RISKS Forum mailing list archives
Risks Digest 32.60
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 17 Apr 2021 17:13:57 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 17 April 2021  Volume 32 : Issue 60

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.60>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
National Weather Service Internet systems crumbling as key platforms fail
  (WashPost)
737 MAX recidivus (Rob Slade)
Cosmic rays causing 30,000 network malfunctions in Japan each year
  (The Japan Times)
100 Million More IoT Devices Are Exposed and They Won't Be the Last (WiReD)
GPS is endangered by a misguided FCC decision made during the Trump
  administration (WashPost)
Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021
  (Zero Day Initiative)
A Casino Gets Hacked Through a Fish-Tank Thermometer (Entrepreneur)
Millions of Devices at Risk From NAME:WRECK DNS Bugs (Alex Scroxton)
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp
  (CVE-2021-24027)
``How can a democracy function if we can't talk to one another?''
  U.S. justices ask (Reuters)
Texas Man Charged With Planning To Blow Up Ashburn Data Center
  (Arlington VA Patch)
NYPD's Robot Dog Returns to Work, Touching Off a Backlash (NYTimes)
The Perils of Overhyping Artificial Intelligence: For AI to Succeed, It First
  Must Be Able to Fail (Foreign Affairs)
Microchip security continues to confound Pentagon (Techxplore)
'Miss'taken assumptions lead to plane incident (The Guardian)
The UK Is Trying to Stop Facebook's End-to-End Encryption (WiReD)
Coinbase Makes Its Debut -- and Bitcoin Arrives on Wall Street (WiReD)
My email account needs blockchain maintenance? (Rob Slade)
Scientists studying solar try solving a dusty problem (techxplore.com)
Plan to install green energy storage on Williamsburg roof raises tenants' ire
  (Bklyner)
Understanding fruit fly behavior may be next step toward autonomous vehicles
  (techxplore.com)
Self-driving vehicles (Car and Driver via Richard Stein)
Supreme Court & Facebook Unwanted Automated Texts (Consumer Reports)
Foreign intel services could abuse ad networks for spying (Henry Baker)
NJ town: Our IT vendor ate our e-mails (North Jersey)
Loot boxes in video games deemed close enough to gambling to warrant
  regulation (medicalxpress.com)
"Work From Home" being blamed for security risks (Rob Slade)
He Built a $10 Billion Investment Firm. It Fell Apart in Days. (NYTimes)
Marylanders could soon be fined $100 for intentionally releasing balloons
  (DCist)
She called off her Wedding. The Internet will never forget (WiReD)
Scientists Create Online Games to Show Risks of AI Emotion Recognition
  (Nicola Davis)
AI Comes to Car Repair, and Body Shop Owners Aren't Happy (WiReD)
The Foundations of AI Are Riddled With Errors (WiReD)
We tested the first state's vaccine passport: Here's what to expect (WashPost)
GoToMeeting/GoToWebinar (Rob Slade)
Re: Antiscience Movement Is ... Killing Thousands (Jose Maria Meteos,
  Amos Shapir)
People Count: Contact-Tracing Apps and Public Health (Susan Landau,
  MIT Press 2021)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 4 Apr 2021 21:54:07 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: National Weather Service Internet systems crumbling as key platforms
  fail (WashPost)

Most of the agency's online systems went down Tuesday, and during last week's
tornado outbreak in the South, a vital resource for relaying information
crashed.

https://www.washingtonpost.com/weather/2021/03/30/nws-internet-infrastructure-outages/

------------------------------

Date: Sat, 10 Apr 2021 11:52:38 -0700
From: Rob Slade <rslade () gmail com>
Subject: 737 MAX recidivus

Some of the planes are grounded because they may not be grounded.

https://lite.cnn.com/en/article/h_f62e279af56640bf9ab1bb07de9eda16

------------------------------

Date: Mon, 5 Apr 2021 12:30:51 +0900
From: Dave Farber <farber () keio jp>
Subject: Cosmic rays causing 30,000 network malfunctions in Japan each year
  (The Japan Times)

https://www.japantimes.co.jp/news/2021/04/04/business/tech/ntt-cosmic-rays/
https://cdn-japantimes.com/wp-content/uploads/2021/04/np_file_79612.jpeg

The Japan Times, 4 Apr 2021 (Bloomberg)

Nippon Telegraph and Telephone Corp. has found that cosmic rays are causing
an estimated 30,000 to 40,000 temporary malfunctions in domestic network
communication devices in Japan every year.

Most so-called soft errors, or temporary malfunctions, in the firm's hardware
are automatically corrected via safety devices, but experts said in some
cases they may have led to disruptions. It is the first time the actual scale
of soft errors in domestic information infrastructures has become evident.
Soft errors occur when the data in an electronic device is corrupted after
neutrons, produced when cosmic rays hit oxygen and nitrogen in the Earth's
atmosphere, collide with the semiconductors within the equipment.

Cases of soft errors have increased as electronic devices with small and
high-performance semiconductors have become more common. Temporary
malfunctions have sometimes led to computers and phones freezing, and have
been regarded as the cause of some plane accidents abroad.

Masanori Hashimoto, professor at Osaka University's Graduate School of
Information Science and Technology and an expert in soft errors, said the
malfunctions have actually affected other network communication devices and
electrical machinery at factories worldwide.

There is a chance that `greater issues' will arise as society's
infrastructure becomes `more reliant on electronic devices' that use such
technologies as artificial intelligence and automated driving, Hashimoto
said. He emphasized the need for the government and businesses to further
research and implement countermeasures.

