[31832] in RISKS Forum


Risks Digest 31.55

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Fri Jan 31 16:25:08 2020

From: RISKS List Owner <risko@csl.sri.com>
Date: Fri, 31 Jan 2020 13:24:40 PST
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Friday 31 January 2020  Volume 31 : Issue 55

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.55>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:  [USENET connection temporarily broken since RISKS-31.44.  SORRY]
Georgia election systems could have been hacked before 2016 vote (Politico)
U.S. will look at sudden acceleration complaints involving 500,000 Tesla
  vehicles (Reuters)
Alleged MSFT mega breach (Comparitech)
How the Internet helped crack the Astros' sign-stealing case (ESPN)
Australian General Practice Medical Data Aggregation Software
  (outcomehealth)
Microsoft Warns of Unpatched IE Browser Zero-Day That's Under Active Attacks
  (The Hacker News)
Is LongFi the Next Wireless Revolution? (LifeWire)
Elaborate Honeypot 'Factory' Network Hit with Ransomware, RAT, and
  Cryptojacking (Darkreading)
Recent paychecks are smaller for some feds due to National Finance Center
  error (Federal News Network)
The Secretive Company That Might End Privacy as We Know It (NYTimes)
London police to roll out live facial recognition across the city
  (Janosch Delcker, Politico Europe)
The world's 2,153 billionaires are richer than 4.6 billion people combined,
  Oxfam says (Business Insider)
Hospitals Give Tech Giants Access to Detailed Medical Records (WSJ)
The Navy cryptically says it has top-secret UFO briefings that would cause
  'exceptionally grave damage' to US national security if published
  (NYTimes)
Panicking About Your Kids' Phones: New Research Says Don't
  (Nathaniel Popper)
Singapore updates AI governance model with real-world cases
  (The Straits Times)
Clearview app lets strangers find your name, info with snap of a photo,
  report says (CNET)
College career centers teach job applicants how to impress AI systems (CNN)
Banning Facial Recognition Isn't Enough (Bruce Schneier, NYTimes)
It May Be the Biggest Tax Heist Ever. And Europe Wants Justice
  (The New York Times)
India Restores Some Internet Access in Kashmir After Long Shutdown (NYTimes)
Y2038 is here (Twitter)
Yikes, friend's LinkedIn account hacked and spamming (Google)
From a car dealer (PGN)
Re: "Don't expect a return to the browser wars" (Chris Drewe)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 17 Jan 2020 15:25:56 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Georgia election systems could have been hacked before 2016 vote
  (Politico)

"[W]hat Logan's findings show us is that vulnerabilities were not just
hypothetical as the state had been claiming. Now we know that it was a very
real risk, but what we don't know is just how bad did it get. And the public
deserves to know," she said.

Georgia used the server to distribute critical election and voter
registration files to counties throughout the state.  However, the state has
insisted that it never distributed files to program voting machines through
the server. Instead, it delivered these files to counties physically. But if
the server was compromised, it could have been a vehicle to distribute
malware to any county election worker who connected to it.

Georgia's secretary of state, Brad Raffensperger, did not respond
immediately to a request for comment. Kemp served as secretary of state at
the time of the 2016 election, before being elected governor in 2018.

The Center for Election Systems at Kennesaw State University, which was
responsible for programming all of the voting machines in Georgia before
every election, owned and operated the server in question. That server was
already known to have security issues.

As POLITICO first reported, months before the 2016 election, Lamb discovered
that the KSU server was improperly secured so that anyone could access
sensitive election data stored on it, and it also had an unpatched
vulnerability in so-called Drupal software the server used, which would have
allowed attackers to take control of the server and alter or delete data on
it, or to post malware that could have infected the computers of election
officials accessing the server.

Logan made the discovery by chance when he visited the Center for Election
Services website to learn more about their role in programming voting
machines for Georgia.

After the POLITICO story published in June 2017, the plaintiffs filed their
lawsuit and sought to obtain the server for evidence supporting their
contention that Georgia's election systems are not secure and could have
been tampered with in the 2016 election.

But officials at Kennesaw wiped the server clean shortly after the
plaintiffs filed their suit. The FBI had a mirror image of the server, which
had been made in March 2017, but state officials fought to prevent the
plaintiffs from obtaining it to examine. They lost that fight last year.

Only recently was Lamb able to examine the server for evidence of tampering.
In his affidavit, Lamb said the server appears to have been compromised in
December 2014, using an unpatched vulnerability called *Shellshock* that had
been publicly revealed and widely reported three months earlier.

The Shellshock vulnerability is different from the Drupal one Lamb
discovered when he visited the Center's website in 2016. Both the Shellshock
and Drupal vulnerabilities had been publicly exposed around the same time,
but despite both receiving extensive media coverage and even a Department of
Homeland Security alert in the case of Shellshock, officials at the Center
for Election Systems failed to apply a patch to close either of them when
the patches were released.

------------------------------

Date: Fri, 17 Jan 2020 23:43:39 -0500
From: Monty Solomon <monty@roscom.com>
Subject: U.S. will look at sudden acceleration complaints involving
  500,000 Tesla vehicles (Reuters)

WASHINGTON (Reuters) - The National Highway Traffic Safety Administration
(NHTSA) said Friday it will review a petition asking the agency to formally
investigate and recall 500,000 Tesla Inc vehicles over sudden unintended
acceleration reports.

https://www.reuters.com/article/us-tesla-probe-idUSKBN1ZG1IL

------------------------------

Date: Fri, 24 Jan 2020 4:49:32 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Alleged MSFT mega breach (Comparitech)

https://www.comparitech.com/blog/information-security/microsoft-customer-service-data-leak/

"Over the New Year, Microsoft exposed nearly 250 million Customer Service
and Support (CSS) records on the web. The records contained logs of
conversations between Microsoft support agents and customers from all over
the world, spanning a 14-year period from 2005 to December 2019. All of the
data was left accessible to anyone with a web browser, with no password or
other authentication needed."

------------------------------

Date: Sat, 18 Jan 2020 19:38:00 -0500
From: Monty Solomon <monty@roscom.com>
Subject: How the Internet helped crack the Astros' sign-stealing case (ESPN)

https://www.espn.com/mlb/story/_/id/28476354/how-internet-helped-crack-astros-sign-stealing-case

------------------------------

Date: Sun, 19 Jan 2020 21:28:37 +1100
From: "Geoffrey Sinclair" <gsinclair@froggy.com.au>
Subject: Australian General Practice Medical Data Aggregation Software
  (outcomehealth)

The Australian Government has spent the last few years rolling out
MyHealthRecord, a centralised personal electronic health record for every
citizen which they and relevant medical staff can access.  It has a widely
publicised opt out mechanism and around 15% of the population have done so.
The latest report indicates it is underutilised due to a variety of factors
including the usual software incompatibilities.

However a much quieter data gathering is going on.  A software product
called Polar GP (and/or other suites like PEN Cat, this is about Polar GP)
is being offered free to General Practitioners as a way for big data to come
to them, enabling detailed data analysis of their practice and patients, and
has been around since early 2018 at least and went live on 1 August 2019.
Polar also installs a program called Hummingbird to copy data offsite.

This is part of an Australian Government initiative to upload GP data,
encouraged with incentive payments; all practices have a 12-month window to
comply with relevant standards.  Privacy is covered by the anonymity and
public benefit parts of the privacy act.  Patient records are given an ID
and practice number as part of the process of deleting individual
identifying material, but birth date and complete medical histories are
being exchanged and this is coupled with the relatively limited number of
patients at each practice.

Since the practice is considered to own the data, it is they who consent to
its sharing; the patient needs to request an opt-out.

Data is nominally sent via the government funded local, not for profit,
Primary Health Network company which then claims ownership of the records
and is expected to be a main user of the uploaded data, which is ultimately
copied to the Australian Institute of Health and Welfare.

The uploaded data, less the individual identifying material, is sent to a
central repository, managed/maintained by a private company called Outcome
Health, the practice sends hourly updates of the medical data, while holding
the key to link it to the local records.

The intention is to allow a number of organisations, including the practice,
to look at the aggregated data for the benefits that can bring to health
services.  This idea is supported by the Royal Australian College of General
Practitioners.  Reports can be generated with medical and/or financial
details.

To quote one of the websites,

  "POLAR is suitable for use by all general practice staff, including
  practice principals, general practitioners, nurses, practice managers,
  business managers and admin staff.

  POLAR performs a data collection (extracts changed data) from the practice
  software every five minutes. The identified and de-identified practice
  data is encrypted using industry endorsed algorithms similar as those used
  in the health, banking and e-commerce sectors. The encrypted identified
  data is stored locally with the POLAR software.

  The encrypted de-identified data is uploaded directly to the POLAR data
  warehouse (located in Australia). Overnight the accumulated de-identified
  data is built into POLAR Reports and made available for the viewing by the
  practice the following morning. When POLAR is opened at the practice the
  locally stored identified data and the de-identified data drawn from the
  POLAR Data Warehouse are unencrypted locally and matched enabling reports
  to be viewed and analysed.

  POLAR software is developed by Outcome Health. Outcome Health are the
  custodians of the POLAR Data Warehouse. De-identified patient data is
  securely stored in the POLAR Data Warehouse (in Australia) for population
  health planning ....

  Support for POLAR is provided free by the individual Primary Health
  Networks (PHNs)."

Posters put up in the GP offices appear to be about the limit of the
publicity; the sign-up documentation list includes:

"Step 5: A3 GP Poster (option 1 for reception area) or A3 GP Poster (option
2 for reception area) documents - download, print and display in your
reception area - option 1 or option 2 - your choice. Call us and we can send
you a printed version."

The posters indicate you need to ask at reception if you do not want your
data included.  The local GP practice had two posters displayed.

Despite the software being in use for over 5 months, no one at the practice
had any idea of what Polar was or did, confusing it with MyHealthRecord,
contending it really did not matter and trying the "put it in writing"
approach, even though the agreement to use the software requires the
signatures of an authorised person plus witness and appoints a nominated
administrator.  In the end the practice called one of the relevant Primary
Health Network IT people who clarified the situation.  The person was
acutely aware of the risk/reward equation along with the progress in
re-identifying data and agreed to send written confirmation my existing data
record had been deleted plus that no further uploads would be done.  The
written confirmation was supplied promptly.

https://polarexplorer.org.au Log in page uses Javascript.
https://outcomehealth.org.au/

The GP practice also has a new booking system which uses, and staff trained
to ask for, your birth date as the primary identifier when making an
appointment, and has the booking software on the same system as email.  If
you do not supply a birth date the staff generally call it out "to confirm"
it is you.
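The post's concern is that records stripped of names but still carrying a
full birth date, a practice number and a complete medical history are easy
to single out when each practice has only a limited number of patients.
The script below is an added example, written for this digest; it is not
code from the post, from Outcome Health or from the POLAR software. It
measures that re-identification risk on a small constructed extract (the
records, the practice numbers and the pseudonymous patient IDs are invented)
by computing, for several quasi-identifier choices, the smallest equivalence
class (the k of k-anonymity) and the share of records that are unique, and
then applies the usual mitigation of suppressing records whose class is
smaller than k. It goes slightly beyond the post by also showing the effect
of generalising the birth date to a birth year or an age band.

```python
"""Quasi-identifier uniqueness check for a de-identified GP extract.

Added example for RISKS 31.55; not the post's code and not POLAR's code.
All records below are constructed; practice numbers, patient IDs and
diagnosis codes are placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    practice_id: str   # practice number assigned during de-identification
    patient_id: str    # pseudonymous ID (assumed stand-in for the local linkage key)
    birth_date: date   # full birth date, as the post says is exchanged
    diagnoses: tuple   # ICD-style codes (constructed values)


# Constructed sample extract: two small practices, eight patients.
RECORDS = [
    Record("P001", "a1", date(1961, 3, 4), ("E11",)),
    Record("P001", "a2", date(1961, 3, 4), ("I10",)),
    Record("P001", "a3", date(1975, 7, 19), ("J45",)),
    Record("P001", "a4", date(1975, 11, 2), ("E11", "I10")),
    Record("P001", "a5", date(1989, 1, 30), ("F32",)),
    Record("P002", "b1", date(1975, 7, 19), ("E11",)),
    Record("P002", "b2", date(1989, 1, 30), ("J45",)),
    Record("P002", "b3", date(1989, 1, 30), ("I10",)),
]

AS_OF = date(2020, 1, 31)  # reference date for age bands (constructed)


def age_band(birth: date, as_of: date = AS_OF, width: int = 10) -> str:
    """Generalise a birth date to a ten-year age band such as '40-49'."""
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


# Quasi-identifier choices, from most to least precise.
QI_LEVELS = {
    "practice+birth_date+diagnoses": lambda r: (r.practice_id, r.birth_date, r.diagnoses),
    "practice+birth_date": lambda r: (r.practice_id, r.birth_date),
    "practice+birth_year": lambda r: (r.practice_id, r.birth_date.year),
    "practice+age_band": lambda r: (r.practice_id, age_band(r.birth_date)),
}


def equivalence_classes(records, key):
    """Count how many records share each quasi-identifier value."""
    return Counter(key(r) for r in records)


def k_anonymity(records, key) -> int:
    """Size of the smallest equivalence class: the k in k-anonymity."""
    return min(equivalence_classes(records, key).values())


def unique_fraction(records, key) -> float:
    """Share of records that are alone in their class, i.e. trivially singled out."""
    classes = equivalence_classes(records, key)
    singletons = sum(1 for r in records if classes[key(r)] == 1)
    return singletons / len(records)


def suppress_small_classes(records, key, k: int):
    """Mitigation: drop records whose equivalence class has fewer than k members."""
    classes = equivalence_classes(records, key)
    return [r for r in records if classes[key(r)] >= k]


def risk_report(records):
    """Map each quasi-identifier choice to (k, fraction of unique records)."""
    return {name: (k_anonymity(records, key), round(unique_fraction(records, key), 3))
            for name, key in QI_LEVELS.items()}


if __name__ == "__main__":
    for name, (k, uniq) in risk_report(RECORDS).items():
        print(f"{name:30s} k={k}  unique={uniq:.0%}")
    kept = suppress_small_classes(RECORDS, QI_LEVELS["practice+birth_year"], 2)
    print(f"after suppression at k=2 on birth year: {len(kept)} of {len(RECORDS)} records kept")
```

On this extract the full birth date plus diagnoses makes every record
unique, the birth date alone leaves half the records unique, and
generalising to birth year or age band still leaves singletons in a practice
this small; only suppression of the small classes brings k to 2. The same
measurement applied to a real extract before upload is the check a practice
or PHN would want before relying on the word "de-identified".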

------------------------------

Date: Sat, 18 Jan 2020 09:17:27 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Microsoft Warns of Unpatched IE Browser Zero-Day That's Under
  Active Attacks (The Hacker News)

EXCERPT:

Internet Explorer is dead, but not the mess it left behind.

Microsoft earlier today issued an emergency security advisory warning
millions of Windows users of a new zero-day vulnerability in Internet
Explorer (IE) browser that attackers are actively exploiting in the wild --
and there is no patch yet available for it.

The vulnerability, tracked as CVE-2020-0674 and rated moderate, is a remote
code execution issue that exists in the way the scripting engine handles
objects in memory of Internet Explorer and triggers through JScript.dll
library.
<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001>

A remote attacker can execute arbitrary code on targeted computers and take
full control over them just by convincing victims into opening a
maliciously crafted web page on the vulnerable Microsoft browser.

"The vulnerability could corrupt memory in such a way that an attacker
could execute arbitrary code in the context of the current user. An
attacker who successfully exploited the vulnerability could gain the same
user rights as the current user," the advisory says.

"If the current user is logged on with administrative user rights, an
attacker who successfully exploited the vulnerability could take control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights."

Microsoft is aware of `limited targeted attacks' in the wild and working on
a fix, but until a patch is released, affected users have been provided
with workarounds and mitigation to prevent their vulnerable systems from
cyberattacks.

The affected web browsing software includes -- Internet Explorer 9, Internet
Explorer 10, and Internet Explorer 11 running on all versions of Windows 10,
Windows 8.1, and the recently-discontinued Windows 7.

Workarounds: Defend Against Attacks Until A Patch Arrives. [...]

https://thehackernews.com/2020/01/internet-explorer-zero-day-attack.html
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001

------------------------------

From: Gabe Goldberg <gabe@gabegold.com>
Date: Tue, 21 Jan 2020 14:47:38 -0500
Subject: Is LongFi the Next Wireless Revolution? (LifeWire)

Author writes:

  IoT and Our Low-Powered Sensor Future

There are, by some measures, more than 30 billion Internet of Things (IoT)
devices in use around the world. Virtually all of them live on Wi-Fi and
cellular networks, but a small number, mostly tracking devices, are
communicating in essentially a third way, on a LongFi network powered by
Helium's small, consumer hot spots. And if Helium has its way, the LongFi
network will change the way millions of low-powered devices communicate and
how widely-distributed networks are built.

Even though Helium has been around for 6 years, I’d never heard of it and
hesitated to accept a CES meeting with CEO and Co-Founder Amir Haleem. The
concept, though -- a peer-to-peer wide-area wireless network with a
crypto-currency angle -- was intriguing. Plus, the company was co-founded by
Napster founder Shawn Fanning.  [...]

Building such a network, even without the infrastructure overhead of LTE or
5G is not easy, but Helium cooked up an unusual solution. The company
encourages consumers to put a Helium Hotspot in their home by making them a
participant in the economics of the network, which is where Blockchain comes
in.

In addition to helping create the LongFi network, the Helium Hotspots are
cryptocurrency mining systems and, depending on how third parties use the
encrypted network, their hotspots may mine cryptocurrency in the form of
Helium Tokens. The cryptocurrency collection is tracked in the Helium
app. Granted, a Helium Token currently has no value, but someday, possibly
depending on the scale of the Helium LongFi network, it may.

That pitch was, somewhat surprisingly, enough to attract a couple hundred
crypto enthusiasts in Austin, Texas (the network went live last
summer). Haleem told me they also had no trouble finding takers enmeshed in
the IoT world.

https://www.lifewire.com/is-longfi-the-next-wireless-revolution-4782141

Risk? IoT + blockchain?

------------------------------

Date: Fri, 24 Jan 2020 11:40:14 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Elaborate Honeypot 'Factory' Network Hit with Ransomware, RAT, and
  Cryptojacking (Darkreading)

A fictitious industrial company with phony employee personas, website, and
PLCs sitting on a simulated factory network fooled malicious hackers -- and
raised alarms for at least one white-hat researcher who stumbled upon it.

EXCERPT:

For seven months, researchers at Trend Micro ran a legitimate-looking phony
industrial prototyping company with an advanced interactive honeypot network
to attract would-be attackers.

The goal was to create a convincing-looking network that attackers wouldn't
recognize as a honeypot so the researchers could track and study attacks
against the phony factory in order to gather intel on the real threats to
the industrial control system (ICS) sector today.

The faux company's factory network, which they purposely configured with
some ports exposed to the Internet from May through December of last year,
was mostly hit with the same types of threats that IT networks face:
ransomware, remote access Trojans (RATs), malicious cryptojacking, and
online fraud, as well as botnet-style beaconing malware that infected its
robotics workstation for possible lateral movement.

But there also were a few more alarming incidents with shades of more
targeted intent. In one attack on 25 Aug 2019, for instance, an attacker
worked its way around the robotics system, closed the HMI application, and
then powered down the system. Later that month, an attacker was able to
start up the factory network, stop the phony conveyor belt - and then shut
down the factory network. Attackers via the HMI shut down the factory and
locked the screen, while another opened the log view of the robot's optical
eye.  [...]
https://www.darkreading.com/threat-intelligence/elaborate-honeypot-factory-network-hit-with-ransomware-rat-and-cryptojacking/

------------------------------

Date: Tue, 21 Jan 2020 20:53:30 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Recent paychecks are smaller for some feds due to National Finance
  Center error (Federal News Network)

  /This story has been updated on Friday, Jan. 17 at 9:30 a.m. to indicate
  that some NFC employees have received larger paychecks than usual./

https://federalnewsnetwork.com/pay/2020/01/recent-paychecks-are-smaller-for-some-feds-due-to-national-finance-center-error/

...well, then it's OK, that balances things.

------------------------------

Date: January 19, 2020 6:03:03 JST
From: Ellen Ullman <ullman@well.com>
Subject: The Secretive Company That Might End Privacy as We Know It (NYTimes)

A little-known start-up helps law enforcement match photos of unknown people
to their online images -- and "might lead to a dystopian future or
something," a backer says.

This application scrapes social media for its database of images,
approximately 3 billion photographs. It claims it can recognize individuals
wearing hats and glasses, also faces in profile. Its efficacy and accuracy
have not been independently tested, yet it is in increasing use by police
departments nationally.

https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html

------------------------------

Date: Fri, 24 Jan 2020 10:42:48 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: London police to roll out live facial recognition across the city
  (Janosch Delcker, Politico Europe)

Police in the British capital are set to deploy automated facial recognition
technology across the city, it was announced today.

``The use of live facial recognition technology will be intelligence-led and
deployed to specific locations in London,'' the Metropolitan Police Service
said in a statement, arguing that this ``will help tackle serious crime,
including serious violence, gun and knife crime, child sexual exploitation
and help protect the vulnerable.''
<http://news.met.police.uk/news/met-begins-operational-use-of-live-facial-recognition-lfr-technology-392451>

Democratic governments in the West are increasingly following the example of
authoritarian regimes in deploying the technology, which allows them to scan
faces in crowds, compare the results with stored data and identify
individuals in real time.

Civil rights advocates have warned that such *live* or *automated* facial
recognition systems pave the way for mass surveillance on an unprecedented
scale, but in a landmark case earlier this year, a U.K. court ruled that
South Wales Police had used similar technology lawfully.
<https://www.politico.eu/article/uk-court-backs-police-in-facial-recognition-lawsuit/>

Earlier today, German news wire DPA reported that the German interior
ministry dropped plans to roll out similar technology at over a hundred
train stations across the country, following warnings by legal experts that
the use would likely infringe the country's constitution.

------------------------------

Date: Mon, 20 Jan 2020 10:54:13 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: The world's 2,153 billionaires are richer than 4.6 billion people
  combined, Oxfam says (Business Insider)

 - The world's 2,153 billionaires have more wealth than 4.6 billion
   people combined, Oxfam's latest report on inequality found.
 - The richest 1% are more than twice as wealthy as 6.9 billion people,
   or nearly 90% of the human population, the report estimated.
 - A key driver of the wealth gap is that women and girls put in 12.5
   billion hours of unpaid care work every day, the Oxfam researchers argued.
 - Their recommendations include investing in national care, passing laws
   to protect and pay care workers, and ending extreme wealth.

EXCERPT:

The world's 2,153 billionaires are richer than 4.6 billion people -- 60% of
the global population -- combined, according to "Time to Care
<https://oxfamilibrary.openrepository.com/bitstream/handle/10546/620928/bp-time-to-care-inequality-200120-en.pdf>,"
Oxfam's latest report on inequality.

"Our broken economies are lining the pockets of billionaires and big
business at the expense of ordinary men and women," Oxfam India CEO Amitabh
Behar said in a press release
<https://www.oxfam.org/en/press-releases/worlds-billionaires-have-more-wealth-46-billion-people>
ahead of this week's World Economic Forum in Davos, an annual gathering of
business, academic, and political leaders.

"No wonder people are starting to question whether billionaires should even
exist," Behar added.

The richest 1% are more than twice as wealthy as 6.9 billion people, or
nearly 90% of the human population, the report's authors found. The 22
wealthiest men in the world, led by Amazon CEO Jeff Bezos and Microsoft
cofounder Bill Gates, possess more wealth than all the women in Africa put
together, they added.

The Oxfam researchers highlighted a key driver of the issue: women and
girls put in 12.5 billion hours of unpaid care work every day, contributing
$10.8 trillion to the global economy each year -- more than triple the size
of the global tech industry, by their estimates.

"This great divide is based on a flawed and sexist economic system that
values the wealth of the privileged few, mostly men, more than the billions
of hours of the most essential work -- the unpaid and underpaid care work
done primarily by women and girls around the world," they said.
The authors made several recommendations to narrow the gap: Invest in
national care to lessen the burden of care work shouldered by women and
girls, pass laws to protect carers' rights and pay care workers a living
wage, give carers a say in relevant decisions, challenge regressive and
sexist norms, and ensure businesses value care work...

[...]
https://markets.businessinsider.com/news/stocks/2153-billionaires-richer-than-4-6-billion-people-combined-oxfam-2020-1-1028829249

------------------------------

Date: Mon, 20 Jan 2020 11:14:51 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Hospitals Give Tech Giants Access to Detailed Medical Records (WSJ)

Deals with Microsoft, IBM and Google reveal the power medical providers have
in deciding how patients' sensitive health data is shared

Melanie Evans, *WSJ*, 20 Jan 2020

https://www.wsj.com/articles/hospitals-give-tech-giants-access-to-detailed-medical-records-11579516200

------------------------------

Date: Sat, 18 Jan 2020 15:53:46 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: The Navy cryptically says it has top-secret UFO briefings that would
   cause 'exceptionally grave damage' to US national security if published
   (NYTimes)

  [PGNed Via Geoff Goodfellow]

 - The Navy says it has material about UFOs that, if released, "would cause
   exceptionally grave damage to the National Security of the United
   States."

 - The Navy said it "discovered certain briefing slides that are classified
   TOP SECRET" in response to a freedom-of-information request, which asked
   about a series of videos that showed pilots baffled by mysterious, fast
   objects in the sky.

 - The Navy previously confirmed it was treating these objects as UFOs --
   which means they are being treated as unexplained but not necessarily
   extraterrestrial.

 - One of the videos was published by The New York Times in 2017, and
   pilots told *The Times* they saw the objects accelerate, stop, and turn
   in ways that went beyond known aerospace technology.
<https://www.nytimes.com/2019/05/26/us/politics/ufo-sightings-navy-pilots.html>

EXCERPT:

The Navy has said it has top-secret information about unidentified flying
objects that could cause "exceptionally grave damage to the National
Security of the United States" if released.

A Navy representative responded to a Freedom of Information Act request sent
by a researcher named Christian Lambright by saying the Navy had "discovered
certain briefing slides that are classified TOP SECRET," Vice reported last
week.
<https://www.vice.com/en_us/article/wxe54z/the-navy-has-secret-classified-video-of-an-infamous-ufo-incident>

But the representative from the Navy's Office of Naval Intelligence said
"the Original Classification Authority has determined that the release of
these materials would cause exceptionally grave damage to the National
Security of the United States."

The person also said the Navy had at least one related video classified as
"SECRET."

Vice said it independently verified the response to Lambright's request with
the Navy.
<https://www.vice.com/en_us/article/wxe54z/the-navy-has-secret-classified-video-of-an-infamous-ufo-incident>

Lambright's request for information was related to a series of videos
showing Navy pilots baffled by mysterious, fast objects in the sky.
<https://ufos-documenting-the-evidence.blogspot.com/2020/01/office-of-naval-intelligence-oni-admits.html>

The Navy previously confirmed it was treating these objects as UFOs...

https://www.businessinsider.com/navy-says-release-files-into-ufo-sightings-would-damage-security-2020-1

------------------------------

Date: Sun, 26 Jan 2020 10:21:01 -0700
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Panicking About Your Kids' Phones: New Research Says Don't
  (Nathaniel Popper)

*The New York Times*, 17 Jan 2020

  SAN FRANCISCO — It has become common wisdom that too much time spent on
  smartphones and social media is responsible for a recent spike in anxiety,
  depression and other mental health problems, especially among teenagers.

  But a growing number of academic researchers have produced studies that
  suggest the common wisdom is wrong.

  The latest research, published on Friday by two psychology professors,
  combs through about 40 studies that have examined the link between social
  media use and both depression and anxiety among adolescents. That link,
  according to the professors, is small and inconsistent.

  "There doesn't seem to be an evidence base that would explain the level of
  panic and consternation around these issues," said Candice L. Odgers, a
  professor at the University of California, Irvine, and the lead author of
  the paper, which was published in the Journal of Child Psychology and
  Psychiatry.

https://www.nytimes.com/2020/01/17/technology/kids-smartphones-depression.html

------------------------------

Date: Wed, 22 Jan 2020 18:34:23 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Singapore updates AI governance model with real-world cases
  (The Straits Times)

https://www.straitstimes.com/world/spore-updates-ai-governance-model-with-real-world-cases

The voluntary framework can be found here: https://www.imda.gov.sg/AI.  It
establishes fundamentally aspirational guidelines for organizations that
adopt AI-based technology into their operations and/or products.  The
framework emphasizes these two key values:

1) "Decisions made by AI should be EXPLAINABLE, TRANSPARENT & FAIR"
2) "AI systems should be HUMAN-CENTRIC"

That the framework conditionally expresses these progressive values reveals
their portentous consequence were they applied as law and regulation. AI
capabilities subject to demonstrate "EXPLAINABLE, TRANSPARENT & FAIR"
operation and outcome, without exemption, would likely impose undue
commercial liability and risk burden.

Imagine if the AI capability was investigated, and shown (via logfile,
transaction stream, sequence structures, judicial review proceedings, etc.)
to render biased data processing results that a business uses for human
capital management and hiring decisions, or performs loan approval, or
authorizes medical expense payment? The consequences would likely be costly
to both brand and valuation -- a result that strongly resonates with
for-profit organizations.

Some forms of bias are benign -- product material choice affects color-blind
individuals, but might be unavoidable. If the product label clearly
discloses this fact (not fit for use if color-blind, in black-and-white),
the manufacturer is likely free from liability.

Employment bias attributed to age, gender, ethnicity, etc. is not benign.
AI-hiring bots need to transparently disclose their justification for
candidate employment approval or rejection. Automatic trust is not merited
in this case. Human review and oversight of AI conclusions are required to
double-check machine outcome.

Malcolm Gladwell's "Talking to Strangers: What We Should Know about the
People We Don't Know," teaches that human trust between humans hinges on the
"Truth Default" concept. By default, humans believe their peers. He explores
and discusses conditions that contribute to trust determination. He explains
the elusive nature of human deception, and the challenges that burden
experienced interrogators (judges, detectives, counter-intelligence agents,
etc.) attempting to identify it.

AI algorithm decisions might one day be automatically judged for bias if an
international reference standard existed for this context. This "bias
reference standard" would be analogous to the kilogram, meter, or second,
but it would apply to AI algorithm bias detection and context.

It is doubtful that a software stack, especially one using conditional
Boolean logic, can serve in this reference capacity. It is unlikely that a
human can engineer it directly. Perhaps an artificial generalized
intelligence can evolve to serve humans in this magnanimous capacity.  Until
a universal bias reference standard emerges, a bias-free AI algorithm, or
equivalent computation structure hosted via quantum, neuromorphic, and/or
analog computers, appears unlikely to materialize.

Unless governments tighten regulations and toughen enforcement, criminals
and scurrilous interests will exploit AI at the public's expense.

Scam surveillance programs, enhanced malware detection platforms, may
comprise the next technological disruption that entrepreneurs and startups
pursue. How will their unbiased trust be earned and shown to serve the
public interest? Will they yield explainable, transparent, and fair outcomes
that can withstand legal scrutiny?

------------------------------

Date: Mon, 20 Jan 2020 10:51:17 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: Clearview app lets strangers find your name, info with snap of a
  photo, report says (CNET)

EXCERPT:

What if a stranger could snap your picture on the sidewalk then use an app
to quickly discover your name, address and other details? A startup called
Clearview AI <https://clearview.ai/> has made that possible, and its app is
currently being used by hundreds of law enforcement agencies in the US,
including the FBI, says a Saturday report in The New York Times.
<https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html>

The app, says *The Times*, works by comparing a photo to a database of more
than 3 billion pictures that Clearview says it's scraped off Facebook,
Venmo, YouTube and other sites. It then serves up matches, along with links
to the sites where those database photos originally appeared. A name might
easily be unearthed, and from there other info could be dug up online.

The size of the Clearview database dwarfs others in use by law enforcement.
The FBI's own database, which taps passport and driver's license photos, is
one of the largest, with over 641 million images of US citizens.

The Clearview app isn't currently available to the public, but the Times
says police officers and Clearview investors think it will be in the
future. [...]

https://www.cnet.com/news/clearview-app-lets-strangers-find-your-name-info-with-snap-of-a-photo-report-says/

------------------------------

Date: Sat, 18 Jan 2020 10:58:10 +0200
From: Amos Shapir <amos083@gmail.com>
Subject: College career centers teach job applicants how to impress AI
  systems (CNN)

It seems that hiring companies use AI systems to analyze not just CVs, but
also video job interviews.

Full story:

https://edition.cnn.com/2020/01/15/tech/ai-job-interview/?utm_source=join1440&utm_medium=email&utm_placement=etcetera

------------------------------

Date: January 20, 2020 22:49:51 JST
From: Dewayne Hendricks <dewayne@warpspeed.com>
Subject: Banning Facial Recognition Isn't Enough (Bruce Schneier, NYTimes)

 [via Dave Farber]

Bruce Schneier, 20 Jan 2020
The whole point of modern surveillance is to treat people differently, and
facial recognition technologies are only a small part of that.

https://www.nytimes.com/2020/01/20/opinion/facial-recognition-ban-privacy.html

Communities across the United States are starting to ban facial recognition
technologies. In May of last year, San Francisco banned facial recognition;
the neighboring city of Oakland soon followed, as did Somerville and
Brookline in Massachusetts (a statewide ban may follow). In December, San
Diego suspended a facial recognition program in advance of a new statewide
law, which declared it illegal, coming into effect. Forty major music
festivals pledged not to use the technology, and activists are calling for a
nationwide ban. Many Democratic presidential candidates support at least a
partial ban on the technology.

These efforts are well intentioned, but facial recognition bans are the
wrong way to fight against modern surveillance. Focusing on one particular
identification method misconstrues the nature of the surveillance society
we're in the process of building. Ubiquitous mass surveillance is
increasingly the norm. In countries like China, a surveillance
infrastructure is being built by the government for social control. In
countries like the United States, it's being built by corporations in order
to influence our buying behavior, and is incidentally used by the
government.

In all cases, modern mass surveillance has three broad components:
identification, correlation and discrimination. Let's take them in turn.

Facial recognition is a technology that can be used to identify people
without their knowledge or consent. It relies on the prevalence of cameras,
which are becoming both more powerful and smaller, and machine learning
technologies that can match the output of these cameras with images from a
database of existing photos.

But that's just one identification technology among many. People can be
identified at a distance by their heart beat or by their gait, using a
laser-based system. Cameras are so good that they can read fingerprints and
iris patterns from meters away. And even without any of these technologies,
we can always be identified because our smartphones broadcast unique numbers
called MAC addresses. Other things identify us as well: our phone numbers,
our credit card numbers, the license plates on our cars. China, for example,
uses multiple identification technologies to support its surveillance state.

Once we are identified, the data about who we are and what we are doing can
be correlated with other data collected at other times. This might be
movement data, which can be used to *follow* us as we move throughout our
day. It can be purchasing data, internet browsing data, or data about who we
talk to via email or text. It might be data about our income, ethnicity,
lifestyle, profession and interests. There is an entire industry of data
brokers who make a living analyzing and augmenting data about who we are --
using surveillance data collected by all sorts of companies and then sold
without our knowledge or consent.

There is a huge -- and almost entirely unregulated -- data broker industry
in the United States that trades on our information. This is how large
internet companies like Google and Facebook make their money. It's not just
that they know who we are, it's that they correlate what they know about us
to create profiles about who we are and what our interests are. This is why
many companies buy license plate data from states. It's also why companies
like Google are buying health records, and part of the reason Google bought
the company Fitbit, along with all of its data.

The whole purpose of this process is for companies -- and governments -- to
treat individuals differently. We are shown different ads on the internet
and receive different offers for credit cards. Smart billboards display
different advertisements based on who we are. In the future, we might be
treated differently when we walk into a store, just as we currently are when
we visit websites.

The point is that it doesn't matter which technology is used to identify
people. That there currently is no comprehensive database of heart beats or
gaits doesn't make the technologies that gather them any less effective. And
most of the time, it doesn't matter if identification isn't tied to a real
name. What's important is that we can be consistently identified over
time. We might be completely anonymous in a system that uses unique cookies
to track us as we browse the internet, but the same process of correlation
and discrimination still occurs. It's the same with faces; we can be tracked
as we move around a store or shopping mall, even if that tracking isn't tied
to a specific name. And that anonymity is fragile: If we ever order
something online with a credit card, or purchase something with a credit
card in a store, then suddenly our real names are attached to what was
anonymous tracking information.

------------------------------

Date: Sun, 26 Jan 2020 12:31:45 -0500
From: Monty Solomon <monty@roscom.com>
Subject: It May Be the Biggest Tax Heist Ever. And Europe Wants Justice
  (The New York Times)

Stock traders are accused of siphoning $60 billion from state coffers, in a
scheme that one called `the devil's machine'.  Germany is the first country
to try to get its money back.

https://www.nytimes.com/2020/01/23/business/cum-ex.html

------------------------------

Date: Sun, 26 Jan 2020 16:15:47 -0500
From: Monty Solomon <monty@roscom.com>
Subject: India Restores Some Internet Access in Kashmir After Long Shutdown
  (NYTimes)

https://www.nytimes.com/2020/01/26/world/asia/kashmir-internet-shutdown-india.html

------------------------------

Date: Tue, 21 Jan 2020 20:35:47 -0500
From: Steve Golson <sgolson@trilobyte.com>
Subject: Y2038 is here (Twitter)

Wonderful and scary story about Y2038. It's here, now.
https://twitter.com/jxxf/status/1219009308438024200

Summary: a batch script that does financial projections 20 years out, dies
on January 19, 2018.

   No one knew what was wrong at first.  This batch job had never, ever
   crashed before, as far as anyone remembered or had logs for.  The person
   who originally wrote it had been dead for at least 15 years, and in any
   case hadn't been employed by the firm for decades.

   [Unix Redux.  2034 seemed fairly far ahead when Ken Thompson chose that
   end date.  Unix systems will still be around, and we will hear more
   beforehand, and then after the fixes don't last, just like Y2K.  PLAN
   AHEAD means different things to different folks.  PGN]

------------------------------

Date: Mon, 27 Jan 2020 12:21:54 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Yikes, friend's LinkedIn account hacked and spamming (Google)

... sending messages within LinkedIn with dodgy links. No reason LinkedIn
accounts would be immune, so be alert.

Plenty of previous reports:

https://www.google.com/search?client=firefox-b-1-d&q=linkedin+account+hacked

------------------------------

Date: Mon, 27 Jan 2020 15:49:04 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: From a car dealer

Your Recent Service Experience

TMNA_GEO_NAME_ENUM and BP_EXTERNAL_NAME_TXT would like to thank you for
choosing a new TMNA_MODEL_NAME_AUTO. We appreciate your business and value
you as a customer.

About two weeks ago, we sent an email requesting your feedback. The
information you provide will help TMNA_GEO_NAME_ENUM, its distributors, its
affiliates, and BP_EXTERNAL_NAME_TXT continuously improve customer
experiences.

If you have already shared your feedback, please disregard this email.

This survey will be active through TMNA_SURVEY_EXPIRATION_DATE_TEXT_EMAILS=
Please begin by responding to the question below.  [...]

Please do not reply to this e-mail as we are not able to respond to messages
sent to this address.

------------------------------

Date: Tue, 21 Jan 2020 22:17:25 +0000
From: Chris Drewe <e767pmk@yahoo.co.uk>
Subject: Re: "Don't expect a return to the browser wars".

I spotted this in a newspaper -- summary follows
https://www.telegraph.co.uk/technology/2020/01/20/dont-expect-return-browser-wars/

*The Telegraph*, 20 January 2020

  Don't expect a return to the browser wars. It has been two decades since
  Microsoft and the US government went to war over the former's efforts to
  crush challengers to its Internet Explorer web browser.  Explorer's market
  share peaked at around 95pc in 2004 before heading rapidly down with the
  rise of superior rivals such as Mozilla's Firefox, Opera and then Google's
  Chrome. Whether Microsoft lost because of intervention or because free
  market innovation did its job is still a matter of debate. But the firm
  was relegated to an afterthought in the browser wars. Explorer remains the
  butt of many jokes.  [Edge] runs on Chromium, the engine built by Google
  for the search company's own Chrome browser. Most net users are
  unconcerned about which web engines they use but they have been a key part
  of the battle between major software companies.  Microsoft's [IE] browser
  -- once so dominant it triggered monopoly investigations on two continents
  -- managed to become so irrelevant it was not worth working to
  support. Quite a fall.

I had to feel a twinge of sympathy for Microsoft as the EU court case
dragged on for years, and when they paid the fine, hardly anybody was still
using Internet Explorer anyway...

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.55
************************
