RISKS Forum mailing list archives
Risks Digest 30.92
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 21 Nov 2018 21:20:30 PST
RISKS-LIST: Risks-Forum Digest  Wednesday 21 October 2018  Volume 30 : Issue 92
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.92>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents: [I was badly backlogged from lack of RISKS time. PGN]
Commentary on Florida Election Recounts (Rebecca Mercuri)
670 ballots in a precinct with 276 voters, and other tales from Georgia's primary (MSN)
Voting Machine Manual Instructed Election Officials to Use Weak Passwords (Kim Zetter)
Electionland/ProPublica had a lovely collection of election problems already in the wee hours of election evening.
At Doomed Flight's Helm, Pilots May Have Been Overwhelmed in Seconds (NYTimes)
Boeing issues warning on potential instrument malfunction after Indonesia crash (WashPost)
A Runaway Train Traveled 57 Miles Through Australia's Outback (WiReD)
Rules of the Road Evade Driverless Cars (WashPost)
Siri Shortcuts can now be used with the VW Car-Net app to remotely control a vehicle (AppleInsider)
Russia suspected of jamming GPS signal in Finland (BBC)
Why Google Internet Traffic Rerouted Through China and Russia (WiReD)
Operation Infektion (The New York Times)
GPS week field roll-over (David Magda)
System error: Japan cybersecurity minister admits he has never used a computer (TheGuardian.com)
Tech CEOs Are in Love With Their Principal Doomsayer (Nellie Bowles)
"IoT botnet infects 100,000 routers to send Hotmail, Outlook, and Yahoo spam" (Gene Wirchenko)
Buffer Overflows and Spectre (Henry Baker)
Police decrypt 258,000 messages after breaking pricey IronChat crypto app (Ars Technica)
Guns, drones, and surveillance equipment: Big Brother steps out in Tel Aviv (The Times of Israel)
The House That Spied on me (Gizmodo)
A DJI Bug Exposed Drone Photos and User Data (WiReD)
Fake fingerprints can imitate real ones in biometric systems (The Guardian)
Public Attitudes Toward Computer Algorithms (Pew Research Center)
Guarding Against Backdoors and Malicious Hardware (Security Boulevard)
U.S. Declines to Sign Declaration Discouraging Use of Cyberattacks (NYTimes)
'The Cleaners' Looks At Who Cleans Up The Internet's Toxic Content (npr.org)
HealthCare.gov breach compromised applicants' financial, immigration data (Washington Times)
Apple IDs locked for unknown reasons for a number of iPhone users (Apple Insider)
Debate in Germany over allowing Chinese to bid on 5G (Taipei Times)
Bug bounty (Fortune)
A thing to worry about: sleep study (Tom Van Vleck)
A robot scientist will dream up new materials to advance computing and fight pollution (MIT Technology Review)
AI News Anchor Makes Debut In China (npr.org)
3 Crazy Excel Formulas That Do Amazing Things (MakeUseOf)
Dementia risk: Five-minute scan 'can predict cognitive decline' (bbc.com)
MAS issues principles to guide use of AI, data analytics in finance (The Straits Times)
Awful AI is a curated list to track current scary usages of AI -- hoping to raise awareness (David Dao)
Google accused of 'trust demolition' over health app (BBC)
AI Could Make Cyberattacks More Dangerous, Harder to Detect (WSJ)
AmazonBasics Microwave Review: It's a Little Undercooked (WiReD)
Elon Musk's SpaceX wins FCC approval to put Starlink Internet satellites into orbit (WashPost)
Customer Complains About Tesla Forums, Tesla Accidentally Gives Him Control Over Them (Motherboard)
Google had a secret bug (WashPost)
For the first time, researchers say Facebook can cause depression (Brett Arends)
Mozilla - *privacy not included (Gabe Goldberg)
The digital epidemic killing Indians (bbc.com)
Police: Woman remotely wipes phone in evidence after shooting (The Daily Gazette)
He Helped People Cheat at Grand Theft Auto. Then His Home Was Raided. (NYTimes)
MoneyGram agrees to pay $125 million for failing to crack down on fraudulent money transfers (WashPost)
Report: Could Your Online Behavior Affect What You Pay for Car Insurance? (San Antonio Business Journal)
Couple, homeless man in viral GoFundMe charged (BostonGlobe)
The Dating Brokers (TacticalTech)
Osaka woman terrifyingly attacked by intruder while playing video games in her home late at night (Sora News)
Re: EMV card fraud statistics (David Alexander)
Re: Ethics of whom to kill (Arthur T.)
Re: Tesla (Wol)
Re: Credit Card Chips Have Failed to Halt Fraud, Survey Shows (Phil Smith III)
Re: Risks in Using Social Media to Spot Signs of Mental Distress (Richard Stein)
Book review: You'll see this message when it is too late, by Josephine Wolff (Web Informant)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 15 Nov 2018 11:19:02 -0500
From: Rebecca Mercuri <notable () mindspring com>
Subject: Commentary on Florida Election Recounts

BREAKING NEWS

This article features my thoughts on the recent Florida Election recounts:
https://www.weeklystandard.com/alice-b-lloyd/who-needs-hackers-when-you-have-human-error

This is actually the *third* time where ballot layouts in certain Florida counties may have confused voters. Here's a detailed report about the 1988 election which led NIST (then NBS) researcher Roy Saltman to recommend against the use of the "butterfly ballot" that was (later) front-and-center in 2000.
http://aliciapatterson.org/stories/tale-weird-drop-offs-and-jump-ups-are-computer-vote-counts-honest

Different scanners now, no hanging chad, but a similar problem. Coincidence? I think not. Those who fail to learn from the past....

Rebecca Mercuri.
------------------------------

Date: Thu, 8 Nov 2018 18:06:46 -0500
From: Andrew Douglass <andr3wdouglass () gmail com>
Subject: 670 ballots in a precinct with 276 voters, and other tales from Georgia's primary (MSN)

https://www.msn.com/en-us/news/politics/670-ballots-in-a-precinct-with-276-voters-and-other-tales-from-georgias-primary/ar-BBLBUA4

WASHINGTON - Habersham County's Mud Creek precinct in northeastern Georgia had 276 registered voters ahead of the state's primary elections in May. But 670 ballots were cast, according to the Georgia secretary of state's office, indicating a 243 percent turnout. Georgia is one of four states that uses voting machines statewide that produce no paper record for voters to verify, making them difficult to audit, experts say.

Difficult indeed. Coincidentally (we hope), 83% of the county vote was for the outgoing secretary of state Kemp. It really only takes one story like this to prove the larger proposition that unauditable electronic voting machines are a menace to democracy. Only obvious errors like this bubble to the surface; who knows what goes on in other cases?

------------------------------

Date: Tue, 6 Nov 2018 14:37:25 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Voting Machine Manual Instructed Election Officials to Use Weak Passwords (Kim Zetter)

Kim Zetter, Motherboard, 5 Nov 2018
<https://motherboard.vice.com/en_us/contributor/kim-zetter>

Voting Machine Manual Instructed Election Officials to Use Weak Passwords

A vendor manual for voting machines used in about ten states shows the vendor instructed customers to use trivial easy-to-crack passwords and to re-use the passwords when changing log-in credentials.

States and counties have had two years since the 2016 presidential election to educate themselves about security best practices and to fix security vulnerabilities in their election systems and processes. But despite widespread concerns about election interference from state-sponsored hackers in Russia and elsewhere, apparently not everyone received the memo about security, or read it.

An election security expert who has done risk-assessments in several states since 2016 recently found a reference manual that appears to have been created by one voting machine vendor for county election officials and that lists critical usernames and passwords for the vendor's tabulation system. The passwords, including a system administrator and root password, are trivial and easy to crack, including one composed from the vendor's name. And although the document indicates that customers will be prompted periodically by the system to change the passwords, the document instructs customers to re-use passwords in some cases -- alternating between two of them -- and in other cases to simply change a number appended to the end of some passwords to change them.

https://motherboard.vice.com/en_us/article/kzvejx/voting-machine-manual-instructed-election-officials-to-use-weak-passwords

------------------------------

Date: Wed, 7 Nov 2018 3:47:43 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Electionland/ProPublica had a lovely collection of election problems already in the wee hours of election evening.

https://www.propublica.org/electionland/

Probably lots more to report as well.

------------------------------

Date: Fri, 9 Nov 2018 10:15:09 -0500
From: Monty Solomon <monty () roscom com>
Subject: At Doomed Flight's Helm, Pilots May Have Been Overwhelmed in Seconds (NYTimes)

https://www.nytimes.com/2018/11/08/world/asia/indonesia-plane-crash-last-moments.html

As American and Indonesian investigators puzzle through clues of troubles that befell Flight 610, they are finding not a single lapse but a cascade of issues.
------------------------------

Date: Wed, 7 Nov 2018 08:00:58 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Boeing issues warning on potential instrument malfunction after Indonesia crash (WashPost)

https://www.washingtonpost.com/world/asia_pacific/boeing-issues-warning-on-potential-instrument-malfunction-after-indonesia-crash/2018/11/07/b43168b6-e265-11e8-a1c9-6afe99dddd92_story.html

Airplane manufacturer Boeing said Wednesday that it has issued a bulletin to airlines worldwide warning of erroneous readings from flight-control software on its planes, after an almost-new Lion Air jetliner crashed into the sea soon after takeoff, killing the 189 people on board.

Boeing, which is assisting in an investigation into what went wrong in the Oct. 29 crash of one of its new 737 Max 8 jets, said in a statement that it issued the bulletin Tuesday as "part of its usual process."

------------------------------

Date: Wed, 7 Nov 2018 18:54:51 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: A Runaway Train Traveled 57 Miles Through Australia's Outback (WiReD)

Most things don't happen the way they do in the movies. Changes are less sudden, incidents less surprising, humans less attractive. But when a runaway train tore through the Australian outback, the action sequence that followed seems to have come right out of a Tony Scott flick.

The whole mess started when the engineer stopped the 268-car, four-locomotive train and hopped out to inspect one of the cars, according to the Australian Transport Safety Board. While he was on the ground (presumably distracted by giant spiders and roving kangaroos), the train pulled away with nobody on board. Loaded down with iron ore, it was soon hitting 68 mph. The train, operated by metals, mining, and petroleum giant BHP, covered a remarkable 57 miles before the company stopped it--by flinging it off the tracks. Nobody was hurt, though the investigators, who are working to determine why the train pulled away in the first place, rated the damage to the equipment as `substantial'. ...

Here's one spot of good news: The technology to prevent an extended runaway train incident like this one already exists. Positive Train Control systems use train- and rail-mounted GPS and sensors to track locomotive movement and alert conductors and dispatchers to imminent derailments or collisions. If humans don't react to the warnings, the systems are designed to automatically brake trains before something terrible goes down. Congressional legislation demanded that America's rail operators implement Positive Train Control by 2015, but the Department of Transportation extended the deadline to December 2018 after many struggled to deploy the technology in time. According to the DOT's Positive Train Control dashboard, just 18 of 40 railroads had PTC implemented on all their locomotives by July of this year.

https://www.wired.com/story/australia-runaway-train-derailment/

------------------------------

Date: Tue, 13 Nov 2018 13:07:55 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Rules of the Road Evade Driverless Cars (WashPost)

https://www.washingtonpost.com/business/rules-of-the-road-evade-driverless-cars/2018/11/09/1e1475a0-e484-11e8-ba30-a7ded04d8fac_story.html

"Ghosn also acknowledged a big barrier to innovation: regulations and clearing any obstacles they raise before mass-marketing. This is more than just a caveat. Legal questions from traffic rules to liability in an accident ultimately will determine whether consumers -- be they big corporations or individuals -- decide if they can live with driverless cars, or can't live without them."

"Removing the driver reduces a company's cost of goods by as much as 90 percent, he said."

Risk: Cross-border compliance with traffic rules complicates AV deployment and elevates safety underachievement potential without a binding international treaty. Especially critical for freight delivery services. Unwise to rely on GPS signal to automatically determine AV navigation/driving rule localization enforcement especially near an international border.

------------------------------

Date: Tue, 13 Nov 2018 16:32:36 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Siri Shortcuts can now be used with the VW Car-Net app to remotely control a vehicle (AppleInsider)

Volkswagen has updated its Car-Net mobile app with deeper Siri integration to allow drivers to perform specific tasks remotely from their vehicle, enabling users to lock or unlock their car from far away just by asking Apple's digital assistant on an iPhone.

Announced on Monday, iPhones and iPads running iOS 12 can start to use Siri with the Car-Net <http://www.vw.com/carnet> app to control their vehicle. Once set up with the app, Siri can be used to change whether or not the car is locked, and to check the estimated mileage remaining for fuel, or for electric vehicles, how much charge is remaining. If the driver has forgotten where the car is located in a parking lot, they can also ask Siri to flash or honk the car's horn so it can be more easily found.

There are also several shortcuts that can be enabled in Siri with personalized phrases, including commands to start or stop charging, to defrost the windows, to set the climate control temperature, and a "where is my car?" query.

https://appleinsider.com/articles/18/11/12/siri-shortcuts-can-now-be-used-with-the-vw-car-net-app-to-remotely-control-a-vehicle

Hmm. What could go wrong with remote access to cars? I wonder how it's secured...
------------------------------

Date: Wed, 14 Nov 2018 05:04:20 -0800
From: Paul Saffo <paul () saffo com>
Subject: Russia suspected of jamming GPS signal in Finland (BBC)

BBC, 12 Nov 2018
https://www.bbc.com/news/technology-27662580

Finnish Prime Minister Juha Sipila has said the GPS signal in his country's northern airspace was disrupted during recent NATO war games in Scandinavia. He said he believed the signal had been jammed deliberately and that it was possible Russia was to blame because it had the means to do so.

Finland is not a NATO member but joined the war games which began last month. Norway also reported GPS problems during the exercises near Russia's north-western borders.

``It is difficult to say what the reasons could be but there are reasons to believe it could be related to military exercise activities outside Norway's borders,'' Wenche Olsen, director of the Civil Aviation Authority of Norway, told the *Barents Observer* earlier this month.

Russia is also suspected of jamming the GPS signal in Norway's border area last year when it held its own war games. Relations between NATO and Russia have been strained since Russia annexed Crimea from Ukraine in 2014.

How serious was the disruption?

The Finnish region of Lapland and northern parts of Norway close to the Russian border were affected, with the Norwegian regional airline Widerøe confirming its pilots had experienced GPS disruption, Germany's DW news site reports. However, the airline pointed out that pilots aboard civilian aircraft had other options when a GPS signal failed.

``This is not a joke, it threatened the air security of ordinary people,'' said Mr Sipila, who is himself an experienced pilot. ``It is possible that Russia has been the disrupting party in this. Russia is known to possess such capabilities.''

How could Russia block the signal?

GPS is a global navigation system originally devised by the US military which works by sending signals from satellites above the Earth back down to receivers.

"Technology-wise, it's relatively easy to disturb a radio signal, and it's possible that Russia was behind it," Mr Sipila was quoted as saying.

Russia's electronic warfare capability has impressed many NATO commanders, the BBC's Jonathan Marcus wrote last year. The country has its own, lesser-known global navigation system, called Glonass.

Why were the wargames held?

NATO'S biggest military exercise since the Cold War, code-named Trident Juncture, rehearsed how the US-led alliance would respond to the invasion of an ally. All 29 NATO members, as well as Finland and Sweden, were involved and it took place a few hundred miles from Norway's border with Russia. At one point in the exercises, a Russian maritime reconnaissance plane flew past a US warship, the USS Mount Whitney.

The exercises began on 25 October and ended last Wednesday. Just after they ended, an oil tanker collided with one of the Norwegian warships involved, in a fjord in southern Norway. The warship had been repeatedly warned of its collision course with the tanker, the BBC was told.

------------------------------

Date: Tue, 13 Nov 2018 19:59:08 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Why Google Internet Traffic Rerouted Through China and Russia (WiReD)

For two hours Monday, Internet traffic that was supposed to route through Google's Cloud Platform <https://www.wired.com/story/google-cloud-security-command-center/> instead found itself in quite unexpected places, including Russia and China. But while the haphazard routing invoked claims of traffic hijacking -- a real threat, given that nation states could use the technique to spy on web users or censor services -- the incident turned out to be a simple mistake with outsized impacts.

https://www.wired.com/story/google-internet-traffic-china-russia-rerouted/

  [Li Gong noted this:
  https://www.darkreading.com/vulnerabilities---threats/google-traffic-temporarily-rerouted-via-russia-china/d/d-id/1333257
  PGN]

------------------------------

Date: Tue, 13 Nov 2018 21:21:55 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Operation Infektion (The New York Times)

https://www.nytimes.com/video/opinion/100000006210828/russia-disinformation-fake-news.html

Informative series on disinformation campaigns (aka Active Measures == Bullsh*t), their discovery, patterns/characteristics, and mechanisms to counter them.

Note: the United States has conducted, and likely continues to conduct, disinformation campaigns internationally to achieve certain strategic and/or tactical political/policy objectives.

Interesting to note that a disinformation campaign, as conducted by Russia's GRU, follows 7 rules for deployment:

Rule 1) "Find a Crack"
Rule 2) "The Big Lie"
Rule 3) "A Kernel of Truth"
Rule 4) "Conceal your Hand"
Rule 5) "The Useful Idiot"
Rule 6) "Deny Everything"
Rule 7) "The Long Game"

Risks by the bushel: (a) uninformed electorate that believes disinformation despite factual evidence to the contrary; (b) political governance that applies similar disinformation tactics to mislead and polarize populace or is not versed in policy formulations to counteract it; (c) dissolution of democracy; (d) severing of strategic international relationships; (e) social media business profit preservation and prioritization (exploiting viral and divisive content) to subvert democratic process.

------------------------------

Date: Wed, 14 Nov 2018 11:01:15 -0500
From: David Magda <dmagda () ee ryerson ca>
Subject: GPS week field roll-over

Still a few months away, but perhaps worth knowing ahead of time: on Saturday, 6 April, 2019, 23:25 UTC, the GPS week counter field will roll over:
However, the [GPS data] field that contains the week number is a 10-bit binary number. This limits the range of the week number to 0 – 1023, or 1024 total weeks. GPS week zero started January 6, 1980. The 1024 weeks counter ran out and rolled over on August 21, 1999. The week counter then reset to zero, and it has been recounting ever since. The next time the counter will reach week 1023 and rollover to zero is on April 6, 2019. Receivers must properly interpret that week number as the correct date, not 19.7 years into the past or future. To do this, receivers use various methods to ensure that they are providing the correct date. One common method is to use the firmware date as a reference. This works well if the receiver is new or is receiving firmware updates. It is also possible for the user to modify this reference date in some receivers.
https://spectracom.com/resources/blog/lisa-perdue/2018/gps-2019-week-rollover-what-you-need-know

I was reminded of this by a recent article:
When a Pennsylvania county's 911 system suddenly went down without warning, garbled messages across the network impacted fire and police agencies' ability to respond to emergency messages. The issue was traced to a firmware malfunction on communications equipment, related to provision of GPS timing. The firmware had not been updated for 19-1/2 years. Why should it have been? Everything was working fine -- until it didn't.
https://www.gpsworld.com/prepare-today-for-timing-disruptions-tomorrow/

This roll-over last occurred in August 1999, and a few incidents were mentioned in RISKS-20.55:
https://catless.ncl.ac.uk/Risks/20/55

The world now uses GPS a lot more than it did twenty years ago, especially in embedded things.

------------------------------

Date: Thu, 15 Nov 2018 14:13:29 +0800
From: Richard Stein <rmstein () ieee org>
Subject: System error: Japan cybersecurity minister admits he has never used a computer (TheGuardian.com)

https://www.theguardian.com/world/2018/nov/15/japan-cyber-security-ministernever-used-computer-yoshitaka-sakurada

"A Japanese minister in charge of cybersecurity has provoked astonishment by admitting he has never used a computer in his professional life, and appearing confused by the concept of a USB drive."

Risk: Incurious governance oversight of a cabinet-level portfolio diminishes public health and safety readiness. A "decider" decides w/o subject matter comprehension. "Magic 8-ball" governance can be simulated.

  [Gene Wirchenko saw another item on this story
  "Japanese cybersecurity minister finds computers a mystery"
  https://www.zdnet.com/article/japanese-cybersecurity-minister-finds-computers-a-mystery/
  and noted ``Can you spot the security risk?'' PGN]

------------------------------

Date: November 12, 2018 at 1:24:45 AM GMT+9
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Tech CEOs Are in Love With Their Principal Doomsayer (Nellie Bowles)

[Note: This item comes from friend Paul Pangaro. DLH]

Nellie Bowles, *The New York Times*, 9 Nov 2018
Tech CEOs Are in Love With Their Principal Doomsayer
The futurist philosopher Yuval Noah Harari thinks Silicon Valley is an engine of dystopian ruin. So why do the digital elite adore him so?
<https://www.nytimes.com/2018/11/09/business/yuval-noah-harari-silicon-valley

  [Long item pruned for RISKS. PGN]

------------------------------

Date: Wed, 07 Nov 2018 11:36:54 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "IoT botnet infects 100,000 routers to send Hotmail, Outlook, and Yahoo spam" (Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 7 Nov 2018
https://www.zdnet.com/article/iot-botnet-infects-100000-routers-to-send-hotmail-outlook-and-yahoo-spam/
IoT botnet infects 100,000 routers to send Hotmail, Outlook, and Yahoo spam
Botnet infects routers and uses them to relay connections to webmail services.

opening text:

A new botnet made up of roughly 100,000 home routers has silently grown over the past two months. According to current evidence, the botnet's operators appear to use the infected routers to connect to webmail services and are most likely sending out massive email spam campaigns.

------------------------------

Date: Tue, 20 Nov 2018 09:19:17 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Buffer Overflows and Spectre

Spectre is no longer just an annoyance; it is a scandal bigger than Dieselgate, affecting *billions* of people.

Is it just me, or does anyone else in computer science feel a deep sense of embarrassment and betrayal?

We professionals in computer science have spent 50+ years advocating proper code hygiene in which every array reference is properly bounds-checked to avoid the dreaded *buffer overflow*, which is the source of perhaps the largest fraction of software bugs and hacking vulnerabilities. We've beaten up on computer languages such as C & C++ for their bad hygiene, and attempted to steer students towards modern languages which are *safe by design*, because they obsessively and anally check every array reference.

What has our caution, advice and conscientious programming netted us? We've been undone by our hardware vendors, whose CPU's *ignore* our *explicit instructions* (what is it about the words "instruction", "command", "order code" do these vendors not understand?) to check every array reference -- e.g., hence the Spectre bugs.

Isn't it time for a *class action lawsuit* against every CPU vendor whose *defective* and *dangerous* products exhibit Spectre vulnerabilities? This is not just *negligence*, but outright *fraud*, because these CPU's violate their own specifications and advertising -- their own instruction reference manuals!

It is as if an automobile manufacturer put a Spectre-like bug in our automobile braking systems which occasionally ignored the brake pedal because it adversely affected gas mileage. Who cares about a few "accidental" deaths here and there, if the manufacturer can claim a few percentage points additional gas mileage?

***What the CPU manufacturers have done is every bit as bad as what the auto manufacturers did to *cheat government emissions testing*! ***

------------------------------

From: Monty Solomon <monty () roscom com>
Date: Sat, 10 Nov 2018 10:44:27 -0500
Subject: Police decrypt 258,000 messages after breaking pricey IronChat crypto app (Ars Technica)

https://arstechnica.com/information-technology/2018/11/police-decrypt-258000-messages-after-breaking-pricey-ironchat-crypto-app/

------------------------------

Date: Thu, 15 Nov 2018 13:42:05 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Guns, drones, and surveillance equipment: Big Brother steps out in Tel Aviv (The Times of Israel)

Some of the technology on show at the 5th International Homeland Security and Cyber-Exhibition is positively spooky

https://www.timesofisrael.com/guns-drones-and-surveillance-equipment-big-brother-steps-out-in-tel-aviv/

------------------------------

Date: Sun, 11 Nov 2018 11:33:50 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: The House That Spied on me (Gizmodo)

[He] had the same view of Kashmir's house that her Internet Service Provider (ISP) has.

After Congress voted last year to allow ISPs to spy on and sell their customers' Internet usage data, we were all warned that the ISPs could now sell our browsing activity, or records of what we do on our computers and smartphones. But in fact, they have access to more than that. If you have any smart devices in your home -- a TV that connects to the Internet, an Echo, a Withings scale -- your ISP can see and sell information about that activity too. With my router [he] was seeing the information about Kashmir and her family that Comcast, her ISP, could monitor and sell.

https://gizmodo.com/the-house-that-spied-on-me-1822429852

------------------------------

Date: Sun, 11 Nov 2018 15:25:37 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: A DJI Bug Exposed Drone Photos and User Data (WiReD)

DJI makes some of the most popular quadcopters <https://www.wired.com/story/guide-drones/> on the market, but its products have repeatedly drawn scrutiny <https://www.wired.com/story/army-dji-drone-ban/> government over privacy and security concerns. Most recently, the Department of Defense in May banned the purchase of consumer drones made by a handful of vendors, including DJI. <https://dronedj.com/2018/06/07/department-of-defense-bans-the-purchase-of-commercial-over-the-shelf-uas-including-dji-drones/>

Now DJI has patched a problematic vulnerability in its cloud infrastructure that could have allowed an attacker to take over users' accounts and access private data like photos and videos taken during drone flights, a user's personal account information, and flight logs that include location data. A hacker could have even potentially accessed real-time drone location and a live camera feed during a flight.

https://www.wired.com/story/dji-drones-bugs-exposed-users-data/

------------------------------

Date: Thu, 15 Nov 2018 11:06:03 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Fake fingerprints can imitate real ones in biometric systems (The Guardian)

Another fascinating vulnerability for a particular algorithmic implementation of fingerprint recognition! This approaches what a master key does for classes of locks. This goes way beyond the individualized gummy-bear attacks. PGN

https://www.theguardian.com/technology/2018/nov/15/fake-fingerprints-can-imitate-real-fingerprints-in-biometric-systems-research

Researchers have used a neural network to generate artificial fingerprints that work as a "master key" for biometric identification systems and prove fake fingerprints can be created.

According to a paper presented at a security conference in Los Angeles, the artificially generated fingerprints, dubbed "DeepMasterPrints" by the researchers from New York University, were able to imitate more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand.

------------------------------

Date: Mon, 19 Nov 2018 18:02:23 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Public Attitudes Toward Computer Algorithms (Pew Research Center)

Americans express broad concerns over the fairness and effectiveness of computer programs making important decisions in people's lives
http://www.pewinternet.org/2018/11/16/public-attitudes-toward-computer-algorithms/

... but doesn't seem to motivate most people to opt out where it's possible.

------------------------------

Date: Sun, 11 Nov 2018 21:43:53 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Guarding Against Backdoors and Malicious Hardware (Security Boulevard)

In a post-Supermicro-scoop world, it's important for security teams to review the basics on detecting and guarding against hardware backdoors. Malicious software is relatively easy to find, but what if your actual device is the enemy?

Last month, Bloomberg Businessweek broke a story on Chinese nation-state actors secretly implanting spy chips in targeted motherboards manufactured by mega-supplier Supermicro, compromising large enterprises in both the public sector and the private sector. This story came on the heels of multiple revelations earlier this year by security researchers backed by the Department of Homeland Security that the firmware of millions of Chinese-manufactured smartphones was compromised.

There is much skepticism over the Bloomberg story because of vehement denials by the organizations implicated and other factors. If nothing else, though, it serves as a good wake-up call to IT security for guarding against hardware-embedded backdoors. For years, after all, it has been anticipated that China would try--or has already tried--embedding malicious backdoors directly into hardware. In 2012, researchers discovered a serious embedded backdoor in a Chinese-manufactured FPGA chipset used by military and aerospace organizations in the West. In this instance, for what it's worth, the cybersecurati generally agreed that this backdoor was inadvertent, not malicious. However, even inadvertent backdoors can be converted to malicious ones if discovered by the wrong person.

https://securityboulevard.com/2018/11/guarding-against-backdoors-and-malicious-hardware/

------------------------------

Date: Mon, 12 Nov 2018 23:56:38 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: U.S. Declines to Sign Declaration Discouraging Use of Cyberattacks (NYTimes)

https://www.nytimes.com/2018/11/12/us/politics/us-cyberattacks-declaration.html

The Trump administration, leery of limiting its options, chose not to sign on to the nonbinding pact put forward by President Emmanuel Macron of France.
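A worked model of the 10-bit week ambiguity from David Magda's "GPS week field roll-over" item earlier in this issue, added here as an example that is not part of the digest or the Spectracom post it quotes. It assumes whole-day arithmetic in GPS time (ignoring the GPS-UTC leap-second offset) and a firmware build date as the receiver's reference, the common disambiguation method the item describes:

```python
"""Resolving the legacy 10-bit GPS week field to a calendar date.

The broadcast week field only carries `week mod 1024`, so a receiver must
choose which 1024-week era it is in. This example (not from the digest or
Spectracom) models the method the item mentions: assume the true date is not
earlier than a reference such as the firmware build date. Dates are handled
as whole days of GPS time; the 18 s GPS-UTC offset is ignored, so the era
boundaries land on Sundays at 00:00 GPS time (22 Aug 1999, 7 Apr 2019).
"""
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)   # start of GPS week 0
ERA_WEEKS = 1024               # a 10-bit field holds 0..1023


def full_week(day: date) -> int:
    """Unambiguous week count since the GPS epoch (what the receiver needs)."""
    return (day - GPS_EPOCH).days // 7


def week_field(day: date) -> int:
    """The 10-bit value a legacy receiver actually decodes on `day`."""
    return full_week(day) % ERA_WEEKS


def resolve_week(field: int, reference: date) -> date:
    """Map a 10-bit week field back to the Sunday starting a full GPS week.

    The result is the first matching week at or after `reference`. A stale
    reference (firmware never updated, as in the 911 outage the item cites)
    silently selects the previous era: the 19.7-year error the item warns of.
    """
    if not 0 <= field < ERA_WEEKS:
        raise ValueError("week field must fit in 10 bits")
    ref_week = full_week(reference)
    candidate = (ref_week // ERA_WEEKS) * ERA_WEEKS + field
    if candidate < ref_week:          # field has already wrapped past the reference
        candidate += ERA_WEEKS
    return GPS_EPOCH + timedelta(weeks=candidate)


def reference_expires(reference: date) -> date:
    """First day a receiver relying on `reference` starts mis-dating again:
    1024 weeks after the reference week, when the field laps it once more."""
    return GPS_EPOCH + timedelta(weeks=full_week(reference) + ERA_WEEKS)


def demo() -> dict:
    """Worked cases (constructed): the 2019 roll-over, fresh vs stale firmware."""
    fresh = date(2018, 1, 1)    # firmware built before the 2019 roll-over
    stale = date(1999, 6, 1)    # firmware from before the 1999 roll-over
    return {
        "field_21_nov_2018": week_field(date(2018, 11, 21)),
        "field_day_before_rollover": week_field(date(2019, 4, 6)),
        "field_on_rollover": week_field(date(2019, 4, 7)),
        "fresh_firmware_resolves_field_0": resolve_week(0, fresh).isoformat(),
        "stale_firmware_resolves_field_0": resolve_week(0, stale).isoformat(),
        "fresh_firmware_resolves_field_1004": resolve_week(1004, fresh).isoformat(),
        "fresh_reference_expires": reference_expires(fresh).isoformat(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Field 0 after 7 April 2019 resolves to 2019-04-07 with the 2018 reference but to 1999-08-22 with the 1999 one, which is exactly the failure the unpatched 911 equipment exhibited.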
------------------------------

Date: Tue, 13 Nov 2018 14:02:05 +0800
From: Richard Stein <rmstein () ieee org>
Subject: 'The Cleaners' Looks At Who Cleans Up The Internet's Toxic Content (npr.org)

https://www.npr.org/2018/11/12/667118322/the-cleaners-looks-at-who-cleans-up-the-internets-toxic-content

'"I have seen hundreds of beheadings. Sometimes they're lucky that it's just a very sharp blade that's being used to them," one content moderator says in a clip from the film.'

'"By the end of this year we're gonna have more than 20,000 people working on security and content review,' Zuckerberg said.

See https://catless.ncl.ac.uk/Risks/30/09#subj17.1 on Internet cleaning.

Risk: PTSD -- post-traumatic stress disorder from a desk job.

------------------------------

Date: Tue, 13 Nov 2018 19:54:08 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: HealthCare.gov breach compromised applicants' financial, immigration data (Washington Times)

Personal data including immigration status and employment information were compromised in a breach of HealthCare.gov that affected people who applied for coverage under the Affordable Care Act, former President Barack Obama's hallmark healthcare reform law, the Department of Health and Human Services said Friday.

The Centers for Medicare and Medicaid Services (CMS), the division of HHS responsible for running HealthCare.gov's online application portal -- designated the Marketplace -- has begun notifying approximately 75,000 people affected by the previously disclosed data breach, officials announced in an update about the incident.
https://www.washingtontimes.com/news/2018/nov/10/healthcaregov-breach-compromised-applicants-financ/

------------------------------

Date: Tue, 13 Nov 2018 13:51:12 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Apple IDs locked for unknown reasons for a number of iPhone users (Apple Insider)

A number of iPhone users have discovered their Apple ID has been locked on all of their Apple devices, preventing them from accessing stored data and related services, with the lockdowns occurring for seemingly unknown reasons. ...

It is unclear exactly what is happening to cause the accounts to be locked, but the significant rise in online complaints suggests it has happened to a large number of people at the same time with the first "wave" at about midnight eastern time. While it could be caused in error by Apple's account security protocols, there is also the chance that the accounts are being probed by a malicious actor, though ultimately the reason behind the locking of accounts is unknown in this case.

Sources inside Apple not authorized to speak for the company advised to /AppleInsider/ "At present, this doesn't appear to be an Apple bug. Whatever it is, it is only impacting a minute percentage of our users."

https://appleinsider.com/articles/18/11/13/apple-ids-locked-for-unknown-reasons-for-a-number-of-iphone-users

------------------------------

Date: Wed, 14 Nov 2018 16:15:22 -0800
From: Mark Thorson <eee () dialup4less com>
Subject: Debate in Germany over allowing Chinese to bid on 5G (Taipei Times)

Pressure to exclude Chinese from bidding on 5G build-out, as U.S. and Australia already do.

http://www.taipeitimes.com/News/front/archives/2018/11/15/2003704249

Maybe Huawei should go open source? Then, all we'd have to worry about is spy chips.
------------------------------

Date: Sun, 11 Nov 2018 15:38:41 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Bug bounty (Fortune)

Bug bounty programs were a major topic of discussion during a panel on risk management at the Money20/20 finance and tech conference in Las Vegas a couple weeks ago. These programs compensate hackers for poking holes in a company's products and finding and reporting any vulnerabilities to the people who can fix them. Ideally, they help companies root out flaws in their code and hardware, making the world safer for businesses and consumers.

https://view.email.fortune.com/?qs=4eeb8fb07f569ef3f979cf14268fa83115990788ea48131265220db52f436cd60ec6f6c3730c71af18f048b7f1e25608112f3e42b011768b92d040d012711efef2f1fda5cacf467b

------------------------------

Date: Fri, 9 Nov 2018 14:55:47 -0500
From: Tom Van Vleck <thvv () multicians org>
Subject: A thing to worry about: sleep study

What I have in mind is the paper in the latest CACM, November 2018, Vol. 61 No. 11, Pages 157-165.
"LIBS: A Bioelectrical Sensing System from Human Ears for Staging Whole-Night Sleep Study"

Sleep study. Good thing, right. Replace the electrode cap applied by a technician with some foam earplugs, saves money, do it at home, results almost as good, plus you can get not only EEG but eye tracking and muscle contractions. They sound very proud.

Then their paper ends with a section on other stuff they could do with this.
- autism onset detection
- meditation training
- eating habit monitoring
Well hmm.
- autonomous audio steering... train a hearing aid to favor amplifying sounds from where the user is looking
- also combine with the EEG signal and micro expression to see how pleased the wearers are with the sound they hear
- distraction and drowsiness detection .. see if drivers are alert
- child's interest assessment ..
see what the student is paying attention to in class

OK, but then this could be used to
-- see if Winston Smith is paying attention to the telescreen
-- determine if Winston Smith is pleased by what he hears from Big Brother
-- weed out malcontent and rebellious students
-- detect physiological responses to stimuli ("lie detectors")

oh, not to worry, just don't let anybody stick earplugs with wires on them in your ears. and make sure nobody invents a remote-sensing EEG, and beware of high quality sensor cameras that might pick up your micro expressions and other body responses

yup, nobody would ever use this for evil, right.

if Alexa or Siri offers us a useful gadget that promises to make us happy, will we be allowed to decline? I bet Joe Weizenbaum would be cautious.

------------------------------

Date: Mon, 12 Nov 2018 09:21:50 +0800
From: Richard Stein <rmstein () ieee org>
Subject: A robot scientist will dream up new materials to advance computing and fight pollution (MIT Technology Review)

https://www.technologyreview.com/s/612388/a-robot-scientist-will-dream-up-new-materials-to-advance-computing-and-fight-pollution/

From the what-if sci-fi risk category. Suppose the material-bot finds a compound that can literally "rip CO2" from the atmosphere by the boat load, and thereby suppress the hockey-stick rise in greenhouse gas concentration. But...the material must be constructed from a highly radioactive and toxic combination of elements: radium, thorium, and polonium. Would pursuit of this CO2 scrubber be ethically justifiable if it was the "last chance" to save the Earth's ecosystem?

------------------------------

Date: Sat, 10 Nov 2018 11:59:00 +0800
From: Richard Stein <rmstein () ieee org>
Subject: AI News Anchor Makes Debut In China (npr.org)

https://www.npr.org/2018/11/09/666239216/ai-news-anchor-makes-debut-in-china

"It's quite difficult to watch for more than a few minutes.
It's very flat, very single-paced, it's not got rhythm, pace or emphasis," Michael Wooldridge from the University of Oxford told the BBC. And compared to a trusted human news anchor, he says that "if you're just looking at animation you've completely lost that connection to an anchor."

A "real silicon muppet" news anchor appeal to a broader audience? As simulation improves, succeeding generations of viewers may accept and trust silicon muppet as authoritative voice or face of governance.

RISK: Pure propaganda broadcast sows confusion, or stiffens polarization despite contradictory, factual evidence.

Recall "Dirty Laundry" lyrics by Don Henley and Danny Kortchmar (see https://www.lyricsfreak.com/d/don+henley/dirty+laundry_20042033.html)

"We can do 'The Innuendo' / We can dance and sing / When it's said and done we haven't told you a thing / We all know that Crap is King / Give us dirty laundry!"

------------------------------

Date: Tue, 6 Nov 2018 22:31:48 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: 3 Crazy Excel Formulas That Do Amazing Things (MakeUseOf)

https://www.makeuseof.com/tag/3-crazy-excel-formulas-that-do-amazing-things/

Fun with Excel. I barely understand some of this but will study it. Already learned from this the (trivial) ways to conditionally format cells. Reading more sophisticated techniques scares the bejeezus out of me -- how do you test/debug/validate arcane formulas producing results/dashboards/graphs/etc. Mostly can't, right? Great.

------------------------------

Date: Mon, 12 Nov 2018 17:30:56 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Dementia risk: Five-minute scan 'can predict cognitive decline' (bbc.com)

https://www.bbc.com/news/health-46155607

"Scientists used ultrasound scanners to look at blood vessels in the necks of more than 3,000 people and monitored them over the next 15 years.
"They found those with the most intense pulses went on to experience greater cognitive decline over the next decade than the other study participants.

"Researchers hope it may offer a new way to predict cognitive decline.

"An international team of experts, led by University College London (UCL), measured the intensity of the pulse traveling towards the brain in 3,191 people in 2002.

"A more intense pulse can cause damage to the small vessels of the brain, structural changes in the brain's blood vessel network and minor bleeds known as mini-strokes."

Catch-22. More powerful ultrasonic pulses required to spot cognitive decline potential, but powerful pulses damage blood vessels and possibly contribute to TIA -- transient ischemic aneurysm (aka stroke). Not a Therac-25 situation, though pulse intensity must be carefully controlled.

------------------------------

Date: Tue, 13 Nov 2018 13:43:21 +0800
From: Richard Stein <rmstein () ieee org>
Subject: MAS issues principles to guide use of AI, data analytics in finance (The Straits Times)

https://www.straitstimes.com/business/banking/mas-issues-principles-to-guide-use-of-artificial-intelligence-data-analytics-in

"The Monetary Authority of Singapore (MAS) has issued a set of principles to promote fairness, ethics, accountability and transparency (FEAT) in the use of artificial intelligence (AI) and data analytics in finance."

http://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Monographs%20and%20Information%20Papers/FEAT%20Principles%20Final.pdf

The four principles are identified as:
* Fairness
* Ethics
* Accountability
* Transparency

The section on Ethics for AIDA (Artificial Intelligence and Data Analytics) is short:
* Use of AIDA is aligned with the firm's ethical standards, values and codes of conduct.
* AIDA - driven decisions are held to at least the same ethical standards as human-driven decisions.

Mapping explainable AI characteristics to these principles is a challenge.

Risks: Brand outrage.
AIDA deployment promotes and accelerates organizational profit-seeking behaviors that throttle ethics, fairness, accountability, and transparency parameters.

------------------------------

Date: Tue, 13 Nov 2018 15:17:59 -0500
From: Jose Maria Mateos <chema () rinzewind org>
Subject: Awful AI is a curated list to track current scary usages of AI -- hoping to raise awareness (David Dao)

https://github.com/daviddao/awful-ai

Artificial intelligence in its current state is unfair, easily susceptible to attacks and notoriously difficult to control. Nevertheless, more and more concerning uses of AI technology are appearing in the wild. This list aims to track all of them. We hope that Awful AI can be a platform to spur discussion for the development of possible contestational technology (to fight back!).

------------------------------

Date: Wed, 14 Nov 2018 08:49:10 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Google accused of 'trust demolition' over health app (BBC)

via NNSquad

[Ignore the rants!]

https://www.bbc.com/news/technology-46206677

A controversial health app developed by artificial intelligence firm DeepMind will be taken over by Google, it has been revealed. Streams was first used to send alerts in a London hospital but hit headlines for gathering data on 1.6 million patients without informing them. DeepMind now wants the app to become an AI assistant for nurses and doctors around the world. One expert described the move as "trust demolition".

IGNORE THE RANTS! - Google taking over this app does ABSOLUTELY NOTHING to reduce the privacy protections included therein, nor does it mean that the related health data will be combined with any other Google data. A textbook example of wacky knee-jerk reactions!
------------------------------

Date: Wed, 14 Nov 2018 11:50:09 -0500
From: ACM TechNews <technews-editor () acm org>
Subject: AI Could Make Cyberattacks More Dangerous, Harder to Detect (WSJ)

Adam Janofsky, *The Wall Street Journal*, 13 Nov 2018
via ACM TechNews, Wednesday, November 14, 2018

Scientists warn that hackers could weaponize artificial intelligence (AI) to conceal and accelerate cyberattacks and potentially escalate their damage. IBM researchers last month demonstrated "DeepLocker" AI-powered malware designed to hide its damaging payload until it reaches a specific victim, identifying its target with indicators like facial- and voice-recognition and geolocation. IBM's Marc Stoecklin said with DeepLocker, "AI becomes the decision maker to determine when to unlock the malicious behavior." Meanwhile, the Stevens Institute of Technology's Giuseppe Ateniese has investigated the use of generative adversarial networks (GANs), which contain two neural networks that collaborate to deceive safeguards like passwords; he designed a GAN that fed leaked passwords found online into an AI model, to analyze patterns and narrow down likely passwords faster than brute-force attacks. Said Ateniese, "We need to study how AI can be used in attacks, or we won't be ready for them."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1d288x218730x069217&

------------------------------

Date: Wed, 14 Nov 2018 15:24:49 -0500
From: David Tarabar <dtarabar () acm org>
Subject: Bugs in Chinese English-Speaking Virtual News Anchor (RadiiChina)

China's state media introduced an AI based virtual news anchor. But there are still a few bugs.
It referred to Jack Ma -- the founder of Alibaba -- as Jack Massachusetts.

https://radiichina.com/xinhua-unveils-first-english-speaking-virtual-news-anchor/

------------------------------

Date: Sun, 18 Nov 2018 23:05:25 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: AmazonBasics Microwave Review: It's a Little Undercooked (WiReD)

Connected, he sped through a battery of tests, which tended to either get the job done or leave him wondering if anyone at Amazon who actually cooks gave this thing a whirl before it was released to the public.

https://www.wired.com/review/amazonbasics-microwave/

The risk? Rampant IoT adding "di" after first letter.

------------------------------

Date: Sun, 18 Nov 2018 17:24:14 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Elon Musk's SpaceX wins FCC approval to put Starlink Internet satellites into orbit (WashPost)

https://www.washingtonpost.com/technology/2018/11/15/elon-musks-spacex-wins-fcc-approval-put-starlink-internet-satellites-into-orbit

'"My favorite example is an innocuous little screwdriver that slipped through an astronaut's grasp and has been circling low Earth orbit at up to 21,600 miles per hour for the last 35 years," said FCC Commissioner Jessica Rosenworcel. "At these speeds, even a common household item can wreak havoc."'

Risk: ~2X the current orbital satellite population w/o collisions and no orbit reentry plan. See https://catless.ncl.ac.uk/Risks/30/86#subj22.1

Average Joe is ineligible to play orbital dodgeball.

------------------------------

Date: Mon, 19 Nov 2018 23:43:35 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Customer Complains About Tesla Forums, Tesla Accidentally Gives Him Control Over Them (Motherboard)

“The customer was inadvertently granted a higher level of permissions than he should have had to the Tesla forum,” a Tesla spokesperson told Motherboard in an email on Monday.
“We revoked the access as soon as it was reported, and made other changes to adjust privileges accordingly following a full audit.”

https://motherboard.vice.com/en_us/article/7xy8ey/customer-complains-about-tesla-forums-tesla-accidentally-gives-him-control-over-them

"...as soon as it was reported...". Nice security. I hope their car patches system is more secure.

------------------------------

Date: Friday 9 Nov 2018 11:17:22 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Google had a secret bug (WashPost)

Craig Timberg, Renae Merle and Cat Zakrzewski, *The Washington Post*, 8 Oct 2018
Google for months kept secret a bug that imperiled the personal data of Google+ users
https://www.washingtonpost.com/technology/2018/10/08/google-overhauls-privacy-rules-after-discovering-exposure-user-data/

Google found a serious privacy bug in its Google+ service, but it did not inform government regulators or users for several months. At that time, it announced that it would be winding down the Google+ service, it would impose new privacy limits on developers for Android apps, and it would limit the sharing of information about Gmail users. Google said it could not notify users about the bug when it was first discovered because it was not sure which users were affected.

------------------------------

Date: Mon, 12 Nov 2018 10:41:25 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: For the first time, researchers say Facebook can cause depression (Brett Arends)

Brett Arends, MarketWatch, 12 Nov 2018
https://www.marketwatch.com/story/new-study-claims-facebook-instagram-and-snapchat-are-linked-to-depression-2018-11-09

Spending too much time on "social media" sites like Facebook is making people more than just miserable. It may also be making them depressed.
A new study conducted by psychologists at the University of Pennsylvania has shown -- for the first time -- a causal link between time spent on social media and depression and loneliness, the researchers said. It concluded that those who drastically cut back their use of sites like Facebook, Instagram and Snapchat often saw a marked improvement in their mood and in how they felt about their lives.

"It was striking," says Melissa Hunt, psychology professor at University of Pennsylvania, who led the study. "What we found over the course of three weeks was that rates of depression and loneliness went down significantly for people who limited their (social media) use."

Many of those who began the study with moderate clinical depression finished just a few weeks later with very mild symptoms, she says.

The study, "No More FOMO: Limiting Social Media Decreases Loneliness and Depression," was conducted by Melissa Hunt, Rachel Marx, Courtney Lipson and Jordyn Young, and is being published by the peer-reviewed Journal of Social and Clinical Psychology.

------------------------------

Date: Tue, 13 Nov 2018 19:30:55 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Mozilla - *privacy not included

Shop Safe This Holiday Season

Teddy bears that connect to the Internet. Smart speakers that listen to commands. Great gifts--unless they spy on you. We created this guide to help you buy safe, secure products this holiday season.

This shows how creepy users find these products. Scroll to see it change. Click on a product to rate it.

https://foundation.mozilla.org/en/privacynotincluded/

Dial-a-risk, nicely calibrated.

------------------------------

Date: Mon, 12 Nov 2018 18:25:13 +0800
From: Richard Stein <rmstein () ieee org>
Subject: The digital epidemic killing Indians (bbc.com)

https://www.bbc.com/news/av/stories-46152427/the-digital-epidemic-killing-indians
(part of a BBC series on fake news and misinformation).
Misinformation drives crowds to act maliciously against civilians. Crowd-sourced vigilantism.

Risk: Ineffective regulation and irresponsible oversight of messaging application content threatens public order, weakens civility, and erodes public trust.

------------------------------

Date: Tue, 13 Nov 2018 13:35:35 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Police: Woman remotely wipes phone in evidence after shooting (The Daily Gazette)

She now faces evidence tampering and prosecution hindering counts

https://dailygazette.com/article/2018/11/08/police-woman-remotely-wipes-phone-in-evidence-after-shooting

------------------------------

Date: Fri, 9 Nov 2018 14:15:04 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: He Helped People Cheat at Grand Theft Auto. Then His Home Was Raided. (NYTimes)

A gamer in Melbourne has had his assets frozen in connection with a popular video game cheat. He's one of many being sued by game companies worldwide, raising questions about copyright law and the policing of online civility.

https://nyti.ms/2yZR4mz

------------------------------

Date: Thu, 8 Nov 2018 23:40:38 -0500
From: Monty Solomon <monty () roscom com>
Subject: MoneyGram agrees to pay $125 million for failing to crack down on fraudulent money transfers (WashPost)

MoneyGram pays huge penalty to settle FTC and DOJ allegations that it didn't do enough to stop fraudsters from using its money transfer system

https://www.washingtonpost.com/business/2018/11/09/moneygram-agrees-pay-million-failing-crack-down-fraudulent-money-transfers/

------------------------------

Date: Wed, 14 Nov 2018 07:53:15 -0500
From: Jose Maria Mateos <chema () rinzewind org>
Subject: Report: Could Your Online Behavior Affect What You Pay for Car Insurance?
(San Antonio Business Journal)

https://www.bizjournals.com/sanantonio/prnewswire/press_releases/Texas/2018/11/13/DA70769

Charlie Osborne for Zero Day | November 15, 2018

The Zebra, the nation's leading car insurance search engine, today released findings of an investigative report that explores whether the U.S. auto insurance industry -- which serves 250 million U.S. drivers -- is collecting and using data about consumers' online behaviors and preferences (their "digital footprints") to calculate what people pay for their car insurance policies.

Link to report: https://www.thezebra.com/research/digital-footprint-car-insurance/

------------------------------

Date: Thu, 15 Nov 2018 20:52:00 -0500
From: Monty Solomon <monty () roscom com>
Subject: Couple, homeless man in viral GoFundMe charged (BostonGlobe)

"The entire campaign was predicated on a lie."

https://www.boston.com/news/national-news/2018/11/15/homeless-man-viral-gofundme-arrested

------------------------------

Date: Wed, 07 Nov 2018 12:52:23 -0500
From: Jose Maria Mateos <chema () rinzewind org>
Subject: The Dating Brokers (TacticalTech)

https://datadating.tacticaltech.org/viz

In May 2017 artist Joana Moll and Tactical Tech purchased 1 million online dating profiles for 136€ from USDate, a supposedly US-based company that trades in dating profiles from all over the globe. The batch of dating profiles we purchased included pictures (almost 5 million of them), usernames, e-mail addresses, nationality, gender, age and detailed personal information about all of the people who had created the profiles, such as their sexual orientation, interests, profession, thorough physical characteristics and personality traits.

Purchasing this data exposed a vast network of companies that are capitalising on this information without the conscious consent of the users, who ultimately are the ones being exploited. This project attempts to make parts of that network, and how it works, visible to everyone.
------------------------------

Date: Mon, 19 Nov 2018 23:08:25 -0800
From: Gene Wirchenko <genew () telus net>
Subject: Osaka woman terrifyingly attacked by intruder while playing video games in her home late at night (Sora News)

[Yes, it is not directly computer-related, but consider the security risks:
1) headphones while playing alone (What if the intruder had not cut the power first? (possible surprise))
2) The fuse box being right by the front door.
It would be too easy for a computer programmer to be similarly ambushed.]

https://soranews24.com/2018/11/19/osaka-woman-terrifyingly-attacked-by-intruder-while-playing-video-games-in-her-home-late-at-night/

[This story] is like something out of an urban legend. At nearly 2 a.m. on 18 November, a 29-year-old woman was playing video games in her apartment in the Mitsumatsu area of Kaizuka City, Osaka Prefecture. She was playing with a pair of headphones on so as not to disturb the neighbors in her building. However, in the middle of her game all the power in her apartment suddenly went out.

She walked toward the front door where the fuse box was, but instead found the silhouette of a strange man standing inside her apartment, having somehow gained entrance to her home. He had apparently pulled the circuit breaker moments earlier, and his entrance had been drowned out by the sounds of her gaming.

Fuse boxes are often found next to the front door of Japanese apartments.

------------------------------

Date: Tue, 13 Nov 2018 09:28:20 +0000 (UTC)
From: David Alexander <davidalexander440 () btinternet com>
Subject: Re: EMV card fraud statistics (Goldberg, RISKS-30.91)

I would just like to point out that, just because a card is EMV enabled, it does not mean it cannot be attacked by other means such as compromising the POS device.

I have recently returned to the UK from a trip that took me to Texas, New Mexico and California.
While I was pleased to see a lot of merchants are now using chip and PIN in the US there were a disappointingly high number of places where the mag stripe on my EMV card was `swiped' through the reader and I still had to sign for my purchase. I know that will not account for anything like all of the 90% quoted in the article but it would be worth analysing if there is still a disproportionately high risk from merchants who have yet to migrate to chip and PIN.

The problem is that enough data to commit fraud is still held in the mag stripe on the card. Until such time as the mag stripe can be eliminated the cards will be vulnerable. I haven't yet been brave enough to run a strong magnet over the stripe on one of my cards to see what the effect might be.

------------------------------

Date: Tue, 06 Nov 2018 19:07:43 -0500
From: "Arthur T." <risks2018a.10.atsjbt () xoxy net>
Subject: Re: Ethics of whom to kill (RISKS-30.90,91)

On 6 Nov 2018 13:44:32 -0500, in comp.risks (Message-ID:<CMM.0.90.4.1541529734.risko () chiron csl sri.com1852>) risko () csl sri com (RISKS List Owner) wrote:
> Has Rob Slade not heard of "The exception proves the rule"? Yes I know this saying is horribly mis-used, but it almost certainly comes from the fact that it only takes ONE inconvenient fact to destroy a scientific theory.
That turns out not to be the case. It's a very old legal maxim which says that an exception in the law presupposes the rule it's an exception to. So a sign saying that parking is allowed on Tuesdays implies that there's a rule that it's not allowed on the other days. There are several sites which trace the etymology; one of the more trusted might be <https://www.snopes.com/fact-check/exceptional-proof/>
> It is also an inconvenient fact that people dismiss inconvenient facts as "oh that's just an anecdote". But it only takes one inconvenient anecdote to be verifiable, at which point it becomes a data point capable of destroying your theory and lifetime's work.
As we just saw, what's "obvious" or "almost certain" may not be true. Anecdotes tend to be passed along and morphed by the whisper-down-the-lane effect. The other problem with anecdotes is confirmation bias. There are, say, ten horrible crashes of self-driving cars. But how many would have been avoided by an alert driver? How many miles of self-driving have there been total, and how does that compare to human-driven miles vs. crashes?
> If there are a lot of anecdotes out there you cannot just dismiss and ignore them.
"My cousin's friend was abducted by aliens. What you gotta say about that, Mr. Scientist?" While there are anecdotes which shouldn't be ignored, there are some which should be. There are enough reputable people on all sides of the self-driving car controversies that I expect the truth to come out, and probably in a timely fashion.

------------------------------

Date: Wed, 7 Nov 2018 01:30:03 +0000
From: Wols Lists <antlists () youngman org uk>
Subject: Re: Tesla (Risks-30.91)

On 06/11/18 18:42, RISKS List Owner wrote:
> Now, the Tesla can do that, too. If it notices that you're being blocked, and that there's room in the next lane, a notification appears on your screen. It informs you that if you put on your turn signal, Autopilot will take it from there. It does the passing maneuver smoothly and gracefully. (It doesn't actually return to your original lane, however -- just changes into a faster lane, passing the slowpoke, and stays there.)
Which is illegal - staying in the outside lane, that is. Certainly in the UK. And I got fined in the old GDR for doing that.

In the UK, every lane except the nearside is designated a passing (or overtaking) lane and is supposed to be used *only* for that purpose. If there's a lot of traffic, people stay in the outer lanes because they're continually overtaking other vehicles. Or they stay in the outer lanes when they shouldn't, which is actually a major problem.

Hogging the middle lane on a motorway is seen as a minor infringement, but on a motorway many vehicles are not allowed to use the outside lane. So if I'm doing 60 towing a caravan, and come across a lane-hog doing 50, I can't get past! If I undertake that's called dangerous driving, and if I overtake then I'm in big trouble for using a lane I am explicitly barred from.

------------------------------

Date: Wed, 7 Nov 2018 15:56:07 -0500
From: Phil Smith III <phsiii () gmail com>
Subject: Re: Credit Card Chips Have Failed to Halt Fraud, Survey Shows (Goldberg, RISKS-30.91)

Gabe Goldberg wrote about
http://fortune.com/2018/11/05/credit-card-chips-fail-to-halt-fraud-survey-says/

Terrible article by Fortune. EMV was never expected to "put an end to rampant credit card fraud". EMV was expected to make it harder to do CP (Card-Present) fraud, which it has done. And to nobody's surprise (in the Payments industry, anyway) CNP (Card-Not-Present) fraud has gone up while CP fraud has gone down, just as it has in every other market when EMV was introduced.

As has surely been discussed here before, the U.S. issuers chose chip & signature instead of chip & PIN as is used in other markets. The stated reason for this is that PINs are "inconvenient", and are thus seen as a competitive disadvantage: if my Chase Visa requires a PIN and my Citi Visa doesn't, the theory is that I'm more likely to use the Citi card. This logic seems thin at best.
I believe a more likely real reason is that chip&signature was easier for issuers to implement in their mostly home-grown back-end systems. And this seems to be supported by the fact that most U.S. issuers don't even support chip&PIN. If not for the implementation cost, one would assume that issuers would have added chip&PIN *support* at least while adding EMV support, and thus would at least allow PINs.

A few domestic issuers do support chip&PIN: if you ask, they will issue a PIN. But that doesn't mean using the card will ask for a PIN in most cases. It does, however, prepare you for international travel, where chip&PIN is pretty well universal and you may be SOL if you don't have a PIN.

------------------------------

Date: Sun, 18 Nov 2018 18:15:34 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Re: Risks in Using Social Media to Spot Signs of Mental Distress (Solomon, RISKS-28.45)

https://www.npr.org/2018/11/17/668408122/facebook-increasingly-reliant-on-a-i-to-predict-suicide-risk

'"To just give you a sense of how well the technology is working and rapidly improving...in the last year we've had 3,500 reports," she says. That means AI monitoring is causing Facebook to contact emergency responders an average of about 10 times a day to check on someone -- and that doesn't include Europe, where the system hasn't been deployed. (That number also doesn't include wellness checks that originate from people who report suspected suicidal behavior online.)

"Davis says the AI works by monitoring not just what a person writes online, but also how his or her friends respond. For instance, if someone starts streaming a live video, the AI might pick up on the tone of people's replies.

'"Maybe like, 'Please don't do this,' 'We really care about you.' There are different types of signals like that that will give us a strong sense that someone may be posting of self-harm content," Davis says.'
The National Institute of Mental Health (NIMH) cites these statistics for
2016 (https://www.nimh.nih.gov/health/statistics/suicide.shtml):

* Suicide was the tenth leading cause of death overall in the United States,
  claiming the lives of nearly 45,000 people.
* Suicide was the second leading cause of death among individuals between the
  ages of 10 and 34, and the fourth leading cause of death among individuals
  between the ages of 35 and 54.
* There were more than twice as many suicides (44,965) in the United States
  as there were homicides (19,362).

The age-adjusted suicide rate (per 100,000 persons) in 2016 was 21.3 for men,
6.0 for women, with a 13.4 suicides/day national average (see Table 1 from
the shtml page above).

One year post-deployment of Facebook's AI algorithm to spot customer suicide
potential w/o a statement of false positive detection or false negative
detection is curious. The reference in Solomon's post
(https://catless.ncl.ac.uk/Risks/28/45%23subj3) states that 70% detection
accuracy was achievable by analyzing Twitter posts from 171 users. Equivalent
arithmetic for Facebook suggests (1-0.7)*3500 = 1050 emergency calls are
false positives.

The NIMH age-adjusted statistics of 13.4 daily case average suggests that not
all potential suicides are either engaged or tracked via Facebook, despite
the estimated ~203M users in 2017 (see
https://www.statista.com/statistics/408971/number-of-us-facebook-users/).

Risk: Emergency service response dilution from suicide detection algorithm
contextual analysis bias.

------------------------------

Date: Mon, 19 Nov 2018 19:58:48 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Book review: You'll see this message when it is too late,
  by Josephine Wolff (Web Informant)

A new book from Professor Josephine Wolff at Rochester Inst.
of Technology called *You'll see this message when it is too late* is worth
reading
<https://www.amazon.com/Youll-this-message-when-late/dp/0262038854/davidstromswebin>

While there are plenty of other infosec books on the market, to my knowledge
this is the first systematic analysis of different data breaches over the
past decade. She reviews a total of nine major data breaches of the recent
past and classifies them into three different categories, based on the
hackers' motivations: those that happened for financial gain (TJ Maxx and the
South Carolina Department of Revenue and various ransomware attacks); for
cyberespionage (DigiNotar and US OPM); and online humiliation (Sony and
Ashley Madison). She takes us behind the scenes of how the breaches were
discovered, what mistakes were made and what could have been done to mitigate
the situation. A lot has been already written on these breaches, but what
sets Wolff's book apart is that she isn't trying to assign blame but *dive
into their root causes and link together various IT and corporate policy
failures that led to the actual breach*.

http://blog.strom.com/wp/%3Fp%3D6905

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
     on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks have done to URLs. I have
     tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.92
************************