However, identifying the cause of soft errors and implementing measures
against them can be difficult due to them not being reproducible in trials,
unlike mechanical failures.

NTT therefore measured the frequency of soft errors through an experiment
whereby semiconductors are exposed to neutrons, and concluded there are about
100 errors per day in its domestic servers.

Although NTT did not reveal if network communication disruptions have
actually occurred, the company said it was ``implementing measures against
major issues'' and ``confirming the quality of the safety devices and
equipment design through experiments and presumptions.''

------------------------------

Date: Wed, 14 Apr 2021 19:41:06 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: 100 Million More IoT Devices Are Exposed and They Won't Be the Last
  (WiReD)

The Name:Wreck flaws in TCP/IP are the latest in a series of vulnerabilities
with global implications.

https://www.wired.com/story/namewreck-iot-vulnerabilities-tcpip-millions-devices/

------------------------------

Date: Thu, 15 Apr 2021 13:05:27 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: GPS is endangered by a misguided FCC decision made during the Trump
  administration (WashPost)

The Biden administration has an opportunity to undo a potentially devastating
ruling that ignored government-wide, bipartisan criticism.

https://www.washingtonpost.com/opinions/2021/04/14/gps-is-endangered-by-misguided-fcc-decision-made-during-trump-administration/

------------------------------

Date: Wed, 14 Apr 2021 14:06:05 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021
  (Zero Day Initiative)

The 2021 spring edition of *Pwn2Own*
<https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results>
hacking contest concluded last week on April 8 with a three-way tie between
Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade.

A total of $1.2 million was awarded for 16 high-profile exploits over the
course of the three-day virtual event organized by the Zero Day Initiative
(ZDI).

Targets with successful attempts included Zoom, Apple Safari, Microsoft
Exchange, Microsoft Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop
operating systems.
Some of the major highlights are as follows:

- Using an authentication bypass and a local privilege escalation to
  completely take over a Microsoft Exchange server, for which the Devcore
  team netted $200,000
- Chaining a pair of bugs to achieve code execution in Microsoft Teams,
  earning researcher OV $200,000
- A zero-click exploit targeting Zoom that employed a three-bug chain to
  exploit the messenger app and gain code execution on the target system
  ($200,000)
- The exploitation of an integer overflow flaw in Safari and an
  out-of-bounds write to get kernel-level code execution ($100,000)
- An exploit aimed at the Chrome renderer to hack Google Chrome and
  Microsoft Edge (Chromium) browsers ($100,000)
- Leveraging *use-after-free* <https://cwe.mitre.org/data/definitions/416.html>,
  race condition, and integer overflow bugs in Windows 10 to escalate from a
  regular user to SYSTEM privileges ($40,000 each)
- Combining three flaws -- an uninitialized memory leak, a stack overflow,
  and an integer overflow -- to escape Parallels Desktop and execute code on
  the underlying operating system ($40,000)
- Exploiting a memory corruption bug to successfully execute code on the
  host operating system from within Parallels Desktop ($40,000)
- The exploitation of an out-of-bounds access bug to elevate from a standard
  user to root on Ubuntu Desktop ($30,000)

The *Zoom vulnerabilities* <https://twitter.com/thezdi/status/1379855435730149378>
exploited by Daan Keuper and Thijs Alkemade of Computest Security are
particularly noteworthy because the flaws require no interaction of the
victim other than being a participant on a Zoom call. What's more, it affects
both Windows and Mac versions of the app, although it's not clear if Android
and iOS versions are vulnerable as well. [...]

https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html

------------------------------

Date: Fri, 16 Apr 2021 17:49:35 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: A Casino Gets Hacked Through a Fish-Tank Thermometer (Entrepreneur)

Hackers gain entry to a casino's internal net via a fish tank, and steal a
list of customers:

https://www.entrepreneur.com/article/368943

------------------------------

Date: Wed, 14 Apr 2021 12:09:28 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Millions of Devices at Risk From NAME:WRECK DNS Bugs (Alex Scroxton)

Alex Scroxton, *Computer Weekly*, 13 Apr 2021
via ACM TechNews, 14 Apr 2021

Researchers at cybersecurity provider Forescout Research Labs and Israeli
cybersecurity consultancy JSOF discovered nine new Domain Name System (DNS)
vulnerabilities that could imperil more than 100 million connected Internet
of Things (IoT) devices, at least a third of them located in the UK.
Collectively designated NAME:WRECK, the bugs affect four popular Transmission
Control Protocol/Internet Protocol (TCP/IP) stacks: FreeBSD, IPnet, Nucleus
NET, and NetX. Malefactors who exploit the vulnerabilities in a denial of
service or remote code execution attack could disrupt or hijack targeted
networks. Forescout's Daniel dos Santos said, "Complete protection against
NAME:WRECK requires patching devices running the vulnerable versions of the
IP stacks, and so we encourage all organizations to make sure they have the
most up-to-date patches for any devices running across these affected IP
stacks."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2a7bbx22a5bdx069869&

------------------------------

Date: Wed, 14 Apr 2021 14:00:06 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Remote exploitation of a man-in-the-disk vulnerability in WhatsApp
  (CVE-2021-24027)

CENSUS has been investigating for some time now the exploitation potential
of Man-in-the-Disk (MitD) [01] vulnerabilities in Android. Recently, CENSUS
identified two such vulnerabilities in the popular WhatsApp messenger app for
Android [34]. The first of these was possibly independently reported to
Facebook and was found to be patched in recent versions, while the second one
was communicated by CENSUS to Facebook and was tracked as CVE-2021-24027
[33]. As both vulnerabilities have now been patched, we would like to share
our discoveries regarding the exploitation potential of such vulnerabilities
with the rest of the community.

