[31621] in RISKS Forum


Risks Digest 30.85

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Thu Oct 4 04:20:56 2018

From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 2 Oct 2018 16:33:09 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Tuesday 2 October 2018  Volume 30 : Issue 85

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.85>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Kim Zetter, The Crisis of Election Security (NYTimes)
Voting Machine Used in Half of U.S. Is Vulnerable to Attack (WSJ)
Facebook hack exposed info on up to 50 million users (Engadget)
Don't go to New Zealand (Henry Baker)
Feds Force Suspect To Unlock Apple iPhone X With Their Face (Forbes)
Facebook wins court battle over law enforcement access to encrypted
  phone calls (WashPost)
A Quebecer spoke out against the Saudis -- then learned he had spyware on
  his iPhone (CBC)
"Easy way to bypass passcode lock screens on iPhones, iPads running iOS 12"
  (ComputerWorld)
Criminal Behavior: How Facebook Steals Your Security Data to Violate Your
  Privacy (Lauren Weinstein)
"Uber to pay $148 million in settlement over 2016 data breach and cover-up"
  (ZDNet)
"Telstra refunds customers AU$9.3m for billing practices" (Corinne Reichert)
"Monero bug could have allowed hackers to steal massive amounts of
  cryptocurrency" (Catalin Cimpanu)
"Wendy's faces lawsuit for unlawfully collecting employee fingerprints"
  (Catalin Cimpanu)
"Man gets two years in prison for sabotaging US Army servers with 'logic
   bomb'" (Catalin Cimpanu)
Coding Error Sends 2019 Subaru Ascents To the Car Crusher (Slashdot)
AI security camera detects guns and identifies shooters (zdnet)
Will LA's Anti-Terrorist Subway Scanners Be Adopted Everywhere
  (Scientific American)
Delta 'Technology Issue' Temporarily Disrupts Travel and Enrages Customers
  (NYTimes)
The scientific method (NPR)
Instagram has a drug problem. Its algorithms make it worse. (WashPost)
Why buy bankrupt corporate servers on craigslist when you can "rent the
  room" containing them? (Kelly Bert Manning)
Road to Zero: A Vision for Achieving Zero Roadway Deaths by 2050 (NSC)
Sometimes still good to have international borders indicated on maps
  (Dan Jacobson)
Tardy responses, security failings led to SingHealth breach (StraitsTimes)
Perspective: A Heart Device Can Save Lives, But Doctors Need To Explain The
  Downsides (NPR.org)
Re: Randomized clinical trial of epinephrine in treatment of cardiac
  arrest (Robert R. Fenichel)
Re: bloat (Dmitri Maziuk)
Re: How do you get people to trust autonomous vehicles? (Richard Stein)
Re: Bay Area city blocks 5G deployments over cancer concerns (Richard Stein)
Report on Artificial Intelligence and Human Rights: Opportunities and Risks
  (Raso et al.)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 2 Oct 2018 11:12:50 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Kim Zetter, The Crisis of Election Security (NYTimes)

Kim Zetter wrote an absolutely wonderful long article, with a very clever
cover page in *The New York Times* Sunday Magazine section.  For those of
you who actually read the print edition, the very fine-print footnote to the
title on the cover of the Magazine section tells it all, beautifully.  For
those of you who read The Times online, you will miss out on the cover --
and have to read the entire article.

  As the midterms approach, America's electronic voting systems are more
  vulnerable than ever. Why isn't anyone trying to fix them?

https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html

------------------------------

Date: Fri, 28 Sep 2018 12:49:04 -0400
From: ACM TechNews <technews-editor@acm.org>
Subject: Voting Machine Used in Half of U.S. Is Vulnerable to Attack (WSJ)

Robert McMillan and Dustin Volz, *The Wall Street Journal*, 27 Sep 2018
via ACM TechNews, Friday, September 28, 2018

Election machines used in more than half of U.S. states contain a decade-old
flaw that makes them vulnerable to a cyberattack, according to a report
based on research conducted last month at the Def Con hacker conference,
which was released Thursday. The vulnerability was found in the Model 650
high-speed ballot-counting machine from Election Systems & Software (ES&S),
and is one of about seven security issues identified in several models of
voting equipment described in the report. The Model 650 machine does not
have the advanced security features of more-modern systems, but ES&S says
its security is "strong enough to make it extraordinarily difficult to hack
in a real-world environment." Many of the flaws cited in the report can be
exploited only through physical access to the machines, but hackers could
exploit others via remote access. The company has said it considers
cybersecurity a top priority, and has never experienced a breach.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1ca89x217941x072467&

------------------------------

Date: Fri, 28 Sep 2018 14:11:29 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Facebook hack exposed info on up to 50 million users (Engadget)

  [Security and Privacy Code Review FAIL]
https://www.engadget.com/2018/09/28/facebook-hack-exposed-info-on-up-to-50-million-users/

  Facebook announced on Friday that it has suffered a data breach affecting
  up to 50 million users. According to a report from the New York Times,
  Facebook discovered the attack on Tuesday and has contacted the FBI. The
  exploit reportedly enables attackers to take over control of accounts so,
  as a precaution, the social network has automatically logged out more than
  90 million potentially compromised accounts.  "This is a really serious
  security issue and we're taking it really seriously," Facebook's Mark
  Zuckerberg told reporters during a Friday media call.

   [Gene Wirchenko noted "Facebook discloses network breach affecting 50
   million user accounts", by Natalie Gagliordi
https://www.zdnet.com/article/facebook-discloses-network-breach-affecting-50-million-user-accounts/
   PGN]

------------------------------

Date: Tue, 02 Oct 2018 12:14:51 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Don't go to New Zealand

  "Travelers refusing digital search now face $5000 Customs fine" [*]

I can't imagine what NZ will do to travelers with implanted digital devices,
including medical devices.

Of course, as a member of the "Five Eyes", NZ will also share all of your
digital info with the other Four.

Probably best to leave NZ to the New Zealanders, and enjoy NZ movies and
their excellent wine w/o having to be strip-searched there.

Two L with NZ, I say!

  [* Speaking of TWO L, I generally change "traveller" to "traveler".  My
  rule is that there should be a difference between accented double
  letters and unaccented double letters.  TRAvelers is not traVELLers.  PGN]

https://www.msn.com/en-nz/news/national/travellers-refusing-digital-search-now-face-dollar5000-customs-fine/ar-BBNLCFW

Travelers who refuse to hand over their phone or laptop passwords to Customs
officials can now be slapped with a $5000 fine.  The Customs and Excise Act
2018 -- which comes into effect today -- sets guidelines around how Customs
can carry out "digital strip-searches".

Previously, Customs could stop anyone at the border and demand to see their
electronic devices. However, the law did not specify that people had to also
provide a password.  The updated law makes clear that travelers must provide
access -- whether that be a password, pin-code or fingerprint -- but
officials would need to have a reasonable suspicion of wrongdoing.
"It is a file-by-file [search] on your phone. We're not going into 'the
cloud'. We'll examine your phone while it's on flight mode," Customs
spokesperson Terry Brown said.

If people refused to comply, they could be fined up to $5000 and their
device would be seized and forensically searched.  Mr Brown said the law
struck the "delicate balance" between a person's right to privacy and
Customs' law enforcement responsibilities.  "I personally have an e-device
and it maintains all my records -- banking data, et cetera, et cetera -- so
we understand the importance and significance of it."

Council for Civil Liberties spokesperson Thomas Beagle said the law was an
unjustified invasion of privacy.  "Nowadays we've got everything on our
phones; we've got all our personal life, all our doctors' records, our
emails, absolutely everything on it, and customs can take that and keep it."
The new requirement for reasonable suspicion did not rein in the law at all,
Mr Beagle said.  "They don't have to tell you what the cause of that
suspicion is, there's no way to challenge it."

Customs Minister Kris Faafoi said the power to search electronic devices was
necessary.  "A lot of the organised crime groups are becoming a lot more
sophisticated in the ways they're trying to get things across the border.
"And if we do think they're up to that kind of business, then getting
intelligence from smartphones and computers can be useful for a
prosecution."

But Mr Beagle said "serious criminals" would simply store incriminating
material online.  "You'd be mad to carry stuff over on your phone."

Privacy Commissioner John Edwards had some influence over the drafting of
the legislation and said he was "pretty comfortable" with where the law
stood.

"There's a good balance between ensuring that our borders are protected
... and [that people] are not subject to unreasonable search of their
devices."  "You know when you come into the country that you can be asked to
open your suitcase and that a Customs officer can look at everything in
there."

Border officials searched roughly 540 electronic devices at New Zealand
airports in 2017.

Customs will be required to keep Parliament updated on the number of devices
searched every year. The agency said it did not expect the number to
increase.

------------------------------

Date: Tue, 2 Oct 2018 00:38:49 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Feds Force Suspect To Unlock Apple iPhone X With Their Face (Forbes)

https://www.forbes.com/sites/thomasbrewster/2018/09/30/feds-force-suspect-to-unlock-apple-iphone-x-with-their-face/#4dbbfaaa1259

------------------------------

Date: Sat, 29 Sep 2018 13:42:48 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Facebook wins court battle over law enforcement access to encrypted
  phone calls (WashPost)

The ruling is a setback to the Justice Department and a victory for tech firms.

https://www.washingtonpost.com/world/national-security/facebook-wins-court-battle-over-law-enforcement-access-to-encrypted-phone-calls/2018/09/28/df438a6a-c33a-11e8-b338-a3289f6cb742_story.html

------------------------------

Date: Mon, 1 Oct 2018 20:18:13 -0400
From: José María Mateos <chema@rinzewind.org>
Subject: A Quebecer spoke out against the Saudis -- then learned he had
  spyware on his iPhone (CBC)

https://www.cbc.ca/news/technology/omar-abdulaziz-spyware-saudi-arabia-nso-citizen-lab-quebec-1.4845179

It started with a tub of protein powder. Omar Abdulaziz ordered one on
Amazon in late June and was waiting for it to arrive at his Sherbrooke,
Que., apartment. Abdulaziz didn't think much of it when he received a text
message later that day from DHL with a link to a tracking number, stating
his package was on its way.

In what has become a scarily effective hacking technique, the text message
-- and the link it contained -- was not what it claimed to be.  Abdulaziz
believes he clicked the link, which would have let spyware burrow its way
into his iPhone. There, it could copy his contacts and messages and even
eavesdrop on calls. Its operators would have total control.

But unlike the phishing attacks that ultimately helped Russian operatives
disrupt the 2016 U.S. presidential election, the attack on Abdulaziz's phone
was deeply personal.

In a new report, researchers at the University of Toronto's Citizen Lab say
that it was very likely conducted by the government of Abdulaziz's home
country, Saudi Arabia.

------------------------------

Date: Mon, 24 Sep 2018 15:15:51 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Easy way to bypass passcode lock screens on iPhones, iPads
  running iOS 12" (ComputerWorld)

Darlene Storm and Michelle Davidson, Computerworld | Sep 18, 2018
Easy way to bypass passcode lock screens on iPhones, iPads running iOS 12
The vulnerability allowing anyone to bypass the passcode lock screen
still exists in iOS 12 running on iPhones and iPads that have Touch ID.
Security Is Sexy
https://www.computerworld.com/article/3041302/security/4-new-ways-to-bypass-passcode-lock-screen-on-iphones-ipads-running-ios-9.html

  [Monty Solomon found this as well.
https://www.macrumors.com/2018/09/29/iphone-passcode-bypass-contacts-photos/
  PGN]

------------------------------

Date: Sun, 30 Sep 2018 09:55:14 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Criminal Behavior: How Facebook Steals Your Security Data to
  Violate Your Privacy

https://lauren.vortex.com/2018/09/30/criminal-behavior-how-facebook-steals-your-security-data-to-violate-your-privacy

One of the most fundamental and crucial aspects of proper privacy
implementations is the basic concept of "data compartmentalization" --
essentially, assuring that data collected for a specific purpose is only
used for that purpose.

Reports indicate that Facebook is violating this concept in a way that is
directly detrimental to both the privacy and security of its users.  I'd
consider it criminal behavior in an ethical sense. If it isn't already
actually criminal under the laws of various countries, it should be.

There's been much discussion over the last few days about reports (confirmed
by Facebook, as far as I can determine) that Facebook routinely abuses their
users' contact information, including phone numbers provided by users, to ad
target other users who may never have provided those numbers in the first
place. In other words, if a friend of yours has your number in his contacts
and lets Facebook access it, Facebook considers your number fair game for
targeting, even though you never provided it to them or gave them permission
to use it. And you have no way to tell Facebook to stop this behavior,
because your number is in someone else's contacts address book that was
shared and is under their control, not yours.

This abuse by Facebook of "shadow contacts" is bad enough, but is actually
not my main concern for this post today, because Facebook is also doing
something far worse with your phone numbers.

By now you've probably gotten a bit bored of my frequent posts strongly
urging that you enable 2sv (two-step verification, 2-factor verification)
protections on your accounts whenever this capability is offered. It's
crucial to do this on all accounts where you can. Just a few days ago, I was
contacted by someone who had failed to do this on a secondary account that
they rarely used. That account has now been hijacked, and he's concerned
that someone could be conducting scams using that account -- still in his
name -- as a home base for frauds.

It's always been a hard sell to get most users to enable 2sv. Most people
just don't believe that they will be hacked -- until they are and it's too
late (please see: "How to 'Bribe' Our Way to Better Account Security" -

https://lauren.vortex.com/2018/02/11/how-to-bribe-our-way-to-better-account-security

While among the various choices that can be offered for 2sv
(phone-based, authenticator apps, U2F security keys, etc.) the
phone-based systems offer the least security, 2sv via phone-based text
messaging still greatly predominates among users with 2sv enabled,
because virtually everyone has a mobile phone that is text messaging
capable.

But many persons have been reluctant to provide their mobile numbers
for 2sv security, because they fear that those numbers will be sold to
advertisers or used for some other purpose than 2sv.

In the case of Google, such fears are groundless. Google doesn't sell
user data to anyone, and the phone numbers that you provide to them
for 2sv or account recovery purposes are only used for those
designated purposes.

But Facebook has admitted that they are taking a different, quite
horrible approach. When you provide a phone number for 2sv, they feel
free to use it as an advertising targeting vector that feeds into
their "shadow contact" system that I described above.

This is, as I suggested, so close to being criminal as to be
indistinguishable from actual criminality.

When you provide a phone number for 2sv account security to Facebook,
you should have every expectation that this is the ONLY purpose for
which that phone number will be used!

By violating the basic data compartmentalization concept, Facebook
actually encourages poor security practices, by discouraging the use
of 2sv by users who don't want to provide their phone numbers for
commercial exploitation by Facebook!

Facebook will say that they now have other ways to provide 2sv, so you
can use 2sv without providing a phone number.

But they also know damned well that most people do use mobile phones
for 2sv. There are very large numbers of people who don't even have
smartphones, just simple mobile phones with text messaging functions.
They can't run authenticator apps. Security keys are only now
beginning to make slow inroads among user populations.

So Facebook -- in sharp contrast to far more ethical companies like
Google who don't treat their users like sheep to be fleeced -- is
offering vast numbers of Facebook users a horrible Hobson's choice --
let us exploit your phone number for ad targeting, or suffer with poor
security and risk your Facebook account being hijacked.

This situation, piled on top of all the other self-made disasters now
facing Facebook, help to explain why I don't have a Facebook account.

I realize that Facebook is a tough addiction to escape. "All my
friends and family are on there!" is the usual excuse.

But if you really care about them -- not to mention yourself -- you
might consider giving Facebook the boot for good and all.
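The purpose-binding Lauren argues for above, as an added example that is not part of the post and not taken from any Facebook system: a small Python store that records, per data subject, the purposes consented to at collection time and refuses (and logs) a read for any other purpose, including for a number that arrived through someone else's uploaded contacts. The class names, the purpose set and the users alice and bob are assumptions chosen for illustration.

```python
"""Purpose-bound storage of a user's 2SV phone number (added example; see lead-in)."""
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):            # assumed purpose catalogue for the example
    TWO_STEP_VERIFICATION = "2sv"
    ACCOUNT_RECOVERY = "account_recovery"
    AD_TARGETING = "ad_targeting"


class PurposeViolation(PermissionError):
    """A read for a purpose the data subject never consented to."""


@dataclass
class Datum:
    value: str
    provider: str               # who handed the value over; may differ from the subject


@dataclass
class CompartmentalisedStore:
    # Consent is keyed by the data *subject*, never by whoever uploaded the value,
    # so a friend uploading alice's number cannot widen what alice agreed to.
    consents: dict = field(default_factory=dict)
    data: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def consent(self, subject: str, purposes) -> None:
        # Purposes are fixed at collection time; widening needs a fresh consent call.
        self.consents[subject] = frozenset(purposes)

    def put(self, subject: str, key: str, value: str, provider: str) -> None:
        self.data[(subject, key)] = Datum(value, provider)

    def get(self, subject: str, key: str, purpose: Purpose) -> str:
        datum = self.data[(subject, key)]
        allowed = purpose in self.consents.get(subject, frozenset())
        self.audit.append((subject, key, datum.provider, purpose.value,
                           "allow" if allowed else "deny"))
        if not allowed:
            raise PurposeViolation(
                f"{key} of {subject} (from {datum.provider}) not released for {purpose.value}")
        return datum.value


def demo() -> dict:
    """Constructed scenario: alice gives a number for 2SV; bob uploads it too."""
    store = CompartmentalisedStore()
    store.consent("alice", {Purpose.TWO_STEP_VERIFICATION, Purpose.ACCOUNT_RECOVERY})
    store.put("alice", "phone", "+1-555-0100", provider="alice")
    store.put("alice", "phone_from_contacts", "+1-555-0100", provider="bob")

    out = {"2sv": store.get("alice", "phone", Purpose.TWO_STEP_VERIFICATION)}
    for label, key in (("ads", "phone"), ("shadow_ads", "phone_from_contacts")):
        try:
            store.get("alice", key, Purpose.AD_TARGETING)
            out[label] = "released"
        except PurposeViolation:
            out[label] = "denied"
    out["denials"] = sum(1 for entry in store.audit if entry[-1] == "deny")
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the consent record and the data record are separate and the check is made at every read; a number uploaded by bob is still alice's data, so it inherits only alice's consent and is refused for ad targeting exactly as the number she typed in herself.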

------------------------------

Date: Thu, 27 Sep 2018 20:06:22 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Uber to pay $148 million in settlement over 2016 data breach
  and cover-up" (ZDNet)

Stephanie Condon for Between the Lines | 26 Sep 2018
The nationwide settlement agreement also requires Uber to implement
better data protection policies.
https://www.zdnet.com/article/uber-to-pay-148-million-in-settlment-over-2016-data-breach-and-cover-up/

opening text:

Uber has agreed to pay $148 million in a nationwide settlement agreement
over its 2016 data breach and subsequent cover-up, state attorneys general
announced Wednesday. The money will be dispersed across all 50 states and
the District of Columbia. Uber has also agreed to take specific steps to
better secure its employees' data.

------------------------------

Date: Thu, 27 Sep 2018 20:18:44 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Telstra refunds customers AU$9.3m for billing practices"
  (Corinne Reichert)

Corinne Reichert, ZDNet, 28 Sep 2018
After being fined AU$10 million for misleading customers on its management
of premium direct billing services, Telstra has also had to refund customers
a total of AU$9.3 million.

https://www.zdnet.com/article/telstra-refunds-customers-au9-3m-for-billing-practices/

------------------------------

Date: Tue, 25 Sep 2018 17:24:49 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Monero bug could have allowed hackers to steal massive
  amounts of cryptocurrency" (Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 25 Sep 2018
Bug was discovered after a user posted a theoretical question on Reddit.
The developers of the Monero anonymous cryptocurrency have rolled out a
patch today that addresses a bug that could have been used by hackers to
obtain funds from exchanges illegally.

https://www.zdnet.com/article/monero-bug-could-have-allowed-hackers-to-steal-massive-amounts-of-cryptocurrency/

------------------------------

Date: Mon, 24 Sep 2018 15:24:41 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Wendy's faces lawsuit for unlawfully collecting employee
  fingerprints" (Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 23 Sep 2018
Wendy's faces lawsuit for unlawfully collecting employee fingerprints
Restaurant chain faces class-action lawsuit in Illinois for breaking
BIPA state law.

https://www.zdnet.com/article/wendys-faces-lawsuit-for-unlawfully-collecting-employee-fingerprints/

A class-action lawsuit has been filed in Illinois against fast food
restaurant chain Wendy's accusing the company of breaking state laws in
regards to the way it stores and handles employee fingerprints.

The complaint is centered around Wendy's practice of using biometric clocks
that scan employees' fingerprints when they arrive at work, when they leave,
and when they use the Point-Of-Sale and cash register systems.

------------------------------

Date: Tue, 25 Sep 2018 17:16:10 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Man gets two years in prison for sabotaging US Army servers
  with 'logic bomb'" (Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 25 Sep 2018
Server sabotage resulted in 17 days of delay in US Army Reserve pay.

https://www.zdnet.com/article/man-gets-two-years-in-prison-for-sabotaging-us-army-servers-with-logic-bomb/

A US judge has sentenced an Atlanta man to two years in prison followed by
three years of supervised release for sabotaging one of the US Army's
payroll databases with a "logic bomb."

According to investigators, Das didn't appear to take this handover lightly,
and at some time before the changeover, he placed malicious code on the RLAS
database that would execute days after the new company took over and would
destroy locally-stored records.

------------------------------

Date: Tue, 25 Sep 2018 21:34:08 -0500
From: Ben Moore <ben.moore@juno.com>
Subject: Coding Error Sends 2019 Subaru Ascents To the Car Crusher
  (Slashdot)

"All 293 of the [2019 Subaru Ascent] SUVs that were built in July will be
scrapped because they are missing critical spot welds. According to
Subaru's recall notice filed with the U.S. National Highway Transportation
Safety Administration, the welding robots at the Subaru Indiana Automotive
plant in Lafayette, Ind., were improperly coded, which meant the robots
omitted the spot welds required on the Ascents' B-pillar."

https://developers.slashdot.org/story/18/09/23/0311221/coding-error-sends-2019-subaru-ascents-to-the-car-crusher

------------------------------

Date: Fri, 28 Sep 2018 09:52:26 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: AI security camera detects guns and identifies shooters (zdnet)

https://www.zdnet.com/article/ai-security-camera-detects-guns-and-identifies-shooters/

False positives may lead to unintentional shootings.

------------------------------

Date: Wed, 26 Sep 2018 07:40:51 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Will LA's Anti-Terrorist Subway Scanners Be Adopted Everywhere
  (Scientific American)

https://www.scientificamerican.com/article/will-l-a-s-anti-terrorist-subway-scanners-be-adopted-everywhere/

Terahertz millimeter-wave screening devices scan crowded public spaces to
detect weapons/explosives.

'How the technology works in practice depends heavily on the operator's
training. According to Evans, "A lot of tradecraft goes into understanding
where the threat item is likely to be on the body." He sees the crucial role
played by the operator as giving back control to security guards and
allowing them to use their common sense.'

'Ultimately will these devices make public places safer? Opinions vary
drastically. Schneier, for one, is a skeptic. "It makes no sense, because
all it does is force an attacker to make minor changes to their plans,"
adding that he sees the technology as a step toward "militarization of the
police." Evans responds: The scanners offer an alternative to leaving mass
transit unprotected or increasing the visible police presence as terrorists
shift their focus away from airports. "It's part of the solution," he
says. "We don't claim it's the whole solution, and anyone who does is
over-claiming their technology."  But the enormity of the problem makes even
that more modest goal a challenge. "A bomb can be set off anywhere in a free
society," Stanley says. "When and where is the trade-off worth it? A lot of
terrorism is not really very fussy about what's attacked. Are we going to
screen everybody every time people get together in one place?"'

------------------------------

Date: Tue, 25 Sep 2018 23:51:17 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Delta 'Technology Issue' Temporarily Disrupts Travel and Enrages
  Customers (NYTimes)

The problems caused widespread confusion, and many customers demanded to
know why they could not book flights, print tickets or board their planes.

https://www.nytimes.com/2018/09/25/business/delta-airlines-outage.html

------------------------------

Date: Wed, 26 Sep 2018 16:56:51 -0700
From: Rob Slade <rmslade@shaw.ca>
Subject: The scientific method (NPR)

So this scientist has taken a fall for rather questionable methods in
directing scientific experiments.

https://www.npr.org/sections/thesalt/2018/09/26/651849441/cornell-food-researchers-downfall-raises-larger-questions-for-science
or https://is.gd/RC6Fju

So what has this to do with security?  Well, it sorta falls into the realm
of integrity.  Kinda like fake news.

And what's wrong with what he was doing?  After all, we teach about data
warehousing, right?  You got a bunch of data: what's wrong with using it to
learn things aside from what you originally thought you were going to learn?
That's sort of OK if you don't stray too far, but, at some point, you get
into the realms of "shoot first: draw the target afterward."

------------------------------

Date: Wed, 26 Sep 2018 10:12:25 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Instagram has a drug problem. Its algorithms make it worse.
  (WashPost)

If you express interest in buying drugs illicitly, expect a flood of
solicitations to be funneled to you.

https://www.washingtonpost.com/business/economy/instagram-has-a-drug-problem-its-algorithms-make-it-worse/2018/09/25/c45bf730-bdbf-11e8-b7d2-0773aa1e33da_story.html

------------------------------

Date: Sat, 22 Sep 2018 12:00:50 -0400
From: Kelly Bert Manning <bo774@freenet.carleton.ca>
Subject: Why buy bankrupt corporate servers on craigslist when you can
 "rent the room" containing them?

We have seen bankruptcy trustees and Judges in some jurisdictions contend
that the personal information held by failed companies is an asset that can
be bought and sold, but "renting the room" containing the servers for
$15,000 takes that to a whole new level.

The relevant General Principles in Codes of Fair Information Practices and
most Privacy Regulations are that Personal Information must only be used for
the purposes for which it was originally collected, and cannot be passed
along without the informed consent of the person involved.

https://boingboing.net/2018/09/21/unencrypted-data.html

"When Vancouver tech retailer NCIX went bankrupt, it stopped paying its
bills, including the bills for the storage where its servers were being
kept; that led to the servers being auctioned off without being wiped first,
containing sensitive data -- addresses, phone numbers, credit card numbers,
passwords, etc -- for thousands of customers. Also on the servers: tax and
payroll information for the company's employees."

https://www.bleepingcomputer.com/news/security/unwiped-drives-and-servers-from-ncix-retailer-for-sale-on-craigslist/
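A check a practitioner would want before hardware leaves a bankrupt estate, added here as an example and not taken from the post, from NCIX or from the trustee: a Python scan over a raw disk image that classifies each block as zeroed, high-entropy (consistent with crypto-erasure or an encrypted volume) or residual plaintext, and flags card-number-shaped digit runs that pass the Luhn check. The block size, the entropy threshold, the nine-block sample image and the customer record inside it are all constructed assumptions; a clean result here means only that nothing obvious was found, not that the drive was wiped to any standard.

```python
"""Residual-data scan of a raw disk image (added example; see lead-in)."""
import math
import re
from collections import Counter

BLOCK = 512                      # assumed sector size
HIGH_ENTROPY = 7.5               # assumed threshold (bits/byte) for "looks random"
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")  # card-number-shaped digit runs


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over ASCII digits; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def shannon_entropy(block: bytes) -> float:
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_block(block: bytes) -> str:
    if not block.strip(b"\x00"):
        return "zero"
    if shannon_entropy(block) > HIGH_ENTROPY:
        return "random"          # consistent with crypto-erase or an encrypted volume
    return "plaintext"           # structured data survived; the drive was not wiped


def scan_image(image: bytes) -> dict:
    """Walk the image block by block.  The PAN search is per block, so a number
    split across a block boundary is missed (a limitation of this simple scan)."""
    if not image:
        raise ValueError("empty image")
    kinds = Counter()
    pans = set()
    for off in range(0, len(image), BLOCK):
        block = image[off:off + BLOCK]
        kind = classify_block(block)
        kinds[kind] += 1
        if kind == "plaintext":
            for m in PAN_RE.finditer(block):
                if luhn_ok(m.group(1)):
                    pans.add(m.group(1).decode())
    total = sum(kinds.values())
    return {
        "blocks": total,
        "zero_fraction": kinds["zero"] / total,
        "plaintext_blocks": kinds["plaintext"],
        "random_blocks": kinds["random"],
        "luhn_valid_numbers": sorted(pans),
        "safe_to_release": kinds["plaintext"] == 0 and not pans,
    }


def build_sample_image() -> bytes:
    """Constructed 9-block image: zeros, one leftover customer record, one random block."""
    record = (b"customer=Jane Doe,card=4111111111111111,order=1234567890123,"
              b"phone=604-555-0199\n")
    record_block = record.ljust(BLOCK, b"\x00")
    # (i*131+7) mod 256 with i over two full cycles: every byte value twice, 8 bits/byte
    random_block = bytes((i * 131 + 7) % 256 for i in range(BLOCK))
    zero = bytes(BLOCK)
    return zero * 4 + record_block + zero * 2 + random_block + zero


if __name__ == "__main__":
    print(scan_image(build_sample_image()))
```

On a real device the image would be read from the block device itself (for example a raw copy taken with dd), and the scan is only a sanity check on top of the wipe procedure: the "order=" value shows why the Luhn filter matters, since it is a 13-digit run that fails the checksum and is not reported, while the test card number is.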

------------------------------

Date: Sat, 22 Sep 2018 18:21:06 -0700
From: Richard Stein <rmstein@ieee.org>
Subject: Road to Zero: A Vision for Achieving Zero Roadway Deaths by 2050
  (NSC)

https://www.nsc.org/Portals/0/Documents/DistractedDrivingDocuments/Driver-Tech/Road%20to%20Zero/The-Report.pdf?ver=2018-04-17-111652-263

Fascinating report prepared by the Rand Corporation. Some of the acronyms
used:

3HF	Three-Horizons Foresight
AACN	advanced automatic crash notification
ABP	assumption-based planning
ADAS	advanced driver assistance systems
AEB	automatic emergency braking
DADSS	Driver Alcohol Detection System for Safety
EMS	emergency medical services
FARS	Fatality Analysis Reporting System
HAV	highly automated vehicle
IIHS	Insurance Institute for Highway Safety
V2V	vehicle-to-vehicle
V2X	vehicle-to-everything

Will 3HF correct ABP vision and align the CRM-114 discriminator POE?

------------------------------

Date: Sun, 23 Sep 2018 18:22:23 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: Sometimes still good to have international borders indicated on maps

Yes, I know say in Europe international borders might just clutter up
maps, but in other parts of the world well, they are a more serious matter
and shouldn't be removed from maps just yet...
https://github.com/openstreetmap/openstreetmap-website/issues/2002

------------------------------

Date: Mon, 24 Sep 2018 18:27:40 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Tardy responses, security failings led to SingHealth breach
  (StraitsTimes)

https://www.straitstimes.com/singapore/tardy-responses-security-failings-led-to-singhealth-breach

"Tardy responses owing to a lack of awareness of how critical the situation
was and multiple security inadequacies contributed to the factors that led
to a massive SingHealth cyber-attack compromising the personal data of 1.5
million patients."

An embarrassing wakeup call for Singapore where medical tourism is a big
draw throughout the APAC region. Deficient employee cybersecurity training
practices, data breach reporting procedure gaps, temporary database
connections left open across the network, malware implantation undetected,
password specification weaknesses, etc.

------------------------------

Date: Mon, 1 Oct 2018 08:57:12 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Perspective: A Heart Device Can Save Lives, But Doctors Need To
  Explain The Downsides (NPR.org)

https://www.npr.org/sections/health-shots/2018/09/30/652201204/perspective-a-heart-device-can-save-lives-but-doctors-need-to-explain-the-downsi
  [SafeLinks munged url?]

Another cautionary tale about implantable devices. The piece discusses
quality of life (QOL) outcome probabilities, and attempts to educate
patients about informed choice selection: to implant or not to implant.
Also mentioned are the "incentives" that device manufacturers offer
physicians and medical centers to promote their products.

Device implantation QOL outcomes (enhanced or diminished) are not
predictably deterministic.

"Of course, technology improves with time. A clinical trial published in May
showed that a newer-model LVAD (left-ventricle assist device) had
significantly fewer complications. This is encouraging, but it will be
important to see whether these outcomes hold true in practice --
particularly because almost on the day that study was published, the
manufacturer recalled the device to deal with technical problems."

Technology does not always 'improve' with time; it changes, sometimes for
good, sometimes for bad. The Hassle Factor (something like Murphy's Law) is
immutable. This outcome is especially pronounced for software stacks.

When implantable device manufacturers are compelled to disclose and publish
at least this life cycle collateral: (a) a device test plan; (b) the device
test results (conducted via a random control trial protocol); (c) wall clock
to qualify each candidate change pushed into the stack; and, (d) top-10
reported defect escapes for their released, version-controlled implantable
device, consumers will then be empowered to make a rational choice based on
data, not a video packaged as manufacturer's propaganda.

Granted, most consumers only want implanted devices to "work" -- produce a
favorable QOL outcome. Most implantation candidates would likely prefer an
informed and conflict-free, independent 3rd party to assess the device test
life cycle outcomes for them, and make a recommendation.  Consumer Reports
or Underwriters Laboratory are candidate organizations that can fulfill this
public interest.

------------------------------

Date: Sun, 30 Sep 2018 22:47:26 -0700
From: "Robert R. Fenichel" <bob@fenichel.net>
Subject: Re: Randomized clinical trial of epinephrine in treatment of cardiac
  arrest (RISKS-28.17)

This trial, organized several years ago, was discussed here starting with
RISKS 28.17.

RISKS followers may be interested to learn that the trial has been
completed, with a result that hardly anyone anticipated.  As described in
the New England Journal of Medicine (379(8): 711-721, 787-788 (2018-08-23)),
administering epinephrine in conventional doses to patients in cardiac
arrest results in improved 30-day survival, but no improvement in
neurological outcome.

------------------------------

Date: Sat, 29 Sep 2018 12:37:18 -0500
From: Dmitri Maziuk <dmaziuk@bmrb.wisc.edu>
Subject: Re: bloat (Slade, RISKS-30.84)

I think you're forgetting the bit where we had to have single-core CPUs
pumping bloat so fast they melted themselves blowing fuses city-wide... and
sales went down. So the chipmakers went with more-slower-cores instead and
for a short while were decrying the programmers' inability to program in
parallel. Until the software industry called and asked if they ever heard
about biting the hand that feeds them.

On the plus side I can finally run the original Master of Orion complete
with the original Sound Blaster emulation in DosBox. Again. Because let's
face it: the sequels, especially the latest cellphone glitz version,
are... just bloat.

------------------------------

Date: Sat, 22 Sep 2018 17:48:12 -0700
From: Richard Stein <rmstein@ieee.org>
Subject: Re: How do you get people to trust autonomous vehicles?
  (Stein, RISKS-30.82)

Martyn, thanks for correcting my garbled interpretation of the NHTSA statistic.

The NHTSA's metrics (see
https://crashstats.nhtsa.dot.gov/Api/Public/Publication/812456), comprise a
factual reporting source. The metrics discriminate among vehicle type (SUV,
passenger car, pickup truck, motorcycle, etc.).  Deaths per 100 million
vehicle miles traveled, be they carbon or silicon driven, comprise an
aggregate key indicator.

Segregating this indicator (e.g., carbon v. silicon driven) may be valuable,
provided that comparison reporting is accurate. If, hypothetically, NHTSA
reported:

CB (Carbon-based) 100VMT for 2016: 1.2 (~270M registered vehicles)*
SB (Silicon-based) 100VMT for 2016: 3 (~100 registered vehicles)^

This hypothetical statistic demonstrates a safety disadvantage for AVs.  Not
a likely selling point for consumers currently. Also, the AV sample size is
at least 4 orders of magnitude smaller than the CB population.

Not hard to imagine AV vendors trivializing or spinning this statistic.
Also, many consumers are mathematically challenged by the term "order of
magnitude."

https://www.statista.com/statistics/183505/number-of-vehicles-in-the-united-states-since-1990/

https://static.googleusercontent.com/media/www.google.com/en//selfdrivingcar/files/reports/report-0916.pdf

I also note that Alphabet/Waymo is apparently "throwing down the
gauntlet" for AV deployment in 2020. See
https://www.recode.net/2018/3/27/17167906/alphabet-waymo-self-driving-jaguar-electric-ride-hail

Perhaps the NHTSA will introduce the SB statistic after 2020 go-live (or
go-dead)!

------------------------------

Date: Mon, 1 Oct 2018 13:12:27 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Re: Bay Area city blocks 5G deployments over cancer concerns
  (Goldberg, RISKS-30.84)

Politicians and physics do not mix, except when a nuclear issue arises...

The energy of a photon, E = h * f, or h * c/lambda, where h is Planck's
constant and f is the photon frequency, lambda the wavelength, establishes
photo-ionization potential -- the ability of a photon to eject an electron
from an atom (in a DNA molecule for instance) and potentially initiate
cancer formation.

Cellphone frequencies range from ~0.45 to 6GHz. Doing the math per
https://www.1728.org/freqwave.htm

0.45 GHz or ~66.6 cm or ~1.86 microvolts
6.0  GHz or ~4.9  cm or ~25 microvolts

Ionization potential for carbon, hydrogen, and oxygen atoms: 11.2/13.6/13.6
eVolts. These values are 5-6 orders of magnitude larger than cell phone
energy radiation. 5G spectrum might approach ~30GHz, but the radiated energy
remains in the trivial range compared to ionization energy. A cellphone
might be used to warm croissant crumbs @ 2 GHz.
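
The following is an added worked example, not part of Stein's post, that
carries the E = h * f calculation through in code for the bands named above
and compares each result with the ionization energies quoted in the post
(11.2 eV for carbon, 13.6 eV for hydrogen and oxygen). The constants are the
SI values of h, c and the electronvolt; the band list is constructed for
illustration, and the function names are my own.

```python
"""Photon energy per radio band versus atomic ionization energy.

Added example (not from the RISKS post): evaluates E = h * f for the
cellphone / 5G bands discussed in the post and reports how many orders of
magnitude each photon falls below the ionization energies the post quotes.
"""
import math

# SI-exact constants (CODATA 2018 definitions).
PLANCK_J_S = 6.62607015e-34          # Planck's constant h, joule-seconds
SPEED_OF_LIGHT_M_S = 299_792_458     # c, metres per second
ELECTRON_VOLT_J = 1.602176634e-19    # energy of 1 eV in joules

# Ionization energies as quoted in the post, in electronvolts.
IONIZATION_ENERGY_EV = {"carbon": 11.2, "hydrogen": 13.6, "oxygen": 13.6}

# Constructed band list: cellular edges from the post, 2.45 GHz (microwave
# oven / Wi-Fi) and a ~30 GHz 5G millimetre-wave point.
BANDS_HZ = {
    "cellular low edge (0.45 GHz)": 0.45e9,
    "microwave oven / Wi-Fi (2.45 GHz)": 2.45e9,
    "cellular high edge (6 GHz)": 6.0e9,
    "5G mmWave (~30 GHz)": 30.0e9,
}


def photon_energy_ev(frequency_hz: float) -> float:
    """E = h * f, converted from joules to electronvolts."""
    return PLANCK_J_S * frequency_hz / ELECTRON_VOLT_J


def wavelength_cm(frequency_hz: float) -> float:
    """lambda = c / f, in centimetres (the unit the post uses)."""
    return SPEED_OF_LIGHT_M_S / frequency_hz * 100.0


def orders_of_magnitude_below(frequency_hz: float, atom: str) -> float:
    """log10 of (ionization energy / photon energy): how far below the
    ionization threshold a single photon at this frequency sits."""
    return math.log10(IONIZATION_ENERGY_EV[atom] / photon_energy_ev(frequency_hz))


def ionizing_threshold_hz(atom: str) -> float:
    """Lowest photon frequency able to ionize the named atom: f = E / h."""
    return IONIZATION_ENERGY_EV[atom] * ELECTRON_VOLT_J / PLANCK_J_S


def is_ionizing(frequency_hz: float) -> bool:
    """True if one photon carries at least the smallest quoted ionization
    energy (carbon, 11.2 eV). Photon energy, not field strength, decides
    this; more photons at the same frequency only heat the target."""
    return photon_energy_ev(frequency_hz) >= min(IONIZATION_ENERGY_EV.values())


def band_report() -> list[dict]:
    """One row per constructed band with energy, wavelength and the gap to
    each quoted ionization energy in orders of magnitude."""
    rows = []
    for name, f in BANDS_HZ.items():
        rows.append({
            "band": name,
            "frequency_hz": f,
            "wavelength_cm": wavelength_cm(f),
            "energy_uev": photon_energy_ev(f) * 1e6,   # micro-electronvolts
            "ionizing": is_ionizing(f),
            "orders_below": {a: orders_of_magnitude_below(f, a)
                             for a in IONIZATION_ENERGY_EV},
        })
    return rows


if __name__ == "__main__":
    for row in band_report():
        gap = ", ".join(f"{a}: {v:.1f}" for a, v in row["orders_below"].items())
        print(f"{row['band']:<36} {row['wavelength_cm']:7.2f} cm "
              f"{row['energy_uev']:8.2f} ueV ionizing={row['ionizing']} "
              f"orders below ({gap})")
    for atom in IONIZATION_ENERGY_EV:
        f_min = ionizing_threshold_hz(atom)
        print(f"{atom}: ionization needs f >= {f_min:.3e} Hz "
              f"({SPEED_OF_LIGHT_M_S / f_min * 1e9:.1f} nm), i.e. far ultraviolet")
```

Running the block reproduces the post's figures (about 1.86 micro-eV at 0.45 GHz, about 25 micro-eV at 6 GHz) and shows that even the 30 GHz point sits five orders of magnitude below hydrogen's 13.6 eV; `ionizing_threshold_hz` shows the first ionizing frequencies lie in the far ultraviolet, around 10^15 Hz, not in any radio band.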

------------------------------

Date: Fri, 28 Sep 2018 14:47:24 +0200
From: Diego Latella <Diego.Latella@isti.cnr.it>
Subject: Report on Artificial Intelligence and Human Rights:
  Opportunities and Risks (Raso et al.)

Berkman Klein Center for Internet & Society at Harvard

A report that is worth reading:

Artificial Intelligence & Human Rights: Opportunities & Risks
https://cyber.harvard.edu/publication/2018/artificial-intelligence-human-rights
F. Raso, H. Hilligoss, V. Krishnamurthy, C. Bavitz, L. Kim
Berkman Klein Center for Internet & Society at Harvard University

- Readable for non-computer-scientists, thanks to the clean & clear language
  used;

- Interesting for computer scientists, because it helps them elaborate on the
  potential impacts of their work.

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks have done to URLs.  I have
  tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.85
************************