RISKS Forum mailing list archives
Risks Digest 30.78
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 1 Aug 2018 17:12:36 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 1 August 2018  Volume 30 : Issue 78

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.78>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Facebook says it has uncovered a coordinated disinformation operation ahead
  of the 2018 midterm elections (WashPo)
How Silicon Valley Became a Den of Spies (Zach Dorfman)
Amazon Face Recognition Falsely Matches 28 Lawmakers With Mugshots, ACLU Says
  (Sam Levin)
Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security
  (SSRN)
The robot chemist that does its own research (bbc.com)
How a Hacker Allegedly Stole Millions by Hijacking Phone Numbers (Motherboard)
How Cryptojacking Can Corrupt the Internet of Things (Scientific American)
Cyberinsurance (Rob Slade)
Vaginal Laser Treatments Can Cause Burns and Scarring, the FDA Says
  (New York Times)
Federal judge blocks posting of blueprints for 3-D printed guns hours before
  they were to be published. (WashPo)
Re: "I hacked your webcam and have naughty videos of you" scam
  (Jose Maria Mateos)
Re: The Ordinary License Plate's Days May Be Numbered (Amos Shapir)
Re: Robo-calls are getting worse. (Chris Drewe)
I did not say that (Dimitri Maziuk)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 31 Jul 2018 10:07:47 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook says it has uncovered a coordinated disinformation operation
  ahead of the 2018 midterm elections (WashPo)

https://www.washingtonpost.com/technology/2018/07/31/facebook-says-it-has-uncovered-coordinated-disinformation-operation-ahead-midterm-elections/

Facebook said Tuesday that it had discovered a sophisticated coordinated
disinformation operation on its platform involving 32 false pages and
profiles engaging in divisive messaging ahead of the U.S. midterm elections.
The social media company said that it couldn't tie the activity to Russia,
which interfered on its platform around the 2016 presidential election. But
Facebook said the profiles shared a pattern of behavior with the previous
Russian disinformation campaign, which was led by a group with Kremlin ties
called the Internet Research Agency.

------------------------------

Date: Mon, 30 Jul 2018 13:03:52 -0700
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: How Silicon Valley Became a Den of Spies (Zach Dorfman)

Zach Dorfman, Politico, 27 Jul 2018
The West Coast is a growing target of foreign espionage. And it's not ready
to fight back.

https://www.politico.com/magazine/story/2018/07/27/silicon-valley-spies-china-russia-219071

------------------------------

Date: Wed, 1 Aug 2018 11:47:23 -0400
From: ACM TechNews <technews-editor () acm org>
Subject: Amazon Face Recognition Falsely Matches 28 Lawmakers With Mugshots,
  ACLU Says (Sam Levin)

Sam Levin, *The Guardian*, 26 July 2018, via ACM TechNews, 1 Aug 2018

A test of Amazon's facial recognition software incorrectly matched the faces
of 28 U.S. legislators to images in a mugshot database, with people of color
misidentified disproportionately, according to the American Civil Liberties
Union (ACLU). The organization assembled a face database and search tool from
25,000 public arrest photos, then cross-referenced that data with public
photos of every member of Congress. Eleven of the misidentified lawmakers were
people of color, representing nearly 40% of those wrongly matched, even though
minorities comprise only 20% of those in Congress. Says the ACLU Foundation
of Northern California's Jacob Snow, "Our test reinforces that face
surveillance is not safe for government use." Amazon said the test's results
could "probably be improved" by increasing "confidence thresholds."

http://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1c33ax21689cx072376%26

  [Lillie Coney reported:
    Amazon's facial-recognition tool misidentified 28 lawmakers as people
    arrested for a crime, study finds
  https://www.washingtonpost.com/amphtm/technology/2018/07/26/amazons-facial-recognition-tool-misidentified-lawmakers-people-arrested-crime-study-finds/
  PGN]

------------------------------

Date: Tue, 31 Jul 2018 13:01:16 -0400
From: Jose Maria Mateos <chema () rinzewind org>
Subject: Deep Fakes: A Looming Challenge for Privacy, Democracy, and National
  Security (SSRN)

Robert Chesney and Danielle Keats Citron (SSRN)
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=3213954

"Harmful lies are nothing new. But the ability to distort reality has taken
an exponential leap forward with *deep fake* technology. This capability
makes it possible to create audio and video of real people saying and doing
things they never said or did. Machine learning techniques are escalating the
technology's sophistication, making deep fakes ever more realistic and
increasingly resistant to detection. Deep-fake technology has characteristics
that enable rapid and widespread diffusion, putting it into the hands of both
sophisticated and unsophisticated actors."