In this article we will have a look at how a simple phishing attack through
an Android messaging application could result in the direct leakage of data
found in External Storage (/sdcard). Then we will show how the two
aforementioned WhatsApp vulnerabilities would have made it possible for
attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS
1.2 sessions. With the TLS secrets at hand, we will demonstrate how a
man-in-the-middle (MitM) attack can lead to the compromise of WhatsApp
communications, to remote code execution on the victim device and to the
extraction of Noise [05] protocol keys used for end-to-end encryption in user
communications.

Android 10 introduced the scoped storage feature [13], as a proactive defense
against these types of attacks. With scoped storage, apps get by default
access only to their own content on External Storage. Apps bearing a certain
permission [36] can also access content shared by other applications.
Finally, full access to External Storage is only granted to special purpose
apps (e.g. file managers) that have been audited by Google. Android 11 is the
first version to fully enforce the scoped storage rules on all apps, while
Android 10 included a permissive mode of operation to provide developers with
the needed time to transition to the new file access scheme.

The techniques presented in this article apply to mobile devices running
Android versions up to and including Android 9. It is possible to perform
similar attacks using file-based access in Android 10, but we have not
included these for reasons of brevity. Even without Android 10 in the
picture, the number of affected devices remains quite large. Appbrain
statistics [35] hint that devices running Android up to and including
version 9 may very well constitute a 60% of all devices running Android
today. [...]

https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/

------------------------------

Date: Wed, 14 Apr 2021 14:22:31 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: ``How can a democracy function if we can't talk to one another?''
  U.S. justices ask (Reuters)

Two U.S. Supreme Court justices from opposite ends of the ideological
spectrum are calling on Americans to learn to talk civilly to each other or
risk lasting damage to the nation's democratic system.

Speaking in a pre-recorded discussion released on Wednesday, liberal Justice
Sonia Sotomayor and conservative Justice Neil Gorsuch both bemoaned the
current state of public discourse, which they said was abetted by the spread
of disinformation on social media.

The United States in the past year has endured a contentious presidential
campaign, former President Donald Trump's false claims of a stolen election,
an attack on the U.S. Capitol by a pro-Trump mob and police incidents that
triggered protests against racial injustice.

``We have a ... very heated debate going on.
And that's not necessarily a bad thing, but it can turn into an awful thing,
into something that destroys the fabric of our community, if we don't learn
to talk to each other,'' Sotomayor said. [...]

https://www.reuters.com/article/us-usa-court-justices-idUSKBN2C12VN

------------------------------

Date: Mon, 12 Apr 2021 18:05:11 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Texas Man Charged With Planning To Blow Up Ashburn Data Center
  (Arlington VA Patch)

Federal prosecutors have charged Seth Aaron Pendley of Wichita Falls, Texas,
with trying to blow up an Amazon data center in Ashburn. [...]

Last Thursday, Pendley again met with the undercover FBI agent to pick up
what he believed to be explosive devices. However, the agent gave Pendley
inert devices. After the agent showed Pendley how to arm and detonate the
devices, the defendant loaded them into his car, according to the complaint.
Pendley was then arrested by FBI agents who monitored the delivery of the
inert devices.

https://patch.com/virginia/arlington-va/texas-man-charged-planning-blow-ashburn-data-center

Brilliant, give street name and show picture! Fortunately, this one's a
moron -- but why paint a bull's eye for someone else?

------------------------------

Date: Thu, 15 Apr 2021 13:04:33 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: NYPD's Robot Dog Returns to Work, Touching Off a Backlash (NYTimes)

Deployed at a public housing building, the device drew condemnation as a
stark example of police power and misplaced priorities.

A group of police officers marched out of a public housing building in
Manhattan on Monday with a man who they said had a gun and had been hiding in
an apartment with a woman and her baby.

But it was what came out of the building next that really grabbed attention
while feeding into a far-reaching debate about policing in New York: a
70-pound robotic dog outfitted with lights, cameras and artificial
intelligence.

The four-legged device had only gone into and out of the building's lobby
without playing an active role in the operation, the police said. Still, its
mere presence at a public housing building ignited a fierce backlash, with
many people condemning it as a stark example of police power and misplaced
priorities even as calls to address both roil the United States.

“You can't give me a living wage, you can't raise a minimum wage, you can't
give me affordable housing; I'm working hard and I can't get paid leave, I
can't get affordable child care,” Representative Jamaal Bowman, a first-term
Democrat who represents parts of the Bronx and Westchester County, said in a
video posted on Twitter. “Instead we got money, taxpayer money, going to
robot dogs?” [...]

After the New York police deployed their dog during a hostage situation in
the Bronx in February, Representative Alexandria Ocasio-Cortez, a Democrat
who represents parts of the borough and Queens, likened the Digidog on
Twitter to a `robotic surveillance ground' drone. [...]

In response to questions about the robotic dog, the Police Department on
Wednesday referred to a February tweet that said New York officers had been
using robots for 50 years in hostage situations and hazardous material
settings where humans could be in danger. [...]

