation. Pharmacists have become too expensive and
    slow: they fill only ~100/day per person with an unacceptable error
    rate. The robo-pharmacist pushes prescriptions out at ~2000/day with
    substantially suppressed error occurrence.

    Will robo-pharmacists automatically identify physicians that over-prescribe
    opioids and notify the DEA? If NowRX dispenses incorrectly, and the medicine
    severely injures the patient, do their Terms of Service state the equivalent
    of "by accepting delivery, you agree to indemnify against error or injury
    after consuming or using said prescription(s)..."

    Note to job seekers: The essay discloses several charts projecting year 2030
    robotic solution encroachment into various industries. The top-3 robotic
    targets are agriculture/forestry/fishing, retail, and finance/insurance.

    ------------------------------

    Date: Fri, 3 Jul 2020 06:17:30 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Schools already struggled with cybersecurity. Then came COVID-19
    (WiReD)

    A lack of resources has made it hard to keep data secure.

    This time last year, Jaggar Henry was enjoying the summer like so many other
    teens. The 17-year-old had a job, was hanging out with friends on the
    weekends, and was just generally spending a lot of time online. But then, at
    the end of July, Henry combed his hair, donned a slightly oversized Oxford
    shirt, and appeared before his school district's board in Polk County,
    Florida -- one of the larger school districts in the United States -- to
    outline a slew of
    security flaws he had found in its digital systems. His presentation was the
    culmination of months of work and focused on software used by more than
    100,000 students.

    Those vulnerabilities have been fixed, but Henry, who now works full time on
    education technology, says that his experience illustrates the challenges
    facing school districts across the United States -- and a problem that's
    grown more acute in the wake of COVID-19.

    The coronavirus pandemic has had major cybersecurity implications around the
    world. Tailored phishing
    <https://www.wired.com/story/coronavirus-phishing-scams/> attacks and
    contact-tracing scams
    <https://www.wired.com/story/covid-19-contact-tracing-scams> prey on fear
    and uncertainty. Fraudsters are targeting
    <https://www.wired.com/story/nigerian-scammers-unemployment-system-scattered-canary/>
    economic relief and unemployment payments. The stakes are higher than ever
    <https://www.wired.com/story/covid-19-pandemic-ransomware-long-game/> for
    ransomware attacks that target health care providers and other critical
    infrastructure. For businesses, the transition to remote work has created
    new exposures and magnified existing ones.
    <https://www.wired.com/story/coronavirus-cyberattacks-ransomware-phishing/>

    School districts in the United States already had significant cybersecurity
    shortcomings. They often lack dedicated funding and skilled personnel to
    continuously vet and improve cybersecurity defenses. As a result, many
    schools make basic system-setup errors or leave old vulnerabilities
    unpatched -- essentially propping a door open for hackers and scammers.
    Schools and students also face potential exposure from third-party
    education-technology firms that fail to adequately secure data in their
    platforms. [...]

    <https://www.wired.com/story/teen-hacker-school-software-blackboard-follett/>
    https://arstechnica.com/tech-policy...uggled-with-cybersecurity-then-came-covid-19/

    ------------------------------

    Date: Fri, Jul 3, 2020 at 3:29 AM
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Scary New Coronavirus is Now Infecting Millions, Study Says
    (CNN)

    A mutation works even faster than the original, a new study confirms.

    Just as we're dealing with one coronavirus epidemic, researchers are finding
    the virus has mutated to become an even faster infection machine. "A global
    study has found strong evidence that a new form of the coronavirus has
    spread from Europe to the U.S. The new mutation makes the virus more likely
    to infect people but does not seem to make them any sicker than earlier
    variations of the virus, an international team of researchers reported
    Thursday," says CNN.
    <https://www.cnn.com/2020/07/02/health/coronavirus-mutation-spread-study/index.html>

    "It is now the dominant form infecting people," Erica Ollmann Saphire of the
    La Jolla Institute for Immunology and the Coronavirus Immunotherapy
    Consortium, who worked on the study, told CNN. "This is now the virus."

    How They Discovered the Mutation

    "The study, *published in the journal Cell,*
    <https://www.cell.com/action/showPdf?pii=S0092-8674(20)30820-5> builds
    on some earlier work the team did that was *released on a preprint server*
    <https://www.biorxiv.org/content/10.1101/2020.04.29.069054v1> earlier in the
    year. Shared information on genetic sequences had indicated that a certain
    mutant version of the virus was taking over," reports CNN. "Now the team has
    not only checked more genetic sequences, but they have also run experiments
    involving people, animals and cells in lab dishes that show the mutated
    version is more common and that it's more infectious than other versions."

    Bette Korber, a theoretical biologist at Los Alamos National Laboratory and
    lead author of the study, noted, "The D614G variant first came to our
    attention in early April, as we had observed a strikingly repetitive
    pattern. All over the world, even when local epidemics had many cases of
    the original form circulating, soon after the D614G variant was introduced
    into a region it became the prevalent form."

    "It's remarkable to me," commented Will Fischer of Los Alamos, an author on
    the study, according to *Science Daily
    <https://www.sciencedaily.com/releases/2020/07/200702144054.htm>*, "both
    that this increase in infectivity was detected by careful observation of
    sequence data alone, and that our experimental colleagues could confirm it
    with live virus in such a short time."

    Focused on the Immune Response

    "We are focused on the human immune response because LJI is the
    headquarters for the Coronavirus Immunotherapy Consortium (CoVIC), a global
    collaboration to understand and advance antibody treatments against the
    virus," says Saphire, who leads the Gates Foundation-supported CoVIC.
    "Saphire explains that viruses regularly acquire mutations to help them
    'escape' antibodies made by the human immune system. When a virus acquires
    many of these individual changes, it 'drifts' away from the original virus.
    Researchers call this phenomenon 'antigenic drift.' Antigenic drift is part
    of the reason you need a new flu shot each year," reports *MedicalXpress
    <https://medicalxpress.com/news/2020-07-mutation-coronavirus-dominate-globe.html>*.
    "It is extremely important for researchers to track *antigenic drift*
    <https://medicalxpress.com/tags/antigenic+drift/> as they design vaccines
    and therapeutics for COVID-19."

    No matter what strain of coronavirus we're fighting, it's essential we
    present a united front: wear your face mask when around people you don't
    shelter with, practice social distancing, wash your hands frequently,
    monitor your health, and to get through this pandemic at your healthiest,
    don't miss these *Things You Should Never Do During the Coronavirus
    Pandemic*.
    <https://www.msn.com/en-sg/news/othe...o-during-the-coronavirus-pandemic/ss-BB13eYyy>
    https://www.eatthis.com/covid-19-mutation-study/

    ------------------------------

    Date: Wed, 01 Jul 2020 17:48:51 +0200
    From: "Diego.Latella" <diego....@isti.cnr.it>
    Subject: Barbara Simons Receives 2019 ACM Policy Award (ACM)

    ACM Bulletin Archives, 1 Jul 2020

    Barbara Simons was named the recipient of the 2019 ACM Policy Award for
    long-standing, high-impact leadership as ACM President and founding Chair of
    ACM's U.S. Public Policy Committee (USACM, now USTPC), while making
    influential contributions to improve the reliability of and public
    confidence in election technology. Over several decades, Simons has advanced
    technology policy by founding and leading organizations, authoring
    influential publications, and effecting change through lobbying and public
    education.

    Now part of ACM's Technology Policy Council (TPC), which serves global
    regions, the TPC groups have continued Simons' original vision for ACM: to
    provide cogent advice and analysis to legislators and policymakers about a
    wide range of issues including cryptography, computer security, privacy, and
    intellectual property.

    Simons is internationally known as an expert on voting technology, an
    advocate for auditable paper-based voting systems, and author of numerous
    papers on secure election technology. Through her publications, reports,
    testimony to the U.S. Congress, and advocacy, Simons has been a key player
    in persuading election officials to shift to paper-based voting systems, and
    has contributed to proposals for reforms in election technologies.

    Simons served as ACM President from 1998 to 2000. Since 2008, Simons has
    served as one of two U.S. Senate appointees to the Board of Advisors of the
    U.S. Election Assistance Commission, and she was named Chair of the Board of
    Advisors subcommittee on election security in 2019. She currently also
    chairs the Board of Directors of Verified Voting, a nonpartisan nonprofit
    organization that advocates for legislation and regulation that promotes
    accuracy, transparency and verifiability of elections. She remains active
    with ACM as a member of the global Technology Policy Council and as Co-chair
    of USTPC's Voting subcommittee.

    [Barbara has been a long-time contributor to efforts to achieve election
    integrity. This recognition is hugely well deserved. PGN]

    ------------------------------

    Date: Fri, 3 Jul 2020 09:55:17 -0600
    From: Brian Inglis <Brian...@systematicsw.ab.ca>
    Subject: Re: Ripple20 IP stack vulnerability may affect literally billion
    devices (Ishikawa, RISKS-32.06)

    The cause of the "billions" appears if you follow the trail to Intel: you
    find the stack embedded in management firmware in what appear to be many
    common (all PC?) products; Intel's statement that products for which no
    future releases were planned are out of support and were not evaluated for
    any vulnerabilities; and issued its own "CVEs" separate from the published
    "CVEs".

    Besides possible attempts at minimization, on the heels of ongoing
    announcements of new speculative execution vulnerabilities, mitigation
    microcode update issuances, withdrawals, and redos, I thought the whole
    point of the "CVE" database was for orgs to reuse existing ids, to simplify
    checking for existence of vulnerabilities and application of mitigation, not
    have to provide a "CVE" cross-reference table in a security announcement
    rated *CRITICAL*, covering what appears to be a number of organizational
    management components in many devices:
    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html
    (find VU#257161)

    ------------------------------

    Date: Mon, 29 Jun 2020 19:55:27 -0700
    From: "David E. Ross" <da...@rossde.com>
    Subject: Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's
    Water System (RISKS-32.06)

    I live in a small suburban community in Ventura County, a five-minute walk
    from the Los Angeles County line and about 10 miles from the western edge of
    the city of Los Angeles. The population is less than 15,000. Our water is
    not well water. Instead, it is snow melt from northern California. For
    Ventura and Los Angeles Counties, the California State Water Project
    aqueduct ends in the north end of the city of Los Angeles, where it is
    filtered, chlorinated, and fluoridated at the Jensen Treatment Plant. From
    there, Ventura County's portion is piped to the Bard Reservoir. As it
    leaves the Bard Reservoir -- and only at that location -- the water is again
    filtered, chlorinated, and thoroughly tested. It is also treated with ozone
    to treat organics (live or otherwise) that might pass through the filters or
    be immune to chlorine. It is then piped without further exposure to the
    environment to my house and to over 250,000 people in adjacent areas.

    Similar processes are involved in distributing water elsewhere in Ventura
    County and in Los Angeles County. Nasadowski made generalizations about
    water that do not apply to a very large population in the United States.

    ------------------------------

    Date: Mon, 29 Jun 2020 20:26:02 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: 40 msecs to go halfway around the Earth? (Cohen, RISKS-32.06)

    It's even worse than that; the speed of propagation in a fiber optic cable
    is only ~2/3 of the speed in a vacuum -- i.e., ~2/3c. This is one of the
    reasons why some High Frequency Traders (HFT's) want laser-based 'free
    space' communications links to provide lower latency.

    Perhaps lies propagate faster by means of quantum 'spooky lying at a
    distance'? Perhaps via the collapse of the 'hand wave' function?

    ------------------------------

    Date: Tue, 30 Jun 2020 13:05:42 +0100
    From: Michael Bacon <attilath...@tiscali.co.uk>
    Subject: Re: 40 msecs to go halfway around the Earth? (Cohen, RISKS-32.06)

    Regarding Fred Cohen's detailed calculation, for which I thank him, I will
    merely say in defence of my hyperbole that neither William Shakespeare nor I
    indicated along which line of longitude (or latitude) lay the course of the
    lie.

    ------------------------------

    Date: Tue, 30 Jun 2020 17:09:09 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: Quote of The Day (George Orwell, 1984)

    An old Soviet black humor joke about constantly rewritten history:

    Predicting the future is easy;
    predicting the past is what's hard
    [behind the Iron Curtain].

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.07
    ************************
     
  18. LakeGator

    Risks Digest 32.08

    RISKS List Owner

    Jul 7, 2020 9:14 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 7 July 2020 Volume 32 : Issue 08

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The RISKS Digest> as
    <The RISKS Digest, Volume 32 Issue 08>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    No Injuries In Red Line Metro Derailment Outside Silver Spring (DCist)
    In Hong Kong, a Proxy Battle Over Internet Freedom Begins (NYTimes)
    Looks Like Russian Hackers Are on an Email Scam Spree (WiReD)
    Supreme Court bans debt collection robocalling to cellphones (TypePad)
    Goodbye to the Wild Wild Web (NYTimes)
    Encrypted Phone Network of Mob is Hacked in Europe (Adam Nossiter)
    Risks of Editing Wikipedia (Aida Chavez)
    Not so random acts: Science finds that being kind pays off (APNews)
    How my dad got scammed for $3,000 worth of gift cards (Zachary Crockett)
    Japanese startup creates 'connected' face mask for coronavirus new normal
    (Reuters)
    What we need is social-media distancing (Spectator)
    Early Covid-19 tracking apps easy prey for hackers, and it might get worse
    before it gets better (Jumbo Privacy)
    Re: Breaking HTTPS in the IoT: Practical Attacks For Reverse (Keith Medcalf)
    Re: Jane Goodall on conservation, climate change and COVID-19 (CBS News,
    Dennis Allison)
    Re: A Doctor Confronts Medical Errors (Amos Shapir)
    Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water
    System (Bill Matthews)
    Quote of The Day (Calvin Coolidge)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 7 Jul 2020 17:49:41 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: No Injuries In Red Line Metro Derailment Outside Silver Spring
    (DCist)

    The Washington Metrorail Safety Commission, the independent body overseeing
    Metro safety, says its preliminary investigation found the operator ran a
    red signal, which has been a fireable offense in previous instances.

    How can modern trains run red signals? Even without Positive Train Control,
    automatic stop-on-red has been around for a long time. That seems better
    than firing after offenses.

    No Injuries In Red Line Metro Derailment Outside Silver Spring | DCist

    ------------------------------

    Date: Tue, 7 Jul 2020 12:11:49 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: In Hong Kong, a Proxy Battle Over Internet Freedom Begins (NYTimes)

    As the city grapples with new restrictions on online speech, American tech
    giants are on the front line of a clash between China and the United States
    over the Internet's future.

    In Hong Kong, a Proxy Battle Over Internet Freedom Begins

    ------------------------------

    Date: Tue, 7 Jul 2020 17:26:21 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Looks Like Russian Hackers Are on an Email Scam Spree (WiReD)

    A group dubbed Cosmic Lynx uses surprisingly sophisticated methods -- and
    targets big game.

    For years, costly email grifts have largely been the provenance of West
    African scammers, particularly those based in Nigeria
    <Feds Bust Dozens of Nigerian Email Scammers, but Your Inbox Still Isn’t Safe>. A newly
    discovered "business email compromise" campaign, though, appears to come
    from a criminal group in a part of the world better known for a different
    brand of online mayhem: Russia.

    Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns
    since July 2019, according to researchers from the email security firm
    Agari, particularly targeting senior executives at large organizations and
    corporations in 46 countries. Cosmic Lynx specializes in topical, tailored
    scams related to mergers and acquisitions; the group typically requests
    hundreds of thousands or even millions of dollars as part of its hustles.
    The researchers, who have worked extensively on tracking Nigerian BEC
    scammers, say they don't have a clear sense of how often Cosmic Lynx
    actually succeeds at obtaining a payout. Given that the group hasn't lowered
    its asks in a year, though, and has been prolific about developing new
    campaigns -- including some compelling Covid-19–related scams -- Agari
    reasons that Cosmic Lynx must be raking in a fair amount of money.

    Looks Like Russian Hackers Are on an Email Scam Spree

    ------------------------------

    Date: Tue, 7 Jul 2020 10:23:14 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Supreme Court bans debt collection robocalling to cellphones
    (TypePad)

    Supreme Court bans debt collection robocalling to cellphones
    "Severability" to the Rescue Again: A Further Note on Today's Supreme Court Robocalling Decision
    https://www.supremecourt.gov/opinions/19pdf/19-631_2d93.pdf

    ------------------------------

    Date: Fri, 3 Jul 2020 15:58:26 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Goodbye to the Wild Wild Web (NYTimes)

    The Internet is changing, and the freewheeling, anything-goes culture of
    social media is being replaced by something more accountable.

    Goodbye to the Wild Wild Web

    ------------------------------

    Date: Sat, 4 Jul 2020 17:18:04 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Encrypted Phone Network of Mob is Hacked in Europe (Adam Nossiter)

    Adam Nossiter, *The New York Times*, 3 July 2020

    Paris -- The police in Europe arrested hundreds of people on suspicion of
    drug trafficking and other crimes, after successfully hacking into an
    encrypted phone network being used by organized criminals around the world.
    Millions of messages were read in real time. PGN-ed

    ------------------------------

    Date: Sat, 04 Jul 2020 06:56:17 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Risks of Editing Wikipedia (Aida Chavez)

    [Right on cue re: Orwell, from the Ministry of Truth (Minitrue). HB]

    Aida Chavez, The Intercept, 2 Jul 2020
    Kamala Harris’s Wikipedia Page Is Being Edited

    There's a War Going On Over Kamala Harris's Wikipedia Page, with
    Unflattering Elements Vanishing

    California Democratic Sen. Kamala Harris is widely seen as a frontrunner for
    a spot on the ticket with presumptive nominee Joe Biden, with vetting well
    underway.

    Presidential vetting operations have entire teams of investigators, but for
    the public, when the pick is announced, the most common source for
    information about the person chosen is Wikipedia. And there, a war has
    broken out over how to talk about Harris's career.

    [Long item pruned for RISKS by your moderator, who notes that what was on
    wikipedia for me for many years was way out of date. I just checked for
    the first time in several years and see that the earlier version has been
    considerably updated! Many thanks to whomever had the patience to do
    that. PGN]

    ------------------------------

    Date: Sun, 5 Jul 2020 01:16:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Not so random acts: Science finds that being kind pays off

    Acts of kindness may not be that random after all. Science says being kind
    pays off.

    Research shows that acts of kindness make us feel better and healthier.
    Kindness is also key to how we evolved and survived as a species, scientists
    say. We are hard-wired to be kind.

    [But apparently not for all values of "we". PGN]

    Kindness ``is as bred in our bones as our anger or our lust or our grief or
    as our desire for revenge,'' said University of California San Diego
    psychologist Michael McCullough, author of the forthcoming book, *Kindness
    of Strangers*. It's also, he said, ``the main feature we take for
    granted.''

    Scientific research is booming into human kindness and what scientists have
    found so far speaks well of us.

    ``Kindness is much older than religion. It does seem to be universal,'' said
    University of Oxford anthropologist Oliver Curry, research director at
    Kindlab. ``The basic reason why people are kind is that we are social
    animals.''

    We prize kindness over any other value. When psychologists lumped values
    into ten categories and asked people what was more important, benevolence,
    or kindness, came out on top, beating hedonism, having an exciting life,
    creativity, ambition, tradition, security, obedience, seeking social justice
    and seeking power, said University of London psychologist Anat Bardi, who
    studies value systems.

    ``We're kind because under the right circumstances we all benefit from
    kindness,'' Oxford's Curry said.

    When it comes to a species' survival, ``kindness pays, friendliness pays,''
    said Duke University evolutionary anthropologist Brian Hare, author of the
    new book *Survival of the Friendliest* <https://amzn.to/2NS4JDs>.

    Kindness and cooperation work for many species, whether it's bacteria,
    flowers or our fellow primate bonobos. The more friends you have, the more
    individuals you help, the more successful you are, Hare said.

    For example, Hare, who studies bonobos and other primates, compares
    aggressive chimpanzees, which attack outsiders, to bonobos where the animals
    don't kill but help out strangers. Male bonobos are far more successful at
    mating than their male chimp counterparts, Hare said.

    McCullough sees bonobos as more the exceptions. Most animals aren't kind or
    helpful to strangers, just close relatives so in that way it is one of the
    traits that separate us from other species, he said. And that, he said, is
    because of the human ability to reason.

    Humans realize that there's not much difference between our close relatives
    and strangers and that someday strangers can help us if we are kind to them,
    McCullough said. [...]
    Not so random acts: Science finds that being kind pays off

    ------------------------------

    Date: Sun, 5 Jul 2020 09:27:01 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How my dad got scammed for $3,000 worth of gift cards
    (Zachary Crockett)

    At 2:30 pm on a recent Monday, my dad received a jarring phone call.

    A man claiming to be a federal agent (David White, ID #US2607-12) told him
    there was an abandoned car in El Paso, Texas, rented in his name. Inside
    the car, they'd found a pile of cash, blood, and drugs. His Social Security
    number had been linked to 7 different bank accounts, $230k in wired funds,
    and a rental unit stocked with 22 lbs. of cocaine.

    If my dad -- a 66-year-old retiree with cancer -- didn't cooperate, Agent
    White would freeze his bank account and pursue criminal charges. ...

    How my dad got scammed for $3,000 worth of gift cards

    ------------------------------

    Date: Sun, 5 Jul 2020 01:14:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Japanese startup creates 'connected' face mask for coronavirus new
    normal (Reuters)

    As face coverings become the norm amid the coronavirus pandemic, Japanese
    startup Donut Robotics has developed an Internet-connected `smart mask' that
    can transmit messages and translate from Japanese into eight other
    languages.

    The white plastic `c-mask' fits over standard face masks and connects via
    Bluetooth to a smartphone and tablet application that can transcribe speech
    into text messages, make calls, or amplify the mask wearer's voice.

    ``We worked hard for years to develop a robot and we have used that
    technology to create a product that responds to how the coronavirus has
    reshaped society,'' said Taisuke Ono, the chief executive of Donut
    Robotics. [...]

    Japanese startup creates 'connected' face mask for coronavirus new normal

    ------------------------------

    Date: Sun, 5 Jul 2020 01:15:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: What we need is social-media distancing (Spectator)

    Social media brings out the worst in us because the algorithm rewards us
    for being tribal, divisive and emotional

    Nearly three months into lockdown, 40 million Americans were unemployed.
    Kids lost out on three months of schooling. Businesses shuttered, many never
    to open again. Mental health suffered. People lost their homes. Tens of
    thousands died alone in hospitals, family members were prevented from
    holding the hands of their loved ones in their final days, and in many cases
    they weren't allowed to bury them or hold a funeral.

    Parents struggled to balance distance learning and work. Teachers worried
    that their most vulnerable students weren't logging in to class. People
    couldn't receive medical treatment or attend birthdays and graduations.

    But humans are creative, resilient creatures, and it didn't take long before
    we adjusted to living online. Necessity forced ingenuity. AA meetings,
    fitness classes, happy hours and business meetings all pivoted to Zoom. We
    started group chats with family members and college friends to stay
    connected. Mostly, we shared memes.

    We posted pictures of the dog we adopted, or the sourdough we attempted to
    make, or the projects in our houses we'd been putting off forever that we
    finally got to finish, just to try to stay optimistic. There were silver
    linings, too. Much ink was spilled about learning to slow down, finding joy
    in being home with the family. All that time commuting -- was it worth it?
    Who did we value -- and why? Instead of honoring celebrities, athletes and
    musicians, we applauded nurses, doctors, truck drivers and grocery-store
    cashiers. We smiled at each other with our eyes as we stood six feet apart
    in lines. A feeling of solidarity and grit in the face of a common hardship
    pervaded, for a brief moment.

    Pundits wondered, naively, Did COVID-19 kill the culture wars? [...]
    What we need is social media distancing | Spectator USA

    ------------------------------

    Date: Tue, 7 Jul 2020 01:15:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Early Covid-19 tracking apps easy prey for hackers, and it might
    get worse before it gets better (Jumbo Privacy)

    The apps could prove vital to curtailing the virus's spread as states
    reopen, but security fears may make them unpopular with users.

    The push to use smartphone apps to track the spread of coronavirus is
    creating a potential jackpot for hackers worldwide -- and the U.S. offers a
    fat loosely defended target.

    In the Qatar Covid-19 app, researchers found a vulnerability that would've
    let hackers obtain more than a million people's national ID numbers and
    health status. In India's app, a researcher discovered a security gap that
    allowed him to determine who was sick in individual homes. And researchers
    uncovered seven security flaws in a pilot app in the U.K.

    The U.S. is just starting to use these contact tracing apps -- which track
    who an infected person may have had contact with -- but at least one app has
    already experienced a data leak. North Dakota conceded in May that its
    smartphone app, Care19, had been sending users' location data to the
    digital marketing service Foursquare. The issue has since been fixed,
    *according to the privacy app developer* that discovered the leak.

    <Care19 Update: Foursquare allows developers to disable IDFA collection>

    To date, the public debate about whether to use contact tracing apps -- a
    potentially crucial strategy for reopening economies during the pandemic --
    *has centered mostly on* what data to collect and who should have access to
    it, but cybersecurity insiders say the apps are also highly vulnerable to
    attacks that could expose data ranging from user names to location data.
    <https://www.politico.com/news/2020/06/10/google-and-apples-rules-for-virus-tracking-apps-sow-division-among-states-312199>

    And the U.S. has its own unique vulnerabilities: a fragmented collection of
    apps, tiny state cybersecurity budgets and stalled legislation in Congress
    that makes federal government rules unlikely anytime soon. [...]
    https://www.politico.com/news/2020/07/06/coronavirus-tracking-app-hacking-348601

    ------------------------------

    Date: Sun, 05 Jul 2020 07:56:52 -0600
    From: "Keith Medcalf" <kmed...@dessus.com>
    Subject: Re: Breaking HTTPS in the IoT: Practical Attacks For Reverse
    Engineers (RISKS-32.07)

    > For instance, the use of insecure communications (e.g., unencrypted HTTP),
    > is now only found in a minority of Bishop Fox client product assessments,
    > which gives a somewhat positive (and admittedly biased) picture of IoT
    > security trends.

    HTTPS is *not* a security protocol. It is a *privacy* protocol. It has
    absolutely ZERO impact on security, which is quite a different thing
    entirely than privacy. Simply wrapping a security vulnerability inside
    *private* transport does absolutely nothing for security.

    ------------------------------
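
    The point above, that the application-layer check is what decides whether a
    request is honoured, as an added example that is not part of Keith Medcalf's
    message or of the Bishop Fox post: a toy IoT control endpoint in Python, with
    `Request`, `vulnerable_handler`, `hardened_handler`, `demo` and the token
    value all constructed for this illustration. The handlers never consult the
    `over_tls` flag, so the unauthenticated handler changes the relay state
    whether the request arrived over HTTP or HTTPS, and the token-checking one
    refuses it either way.

```python
# Added illustration: a toy IoT control endpoint seen from the application
# layer.  Request, the handlers, demo() and TOKEN are constructed for this
# example; none of it is code from the RISKS item or from Bishop Fox.
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Request:
    """One parsed request as the handler receives it (constructed)."""
    path: str
    body: str
    headers: Dict[str, str] = field(default_factory=dict)
    over_tls: bool = False  # recorded by the transport; the handlers never read it


def make_state() -> Dict[str, str]:
    """Fresh device state for each run."""
    return {"relay": "off"}


def vulnerable_handler(req: Request, state: Dict[str, str]) -> Tuple[int, str]:
    """Acts on any /relay request without checking who sent it.
    Encrypting the channel hides the request from observers on the path,
    but the endpoint still obeys whoever can reach it."""
    if req.path == "/relay" and req.body in ("on", "off"):
        state["relay"] = req.body
        return 200, "relay " + req.body
    return 404, "not found"


def hardened_handler(req: Request, state: Dict[str, str],
                     expected_token: str) -> Tuple[int, str]:
    """Same endpoint, but a bearer token must be presented before the state
    changes.  hmac.compare_digest keeps the comparison constant-time."""
    auth = req.headers.get("Authorization", "")
    presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return 401, "unauthorized"
    if req.path == "/relay" and req.body in ("on", "off"):
        state["relay"] = req.body
        return 200, "relay " + req.body
    return 404, "not found"


TOKEN = "constructed-device-token"  # placeholder secret for the demo only


def demo() -> Dict[Tuple[str, bool], Tuple[int, str]]:
    """Sends the same unauthenticated 'relay on' request over plain HTTP and
    over TLS to each handler.  Returns {(handler, over_tls): (status, relay)}."""
    results = {}
    for tls in (False, True):
        unauth = Request(path="/relay", body="on", over_tls=tls)
        state = make_state()
        code, _ = vulnerable_handler(unauth, state)
        results[("vulnerable", tls)] = (code, state["relay"])
        state = make_state()
        code, _ = hardened_handler(unauth, state, TOKEN)
        results[("hardened", tls)] = (code, state["relay"])
    return results


if __name__ == "__main__":
    for (handler, tls), (code, relay) in sorted(demo().items()):
        print(f"{handler:10s} over {'HTTPS' if tls else 'HTTP '}: {code} relay={relay}")
```

    Run it directly to print the four outcomes. One thing the handler itself
    cannot cover: the bearer token is a secret, so if it travels over plain HTTP
    it is readable by anyone on the path. Channel confidentiality and the
    endpoint's own authorisation check each address a different failure, and a
    device needs both.

    ------------------------------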

    Date: Sat, 4 Jul 2020 01:13:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Re: Jane Goodall on conservation, climate change and COVID-19

    "If we carry on with business as usual, we're going to destroy ourselves"

    While COVID-19 and protests for racial justice have captured the world's collective
    attention, ecological destruction, species extinction and climate change
    continue unabated. While the world's been focused on other crises, an
    alarming study was released warning that species extinction is now
    progressing so fast that the consequences of "biological annihilation" may
    soon be "unimaginable."
    <With more species at risk of extinction, study warns of "biological annihilation" - CBS News>

    Dr. Jane Goodall <the Jane Goodall Institute Homepage>, the world-renowned
    conservationist, desperately wants the world to pay attention to what she
    sees as the greatest threat to humanity's existence.

    CBS News recently spoke to Goodall over a video conference call and asked
    her questions about the state of our planet. Her soft-spoken grace somehow
    helped cushion what was otherwise extremely sobering news: "I just know that
    if we carry on with business as usual, we're going to destroy ourselves. It
    would be the end of us, as well as life on Earth as we know it," warned
    Goodall. [...]

    Jane Goodall on conservation, climate change and COVID-19: "If we carry on with business as usual, we're going to destroy ourselves"

    ------------------------------

    Date: Sat, Jul 4, 2020 at 6:27 AM
    From: Dennis Allison <dennis...@gmail.com>
    Subject: Re: Jane Goodall on conservation, climate change and COVID-19
    (RISKS-32.07)

    > "If we carry on with business as usual, we're going to destroy ourselves"

    Geoff, anyone tracking the posts you've made knows that Jane Goodall has
    gotten her tense wrong; we are already extinct. We might be able to save
    ourselves from extinction were we to mount a cooperative global effort to
    mitigate the impacts that are going to occur no matter what we do. The
    likelihood of that is about the same as a snowball's chance of survival in
    the Antarctic where temperatures reached 65 degrees Fahrenheit.

    ------------------------------

    Date: Sat, 4 Jul 2020 12:03:03 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: A Doctor Confronts Medical Errors (RISKS-32.07)

    Every documentary I've ever watched about a rare disease or medical
    condition, always repeats the same story: A patient develops some symptoms,
    doctors diagnose it as some common condition, treatment is not effective.
    It might take a long time -- sometimes years -- for one curious doctor to
    realize it's a rare condition, and try to analyze it correctly.

    It seems that doctors use analysis algorithms that always come up pointing
    to a common condition -- which may be correct in a large majority of cases,
    but is never "this may be a rare case, further investigation is needed".

    Such methods may be understandable when working under constant pressure and
    diminishing budgets, but doctors now employ computerized systems, which can
    present them with a greater variety of options -- but do not. It seems that
    the same old algorithms had just been computerized with no added
    sophistication. AI systems wouldn't help either, if they are trained using
    data which is generated by the old methods.

    ------------------------------

    Date: Sat, 4 Jul 2020 21:30:21 -0400
    From: Bill Matthews <yellow....@gmail.com>
    Subject: Re: Smells Fishy? The Fish That Prevent Iran From Hacking
    Israel's Water System (RISKS-32.06)

    What kind of fish is it that can live in chlorinated water?

    When our local potable water supplier intends to change the level of
    chlorination or the kind of chlorinating-chemical in our water, it's
    advertised in the local paper prior to their making the change. It's
    advertised prior to the event so that aquarists can appropriately adapt to
    the change in chlorination.

    ------------------------------

    Date: Sat, 4 Jul 2020 01:10:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Quote of The Day

    Calvin Coolidge, 150th Anniversary of the Declaration of Independence:

    "We live in an age of science and of abounding accumulation of material
    things. These did not create our Declaration. Our Declaration created
    them."

    HILL: President Calvin Coolidge on the 150th Anniversary of the Declaration of Independence, July 5, 1926

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.08
    ************************
     
    Last edited by a moderator: Jul 8, 2020 at 12:41 PM