Academic paper, very in-depth exploration of the underlying issues.

------------------------------

Date: Wed, 01 Aug 2018 17:23:56 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: The robot chemist that does its own research (bbc.com)

https://www.bbc.co.uk/news/uk-scotland-44872432

"When the robot had been trained for about 10% of all the tasks, it then was
able to predict, without the human being, which experiments it should do next.

"Writing in the journal Nature, Prof Cronin's team say the robot has already
synthesised more than 1,000 new chemicals and reactions, including one with a
distinctive 3D structure that is among the top 1% most "peculiar" molecules
yet known.

"The team says the robot's predictions have so far proved 80% accurate. It'll
learn to do better."

Wonder if the chembot can determine if a hypergolic reaction will arise, and
safely abort?

  [hyperbolic? hyperlogic? hypergolem? PGN]

------------------------------

Date: Mon, 30 Jul 2018 11:16:51 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: How a Hacker Allegedly Stole Millions by Hijacking Phone Numbers
  (Motherboard)

via NNSquad
https://motherboard.vice.com/en_us/article/a3q7mz/hacker-allegedly-stole-millions-bitcoin-sim-swapping

California authorities say a 20-year-old college student hijacked more than
40 phone numbers and stole $5 million, including some from cryptocurrency
investors at a blockchain conference Consensus.

------------------------------

Date: Tue, 31 Jul 2018 22:45:04 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: How Cryptojacking Can Corrupt the Internet of Things
  (Scientific American)

IoT devices hijacked for crypto-currency mining purposes.

https://www.scientificamerican.com/article/how-cryptojacking-can-corrupt-the-internet-of-things/

------------------------------

Date: Tue, 31 Jul 2018 16:57:32 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Cyberinsurance

Still need convincing that cyberinsurance (computer loss insurance, data
breach insurance, whatever) is a bad idea? Talk to National Bank of
Blacksburg.

https://slate.com/technology/2018/07/cyberinsurance-company-refuses-to-pay-out-full-amount-to-bank-after-hacking.html
or https://is.gd/PTbH3F

Executives had had the foresight to purchase insurance, actually a rider,
against computer and electronic crime. The bank had two breaches, one in
2016, and one again the following year, for a total loss of 2.4 million
dollars. The insurer, Everest National Insurance Co., offered $50,000 as
settlement.

The insurer claims that the loss was a debit card loss, even though malware
was installed on a bank server via a phishing attack. ATMs and cards were
used, but only a lawyer could make that kind of claim. That's why insurance
companies employ lots of lawyers.

If you read the details of the article, it sounds very likely that the
insurer will win and the bank will lose. I'm unsurprised: this kind of
weaseling by insurance companies is exactly the type of thing I've been
thinking in regard to cyberinsurance since I first heard of the idea thirty
years ago.

------------------------------

Date: Tue, 31 Jul 2018 12:14:08 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: Vaginal Laser Treatments Can Cause Burns and Scarring, the FDA Says
  (New York Times)

https://www.nytimes.com/2018/07/30/health/vaginal-laser-fda.html

"The F.D.A. said the full extent of the risks is unknown, but that the agency
has found cases of vaginal burns, scarring, and lasting pain following the
treatments. The agency has received 14 reports of adverse events related to
the treatments, including burning sensations and significant pain."

Off-label use of an infra-red laser (probably CO2) for cosmetic surgery. Not
a "Therac-25," but a nasty 3rd-degree burn can arise if the dosage editor
malfunctions, or if treatment is improperly administered.