“We're powerless,” she said. “We're like the scapegoats in society. To
further read that they are trying it out and testing it out on us --
everything that happens bad in our community happens here first.”

https://www.nytimes.com/2021/04/14/nyregion/robot-dog-nypd.html?referringSourcerticleShare

Where to start, looking at this nonsense, much of it from people who should
know better. Cops use robot dog to avoid putting people in danger, people are
hysterical.
------------------------------

Date: Wed, 7 Apr 2021 14:25:57 +0900
From: David Farber <farber () keio jp>
Subject: The Perils of Overhyping Artificial Intelligence: For AI to Succeed,
  It First Must Be Able to Fail

https://www.foreignaffairs.com/articles/united-states/2021-04-06/perils-overhyping-artificial-intelligence

------------------------------

Date: Sat, 10 Apr 2021 10:22:29 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Microchip security continues to confound Pentagon (Techxplore)

https://techxplore.com/news/2021-04-microchip-confound-pentagon.html

"The Pentagon is trying to find out how industry does it. The department is
writing into the contracts it signs with chip designers and foundries a
requirement to provide access to corporate data on assessing chip
reliability, according to Brett Hamilton, deputy principal director of the
Pentagon's microelectronics office, which is part of the office of the
undersecretary for research and engineering."

Enhanced corporate transparency -- disclosure of microelectronic design,
test, manufacturing data (test plans, results, design reviews, internal
discussions) can reveal issues affecting intellectual property
design/publication viability and/or manufactured product reliability.

Over-the-shoulder inspection of commercial operations assumes the looker
possesses the subject matter to intelligently assess the content for
engineering merit and risk. When an unaddressed issue materializes in a
supplier's product (e.g., a design defect), what action should the product
designer or manufacturer, or customer, undertake to mitigate it? Who should
pay for the mitigation?

Risk: Risk of risks

------------------------------

Date: Fri, 9 Apr 2021 14:41:24 -0400 (EDT)
From: Eli the Bearded <*@eli.users.panix.com>
Subject: 'Miss'taken assumptions lead to plane incident (The Guardian)

https://www.theguardian.com/world/2021/apr/09/tui-plane-serious-incident-every-miss-on-board-child-weight-birmingham-majorca

  An update to the airline's reservation system while its planes were
  grounded due to the coronavirus pandemic led to 38 passengers on the flight
  being allocated a child's "standard weight" of 35kg as opposed to the adult
  figure of 69kg.

  This caused the load sheet -- produced for the captain to calculate what
  inputs are needed for take-off -- to state that the Boeing 737 was more
  than 1,200kg lighter than it actually was.

  Investigators described the glitch as "a simple flaw" in an IT system. It
  was programmed in an unnamed foreign country where the title "Miss" is used
  for a child and "Ms" for an adult female.

The fix is apparently somewhat flawed:

  The operator subsequently introduced manual checks to ensure adult females
  were referred to as `Ms' on relevant documentation.

Risk is bad heuristics instead of asking for needed information ("adult or
child?") from the customers.

  [Also noted by Rory Crispin, Kees Huyser, Paul Cornish, Wendy Grossman, and
  Tom Van Vleck. In addition, Lars-Henrik Eriksson noted:
    Cultural differences cause incorrect flight load calculation
    https://www.theregister.com/2021/04/08/tui_software_mistake/
  David Lamkin noted:
    Perils of internationalisation: incorrect airline load sheet
    https://www.gov.uk/aaib-reports/aaib-investigation-to-boeing-737-8k5-g-tawg-21-july-2020
  PGN]

------------------------------

Date: Sun, 4 Apr 2021 22:07:01 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: The UK Is Trying to Stop Facebook's End-to-End Encryption (WiReD)

The government's latest attack is aimed at discouraging the company from
following through with its planned rollout across platforms.
https://www.wired.com/story/uk-trying-to-stop-facebook-end-to-end-encryption/

------------------------------

Date: Thu, 15 Apr 2021 18:00:33 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Coinbase Makes Its Debut -- and Bitcoin Arrives on Wall Street (WiReD)

All of this means that Coinbase's listing is a little like bitcoin's stock
market debut, too. Which is weird, when you think about where bitcoin
started. In his 2019 book, Narrative Economics, the Nobel Prize-winning
economist Robert Shiller describes the rise of bitcoin as a feat of
storytelling. There was the benefit of being the first, he writes, and in the
technology's unique independence from authority, which the story held made it
a hedge against government collapse and inflation.

Others, including Bloomberg's Joe Weisenthal, have gone so far as to call
bitcoin a “faith-based” asset. Faith as in religion. It started with its
pseudonymous prophet, Satoshi Nakamoto, who compiled the code and vanished.
It has code words, a sacred white paper, a ritualistic schedule for `halving'
the creations of new blocks on the chain. Yes, all assets require faith. But
faith in the dollar is not faith in a physical paper or a coin, it's in the
US government. With bitcoin, the faith is in the thing itself, the network
that generates the coins and keeps them secure.

The conviction of bitcoin's adherents is important, given the lack of earthly
evidence for its value. Bitcoin is scarce, sure, because the code ensures
only 21 million bitcoins will ever be created. But that doesn't make it an
investible asset on its own. There are limited use cases. Bitcoin can't be
spent efficiently, much as people are trying to make that happen. The network
in which people place their faith is still somewhat immature, leading to
fears that the bitcoin market could be subject to manipulation. The masses
have not been resoundingly faithful to this movement.

The mathematical epidemiologist Adam Kucharski, known for his work explaining
the transmission of diseases like Covid-19, writes about bitcoin as a form of
contagion spread through word of mouth and media mentions. But in network
terms, the series of booms and busts reveals a *disconnected* contagion -- an
epidemic that flares up but doesn't spread too far. During a frenzy lots of
people jump in, and the value rises, for a while, but the overall impact is
limited. Recent surveys suggest that fewer than 10 percent of Americans have
dabbled in cryptocurrency. About half of those people said they have regrets.

https://www.wired.com/story/coinbase-debut-bitcoin-arrives-wall-street/

------------------------------

Date: Tue, 13 Apr 2021 14:42:35 -0700
From: Rob Slade <rslade () gmail com>
Subject: My email account needs blockchain maintenance?

OK, this is a weird one. I've got what is obviously some type of phishing
spam, which reports that my email account needs some kind of blockchain
maintenance in order to improve user experience and reduce the rate of spam.
(Nice touch.)

Yeah. I'll get on that right away.

BLOCKCHAIN IS NOT THE ANSWER!!!

------------------------------

Date: Mon, 5 Apr 2021 21:03:39 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Scientists studying solar try solving a dusty problem (techxplore.com)

https://techxplore.com/news/2021-04-scientists-solar-dusty-problem.html

"Solar's getting deployed, but we're losing energy because solar's getting
deployed in dusty locations.

"The energy lost annually from soiling amounts to as much as 7% in parts of
the United States to as high as 50% in the Middle East."

Where's Rosie, the Jetsons' robot maid, when you need her (it)? The Middle
East, during the heat of the day, is dangerous for human health: sunstroke,
dehydration, etc.

The article mentions a patent that can indicate when to deploy cleanup, which
costs ~US$ 5K for a 10MW photovoltaic installation that powers ~2K homes.
Sol's photons might be free, but to catch and convert into power is costly.

Risk: Housekeeping operation expense from dust accumulating on photovoltaic
packages (reduced photon to electron conversion efficiency).

------------------------------

Date: Tue, 6 Apr 2021 19:25:11 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Plan to install green energy storage on Williamsburg roof raises
  tenants' ire (Bklyner)

A proposal to install energy infrastructure on a Williamsburg roof to ease
the load on north Brooklyn's power grid faces angry opposition from tenants
who say they're being left in the dark.

https://bklyner.com/plan-to-install-green-energy-storage-on-williamsburg-roof-raises-tenants-ire/

Risks? Power infrastructure, NIMBY, landlords.

------------------------------

Date: Wed, 7 Apr 2021 20:38:35 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Understanding fruit fly behavior may be next step toward autonomous
  vehicles (techxplore.com)

https://techxplore.com/news/2021-04-fruit-behavior-autonomous-vehicles.html

"With over 70% of respondents to a AAA annual survey on autonomous driving
reporting they would fear being in a fully self-driving car, makers like
Tesla may be back to the drawing board before rolling out fully autonomous
self-driving systems. But new research from Northwestern University shows us
we may be better off putting fruit flies behind the wheel instead of robots."

The essay discusses Drosophila's ability to learn how to navigate an
environment (using heat obstacles), and applies the mechanism to simulate a
DV's learning ability. The simulation incorporated a genetic algorithm to
optimize evolution. It concludes:

"This simulation demonstrated that 'hard-wired' vehicles eventually evolved
to perform nearly as well as flies. But while real flies continued to improve
performance over time and learn to adopt better strategies to become more
efficient, the vehicles remain 'dumb' and inflexible."

https://en.wikipedia.org/wiki/List_of_animals_by_number_of_neurons tabulates
animal neuron and synapse counts, proxies for learning and intelligence
capabilities. Drosophila have ~250K neurons/10M synapses. Homo sapiens have
~9.0*10^10 neurons/10^14 synapses. Order 10^5 neuron/synapse count
difference.

A very large neural network simulation applies ~2.5M neurons: "The four
biggest challenges in brain simulation," from 24JUL2019 retrieved from
https://www.nature.com/articles/d41586-019-02209-z on 07APR2014.

Somewhere in the fly and homo sapien neuroanatomies, there's learning and
intelligence capabilities that enable survival, despite individual mistakes.
No telling what size neural network, or how many, are deployed by a
commercial DVonics (driverless vehicle-onics) platforms. Clearly,
environmental stimulus (obstacles and other conditions) provides valuable
input to adjust behavior that minimizes harmful outcome.

Risk: Neural network evolution and representation limits of complex human
behaviors (aka common sense and contextual awareness).

Potential news headline: Bug brain beats Buick bot at Daytona 500

------------------------------

Date: Wed, 7 Apr 2021 11:57:32 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Self-driving vehicles

https://www.caranddriver.com/news/a35844915/ntsb-letter-nhtsa-self-driving-vehicles/

"NHTSA's general and voluntary guidance of emerging and evolutionary
technological advancements shows a willingness to let manufacturers and
operational entities define safety. We urge NHTSA to lead with detailed
guidance and specific standards and requirements," the letter states.

DV industry self-regulation is a good idea, but organizational overreach
introduces significant public health and safety risks that can render
spectacular failures (e.g. Boeing 737-MAX). Public embrace of DV fleets
summoned from handheld hailing apps will not materialize without widespread
consumer trust.

Brands earn trust from marketplace performance history (Alka Seltzer,
anyone?), often a decades-long endeavor consisting of public trial and error,
and sometimes spectacular failures that sadly teach and refine regulations
affecting product design, engineering and manufacturing. These incidents
comprise the technological equivalent of Niles Eldredge and Stephen J.
Gould's punctuated evolution.

"One of the NTSB's concerns is the testing of potential autonomous-driving
technology on public roads without any sort of standard methodology for NHTSA
to track vehicle data. In June 2020, the Department of Transportation (DOT)
announced a voluntary Automated Vehicle Transparency and Engagement for Safe
Testing (AV TEST) initiative. But without making it compulsory, there's no
penalty for failing to report an issue with a test vehicle."