------------------------------

Date: Tue, 31 Jul 2018 22:41:24 -0400
From: Monty Solomon <monty () roscom com>
Subject: Federal judge blocks posting of blueprints for 3-D printed guns hours
  before they were to be published. (WashPo)

U.S. District Judge Robert Lasnik in Seattle issued the order Tuesday.
Several state attorneys general on Monday filed a lawsuit in the Western
District of Washington against Defense Distributed, the Second Amendment
Foundation, the State Department and other federal agencies regulating
weapons. The filing requested a nationwide injunction. [...]

https://www.washingtonpost.com/news/morning-mix/wp/2018/07/31/in-last-minute-lawsuit-states-say-3-d-printable-guns-pose-national-security-threat/

------------------------------

Date: Mon, 30 Jul 2018 17:48:42 -0400
From: Jose Maria Mateos <chema () rinzewind org>
Subject: Re: "I hacked your webcam and have naughty videos of you" scam

The blackmailing scam consisting of hacking a user's webcam while he or she
is involved in interacting with pornographic material and threatening with
the publication of the recordings unless a payment is made has not only been
reported in the past ([1, 2]) but has inspired some recent fiction works
(Black Mirror - "Shut up and dance"). We have also seen the next iteration of
this scam, in which, while no recording is available, the attacker tries to
fool the victim by offering a recognizable password, and implying that a
hacking operation took place ([3]).

I wonder if we are yet to see another step further: from having the
recording, to pretending to have the recording, to be able to fool the
victim's contacts and make *them* believe a recording is available. I can
only expect this to happen as the skills and technologies for this attack
become readily available at a scale:

1. Find victim.
2. Obtain pictures and videos from the public Facebook database.
3. Generate a *deepfakes* video of the kind mentioned above.
4. Proceed with the blackmailing scam as before, now armed with a recording
   that, while not legit, might look as such to third parties.

[1] https://www.computerweekly.com/news/2240209018/US-teen-hacker-pleads-guilty-to-webcam-blackmail
[2] https://arstechnica.com/tech-policy/2016/11/webcam-blackmail-cases-double-uk-suicides/
[3] https://www.schneier.com/blog/archives/2018/07/reasonably_clev.html

------------------------------

Date: Tue, 31 Jul 2018 18:09:53 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: The Ordinary License Plate's Days May Be Numbered (RISKS-30.77)

"When the vehicle is parked, businesses can display advertisements on the
plate, even targeting a vehicle's particular location because the plate is
connected to GPS."

Let me get that right: This device enables third parties (possibly without
the owner's control) to change the car's license plate -- which is
essentially its legal identity! If you thought license-plate readers were a
problem, how about remote license-plate writers? (Beside GPS tracking, which
is a rather old issue by now)

This is not a matter of "What could possibly go wrong" any more; everything
just did!

------------------------------

Date: Wed, 01 Aug 2018 22:27:15 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: Robo-calls are getting worse. (Jeff Jonas, R 30 76)

About 5-10 years ago I was deluged by annoying junk telephone calls, so did
what a lot of people do and got a simple answering machine and let this take
all calls. If I want to speak to the caller I pick up the phone, and if not,
I don't; my regular callers know this. It's also handy for taking messages if
I can't get to the phone.

:o) I have to declare an interest here as I used to work in telecomms, so
those **** are at least paying for their calls answered by my machine and
thus helping to support my previous employer's pension fund...

Strangely, the number of calls has greatly reduced in recent years; I don't
know if this is due to stricter regulations nowadays (junk callers have to
maintain opt-in lists), or if it's just a symptom of landline phones no
longer being considered as mainstream communications.

------------------------------

Date: Mon, 30 Jul 2018 15:19:01 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: I did not say that (Re: Fenichel, RISKS-30.77)

  Dmitri Maziuk says "I'm not quite sure what makes med AI coders so
  different" from medical researchers,

No, I didn't. I never said that and I would like this and every subsequent
RISKS issue referencing that thread to prominently feature the phrase
'Dmitri Maziuk never said "I'm not quite sure what makes med AI coders so
different from medical researchers".' Because while I have said and done
plenty of seriously dumb things in my life, this one is way too idiotic even
for me.

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks have done to URLs.
  I have tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.78
************************