DV software stacks are apparently opaque about decision logic that affects
movement, steering, etc. NHTSA would need to see these logs for post-mortem
accident triage. And so would a trial by jury.

Imposing and enforcing mandatory regulations on DV industry products will
establish governance accountability that partially balances profit pursuit
and public safety trust. Regulatory enforcement will slow DV innovation --
the playground will close up -- as a trade that enables deployment of stable,
though quirky (non-deterministic), DV fleets.

DV technology's safety promise, and public trust, remains to be earned by
showing a significant reduction in traffic accidents, injuries, and
fatalities. Few elected officials possess the bravado, and enlightened
wisdom, to approve local deployments that place their electorates in harm's
way. Potentially unrecoverable losses: brand outrage and human casualties
represent the DV industry's Darwinian survival challenge.
(The latest reporting about Waymo's Phoenix deployment can be found here: "Angry Residents, Abrupt Stops: Waymo Vehicles Are Still Causing Problems in Arizona," 31MAR2021 https://www.phoenixnewtimes.com/news/waymo-arizona-abrupt-stops-angry-residents-are-still-a-problem-11541896)

------------------------------

Date: Wed, 7 Apr 2021 20:49:49 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Supreme Court & Facebook Unwanted Automated Texts (Consumer Reports)

The court ruling could open door for a flood of unwanted robocalls and texts on consumers' cell phones

The Supreme Court on Thursday unanimously ruled (PDF) in favor of Facebook in a dispute over whether unwanted text notifications sent by the social media giant violated a 30-year-old federal law designed to protect consumers from abusive telemarketing practices. ...

George Slover, senior policy counsel at Consumer Reports, which joined in an amicus brief in the case, says that in winning the case, Facebook has “succeeded in punching a huge loophole in the law's core protection.”

https://www.consumerreports.org/robocalls/supreme-court-sides-with-facebook-over-unwanted-automated-texts/

------------------------------

Date: Wed, 07 Apr 2021 11:40:20 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Foreign intel services could abuse ad networks for spying

When a *bipartisan* group of lawmakers suddenly develops a respect for privacy, I suddenly become suspicious. I can only assume that there was an 'Oh Sh*t' moment(*) that occurred during a classified briefing.

The last time I can recall such a *bipartisan* interest in privacy was the hastily passed "Video Privacy Protection Act (1988)", when a Supreme Court nominee's video rental preferences became public.

(*) A technical term describing temporary loss of bowel control in a SCIF as a result of receiving disquieting information.
https://www.vice.com/en/article/88aw73/congress-foreign-intelligence-agencies-bidstream-real-time-bidding

Congress Says Foreign Intel Services Could Abuse Ad Networks for Spying
A group of bipartisan lawmakers asked Google, Twitter, and others about the transfer of bidstream data to foreign entities.
by Joseph Cox, April 6, 2021, 1:00pm

A group of bipartisan lawmakers, including the chairman of the intelligence committee, have asked ad networks such as Google and Twitter what foreign companies they provide user data to, over concerns that foreign intelligence agencies could be leveraging them to harvest sensitive information on U.S. users, including their location.

"This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns," a letter signed by Senators Ron Wyden, Mark Warner, Kirsten Gillibrand, Sherrod Brown, Elizabeth Warren, and Bill Cassidy, reads.

The lawmakers sent the letter last week to AT&T, Verizon, Google, Twitter, and a number of other companies that maintain advertisement platforms.

The concerns center around the process of so-called real-time bidding, and the flow of "bidstream" data. Before an advertisement is displayed inside of an app or a browsing session, different companies bid to get their ad into that slot. As part of that process, participating companies obtain sensitive data on the user, even if they don't win the ad placement.

"Few Americans realize that some auction participants are siphoning off and storing 'bidstream' data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments," the letter continued.

Venntel, a government contractor that sells location data to Immigration and Customs Enforcement (ICE) and other law enforcement agencies obtains bidstream data, Motherboard previously reported.
Israeli surveillance companies Rayzone and Bsightful also source this sort of data, Forbes reported.

"This is a deeply problematic practice when Western governments are abusing the data flows, and it becomes a national security emergency when these same global advertising companies are not vetting their own partners," Zach Edwards, a researcher who has closely followed the supply chain of various sources of data, told Motherboard in an online chat.

"It's long overdue for Congress to begin asking the largest tech companies in the world tough questions about their real-time-data-breach technology that underpins global advertising auctions and user data supply chains," Edwards continued. "Every time a person loads a website or a mobile app, it's likely that their data is being shared with at least dozens of companies, and when that user is interacting with an app or site with banner ads, typically several thousand companies could be receiving data about that visit in order to give those companies 'the opportunity to bid to show ads to that user.'"

The letter asked the ad companies to name the foreign-headquartered or foreign-majority owned firms that they have provided bidstream data from users in the U.S. to in the past three years. The other companies the lawmakers sent the letter to were Index Exchange, Magnite, OpenX, and PubMatic.

Mark Tallman, assistant professor at the Department of Emergency Management and Homeland Security at the Massachusetts Maritime Academy, told Motherboard in an email that "It's difficult to imagine any policy solution or technical sorcery that can fully 'secure' consumers' private data such that applications and platforms can collect it, and the publishing and advertising industries can access it, while guaranteeing that cybercriminals and foreign intelligence agencies will never get it.
Our adversaries already know that they can buy (or steal) data from our marketplace that they could only dream of collecting on such a broad swath of Americans twenty years ago."

In March lawyers filed a class action suit against Google for what they described as selling users' data as part of the real-time bidding process.

------------------------------

Date: Thu, 8 Apr 2021 12:06:21 +0000
From: danny burstein <dannyb () panix com>
Subject: NJ town: Our IT vendor ate our e-mails (North Jersey)

https://www.northjersey.com/story/news/bergen/englewood-cliffs/2021/04/07/englewood-cliffs-nj-sues-intrep-solutions-over-lost-emails/7111650002/

------------------------------

Date: Tue, 6 Apr 2021 10:57:10 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Loot boxes in video games deemed close enough to gambling to warrant regulation (medicalxpress.com)

https://medicalxpress.com/news/2021-04-loot-video-games-deemed-gambling.html

"One of the biggest concerns about loot boxes is that they are very often used by children. The researchers suggest that not only do children sometimes spend amounts of money their parents were not expecting, but some show early signs of gambling addiction."

Risk: Adolescent gambling addiction

Similar to nicotine in cigarettes: once the dopamine starts flowing, it is difficult to stop consumption.

https://en.wikipedia.org/wiki/Problem_gambling#Prevalence (retrieved on 06APR2021) indicates ~0.6 to ~2.5% of population are either problem or pathological gamblers. In the US, that's ~10M people with a gambling problem.

Regulating Internet games for content seems problematic. Product terms of service often include age access restrictions, but enforcement mechanisms (corporate fines, CxO indictment, personal account lockout or exclusions) are challenging to uniformly apply.
------------------------------

Date: Wed, 7 Apr 2021 12:01:21 -0700
From: Rob Slade <rslade () gmail com>
Subject: "Work From Home" being blamed for security risks

A report from Verizon says that WFH policies are harming information security. However, there doesn't seem to be any evidence of anything harmful happening, and I strongly suspect that the report is yet another opinion survey.

https://lite.cnn.com/en/article/h_b2745246f3d05396ac778da686852fff

If there *is* any increase in security threats, I'm sure the real culprits are:

- a huge surge in spam, fraud, and phishing emails. This has been going on ever since the pandemic started, and it's gotten worse in the past couple of months.

- a lack of "work from home" policies on the part of businesses, and no real thought about the risks involved in simply sending people home and telling them to carry on as usual (in a highly unusual situation).

- no provision or budget for the computers, devices, and security software that might be needed to provide extra protection in WFH situations.

------------------------------

Date: Mon, 5 Apr 2021 16:53:32 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: He Built a $10 Billion Investment Firm. It Fell Apart in Days. (NYTimes)

https://www.nytimes.com/2021/04/03/business/bill-hwang-archegos.html

Leverage and inexplicable derivatives, what could go wrong?

------------------------------

Date: Thu, 8 Apr 2021 20:50:18 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Marylanders could soon be fined $100 for intentionally releasing balloons (DCist)

The Balloon Council, a national balloon trade group, supports efforts to prevent balloon releases, but argues that balloon release bans are not the answer. “It's really people's behavior that needs to change,” Lorna O'Hara, the council's executive director, told WAMU/DCist last year when the balloon bill was first introduced in the Maryland legislature.
“Balloons are not the culprit.” O'Hara said mass balloon releases are not nearly as common as they were in decades past, and she credits education efforts. She said more education is what's needed now, not a balloon release ban. “It's a slippery slope from a release ban to banning the product altogether.”

Several other states already have some sort of balloon release ban in place, including Virginia, which prohibits the release of more than 50 balloons within one hour, subject to a fine of up to $5 per balloon.

https://dcist.com/story/21/04/08/marylanders-could-soon-be-fined-100-for-intentionally-releasing-balloons/

Don't pick on innocent balloons, says the Balloon Council, who should know. First they'll ban releasing balloons, then they'll register them, then the ultimate goal -- confiscating them.

------------------------------

Date: Wed, 7 Apr 2021 20:45:11 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: She called off her Wedding. The Internet will never forget (WiReD)

In 2019, she made a painful decision. But to the algorithms that drive Facebook, Pinterest, and a million other apps, she's forever getting married.

https://www.wired.com/story/weddings-social-media-apps-photos-memories-miscarriage-problem/

The risk? Too much remembering. Like getting LinkedIn nudges to congratulate dead people on their work anniversaries.

------------------------------

Date: Fri, 9 Apr 2021 11:49:55 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Scientists Create Online Games to Show Risks of AI Emotion Recognition (Nicola Davis)

Nicola Davis, *The Guardian*, 4 Apr 2021 via ACM TechNews 9 Apr 2021

Scientists at the U.K.'s University of Cambridge have created emojify.info, a website where the public can test emotion recognition systems via online games, using their own computer cameras. One game has players make faces to fake emotions in an attempt to fool the systems; another challenges the technology to interpret facial expressions contextually.
Cambridge's Alexa Hagerty cited a lack of public awareness of how widespread the technology is, adding that its potential benefits should be weighed against concerns about accuracy, racial bias, and suitability. Hagerty said although the technology's developers claim these systems can read emotions, in reality they read facial movements and combine them with existing assumptions that these movements embody emotions (as in, a smile means one is happy). The researchers said their goal is to raise awareness of the technology and to encourage dialogue about its use.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2a66dx22a2fcx069908&

------------------------------

Date: Wed, 14 Apr 2021 19:39:17 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: AI Comes to Car Repair, and Body Shop Owners Aren't Happy (WiReD)

During the pandemic, insurers accelerated the use of automated tools to estimate repair costs. Garage operators say the numbers can be wildly inaccurate.

https://www.wired.com/story/ai-car-repair-shop-owners-not-happy/

------------------------------

Date: Mon, 5 Apr 2021 18:52:45 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Foundations of AI Are Riddled With Errors (WiReD)

The labels attached to images used to train machine-vision systems are often wrong. That could mean bad decisions by self-driving cars and medical algorithms.

https://www.wired.com/story/foundations-ai-riddled-errors/

------------------------------

Date: Thu, 15 Apr 2021 17:40:02 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: We tested the first state's vaccine passport: Here's what to expect (WashPost)

New York's Excelsior Pass has some solid privacy protections. But it's complicated to use and easy to fake.

Vaccine passports could leave us exposed to the “worst of both worlds,” says Cahn — a complicated digital system that puts up new barriers to access businesses, while not actually stopping fraudsters.
“Despite its invasiveness, Excelsior Pass won't advance the underlying public health goals it claims to support,” he says.

It isn't clear how wide a problem vaccine passport fraud could become, or how dangerous it would be. Passports could persuade people to let down their guard about masks and other protections. Madison Square Garden, for one, says it wasn't aware of any cases of people trying to enter the venue with an Excelsior Pass that wasn't their own.

“To be clear, Excelsior Pass is a voluntary system that creates a digital copy of a preexisting paper record — it is not a standalone identification document,” said Kristin Devoe, a spokeswoman for Empire State Development, the umbrella organization that created Excelsior Pass.

To fight fraud, New York says venues accepting Excelsior Pass are supposed to check people's photo IDs. But instituting new ID checks at businesses that didn't used to require them creates new social barriers. One senior citizen tester was too old to have a driver's license.

https://www.washingtonpost.com/technology/2021/04/08/vaccine-passport-new-york-excelsior-pass/

------------------------------

Date: Fri, 9 Apr 2021 11:54:03 -0700
From: Rob Slade <rslade () gmail com>
Subject: GoToMeeting/GoToWebinar

OK, I've presented on Zoom, and Teams, and Meet, and some others during this crisis. And, tomorrow, I'm doing yet another pres, and they are using GoToWebinar (I think. One of the two.) So I asked for a test run.

First off, unlike Zoom and Teams (and unnecessary on Meet) the GoToMeeting link didn't automatically download the app. (A "button," on the weirdly formatted reminder the system sent, did, so there is obviously some additional stuff in there besides the meeting link.) When I *did* get the app installed on the laptop, I got on to the test meeting, but obviously nobody could hear me.
Through a variety of testing, involving switching my (one) microphone back and forth between computers, and a phone call, I finally figured out that GoToWebinar (at least) doesn't check or even allow for external microphones (even if you try and get Windows to tell it to). (Except that it *would* accept the external microphone on my desktop, which has no built-in microphone.)

I am hypothesizing that this might be in regard to the extremely tight control that GoToWebinar seems to provide, by default, completely cutting off presenters from any form of contact with attendees.

We did, eventually, figure out a kludge, where I could run the slides and set up the microphone on my desktop, and simply use the laptop for the Webcam so people could see me. However, they finally decided nobody needed to see me (which is no great loss).

Isn't videoconferencing fun? (NOT!)

------------------------------

Date: Mon, 5 Apr 2021 20:33:06 -0400
From: José María Mateos <chema () rinzewind org>
Subject: Re: Antiscience Movement Is ... Killing Thousands (RISKS-32.59)

I had just finished reading "The Revolt of the Public and the Crisis of Authority in the New Millennium" by Martin Gurri (https://en.wikipedia.org/wiki/Martin_Gurri); I started reading it after Matt Taibbi brought it to my attention in this article https://taibbi.substack.com/p/interview-with-martin-gurri-a-short.

While I found the book to be worse than I expected (there are a few factual errors I could catch, and it can definitely be way shorter), the thesis is interesting. It can be summarized pretty closely by that quote by Henry or in the author's own words (opening of Chapter 5):

``My story -- I repeat -- concerns the tectonic collision between a public which will not rule and institutions of authority progressively less able to do so.''

The "will not rule" is a very important part of the thesis: the public is protesting (yes, against the elites), but there's no apparent long-term plan.
Echoes of January 6th, in South Park form:

1. Storm the Capitol.
2. ???
3. Victory!

José María (Chema) Mateos || https://rinzewind.org

------------------------------

Date: Mon, 5 Apr 2021 11:52:52 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Antiscience Movement Is ... Killing Thousands (RISKS-32.59)

Henry Baker's reply is a serious analysis, but it seems to be more about anti-economism than antiscience. I think that the original article was about the attitude made popular lately by interest groups, which debases science by using any scientific division or debate (which is the lifeline of science) as an excuse to claim "these so-called "experts" don't know what they're talking about!".

Such attitudes, about any subject related to science -- moon landings, climate change, vaccines, 5G -- are often manifested by declarations like "We don't care that these elitist scientists had spent years studying their fields, relying on data gathered by thousands of people who went to the ends of the Earth to collect it; WE have read an *internet article*!"

------------------------------

Date: Sat, 17 Apr 2021 13:22:58 PDT
From: Peter G Neumann <neumann () csl sri com>
Subject: People Count: Contact-Tracing Apps and Public Health (Susan Landau, MIT Press 2021)

This is a rather short new book that nevertheless manages to nontrivially address diverse privacy-relevant topics including pandemics, the role of contact tracing in ending disease, how the apps work, and the policy issues of efficacy and equity.

<https://mitpress.mit.edu/books/people-count>

Susan Landau <susan.landau () privacyink org>

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
   *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.60
************************