
Risks Digest 32.04

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Fri Jun 26 17:48:16 2020

From: RISKS List Owner <risko@csl.sri.com>
Date: Fri, 26 Jun 2020 14:48:02 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Friday 26 June 2020  Volume 32 : Issue 04

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.04>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
The Army will soon allow users to access classified info from home
  (Army Times via Gene Spafford + PGN)
CRISPR gene editing in human embryos wreaks chromosomal mayhem (Nature)
More than 1 million coronavirus stimulus checks went to dead people
  according to the GAO (WashPost)
How Thousands of Misplaced Emails Took Over This Engineer's Inbox (WiReD)
Demographic report on protests shows how much info our phones give away
  (Engadget)
FBI warns K12 schools of ransomware attacks via RDP (ZDNet)
Hidden Back Door Embedded in Chinese Tax Software, Firm Says (Bloomberg)
80,000 printers are exposing their IPP port online (ZDNet)
FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy (Krebs)
The US-China Battle Over the Internet Goes Under the Sea (WiReD)
Google Will Delete Your Data by Default in 18 Months (WiReD)
Re: Medical decision tools (Dr. Robert R. Fenichel)
Re: Only Sort of Wrongfully Accused by an Algorithm (John Levine)
Risks for charities, non-profits, small group (Rob Slade)
AI Ethics: IP Protection for AI-generated and AI-assisted works
  (Eventbrite/Wipo via Gabe Goldberg)
Abridged info on RISKS (comp.risks)

--------------------------------------.--------------------------------

Date: Thu, 25 Jun 2020 12:22:56 -0400
From: Gene Spafford <spaf@purdue.edu>
Subject: The Army will soon allow users to access classified info from home
  (Army Times)

Gee, I foresee this as a great innovation with no downsides at all.  I can't
wait for phase 3, when I convert my kitchen to a SCIF.

https://www.armytimes.com/2020/06/22/the-army-will-soon-allow-users-to-access-classified-info-from-home/

  [Seriously: All efforts at using untrustworthy computer-communication
  systems for trusted information currently seem to be doomed by our
  inherently compromisable infrastructures.  This would seem to be insane
  with today's technology.  PGN]

  [Less seriously: This will undoubtedly create many new opportunities to
  "classify" all sorts of illegal activities.  Furthermore, Spaf's SCIF
  would have to prevent all emanations of power usage, smoke, and scents --
  and other effluents as well as everything that comes in.  Just my
  two-scents worth.  However, I can't wait to have access to Spaf's secret
  recipes for Scytl Skittles (big in the voting business), Tarte Putin
  (French gourmet), and Fits-all Schnitzel.  PGN]

------------------------------

Date: Thu, 25 Jun 2020 08:04:42 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: CRISPR gene editing in human embryos wreaks chromosomal mayhem
  (Nature)

https://www.nature.com/articles/d41586-020-01906-4

------------------------------

Date: Thu, 25 Jun 2020 15:53:40 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: More than 1 million coronavirus stimulus checks went to dead people
  according to the GAO (WashPost)

https://www.washingtonpost.com/us-policy/2020/06/25/irs-stimulus-checks-dead-people-gao/

No time to check for dead recipients -- what could go wrong?

------------------------------

Date: Thu, 25 Jun 2020 20:44:16 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How Thousands of Misplaced Emails Took Over This Engineer's Inbox
  (WiReD)

Kenton Varda gets dozens of messages a day from Spanish-speakers around the
world, all thanks to a Gmail address he registered 16 years ago.

Two weeks ago, longtime software engineer Kenton Varda got an email that
wasn't meant for him. It was from AT&T Mexico to a customer named Jorge,
whose most recent phone bill was attached. You've probably gotten an email
intended for someone else at least once. But then Varda got another AT&T
Mexico bill for Gloria. And then a third for Humberto, who is overdue on
paying more than 6,200 pesos, about $275.

To Varda, the incident wasn't a surprise. As the owner of the email account
temporal@gmail.com, he gets dozens of messages a day from Spanish-speakers
around the world, all sent by people who thought they could use his address
as a dummy input: "Temporal" translates to "temporary." Varda says he
frequently receives private documents, even medical bills and collection
notices. Many of the most sensitive emails contain legal notices that the
messages are confidential and should not be disclosed to other parties aside
from the intended recipient. Varda doesn't speak Spanish, but he uses Google
Translate when possible to understand what's going on and reply to senders
saying they have the wrong address.

"Recently I had a few people send me what appeared to be photographs of
handwritten notes. Maybe notes from a class?" Varda says. "Also, I received
several job evaluations of one Jose Gomez, who appears to be a janitor. And
a pretty good one!"

https://www.wired.com/story/misplaced-emails-took-over-inbox-temporal/

  [Also noted by Dave Lesher: NO PLATE is back again!
     Maybe try /dev/null? (RISKS-37.37, RISKS-6.40)
  PGN]

------------------------------

Date: Thu, 25 Jun 2020 13:58:30 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Demographic report on protests shows how much info our phones give
  away (Engadget)

*Mobilewalla gathered cellphone data from Black Lives Matter protesters in
four cities.*

If you marched in recent Black Lives Matter protests in Atlanta, Los
Angeles, Minneapolis or New York, there's a chance the mobile analytics
company Mobilewalla gleaned demographic data from your cellphone use. Last
week, Mobilewalla released a report
detailing the race, age and gender breakdowns of individuals who
participated in protests in those cities during the weekend of May 29th.
What is especially disturbing is that protesters likely had no idea that the
tech company was using location data harvested from their devices.
<https://www.mobilewalla.com/about/press/new-report-reveals-demographics-of-protests>

Mobilewalla observed a total of 16,902 devices (1,866 in Atlanta, 4,527 in
Los Angeles, 2,357 in Minneapolis and 8,152 in New York).
<https://f.hubspotusercontent40.net/hubfs/4309344/Mobilewalla%20Protester%20Insights%20Methodology.pdf>
As *BuzzFeed News* explains, Mobilewalla buys data from sources like
advertisers, data brokers and ISPs.  It uses AI to predict a person's
demographics (race, age, gender, zip code, etc.) based on location data,
device IDs and browser histories. The company then sells that info
<https://www.mobilewalla.com/about> to clients so they can ``better
understand their target customer.''
<https://www.buzzfeednews.com/article/carolinehaskins1/protests-tech-company-spying>

``This report shows that an enormous number of Americans -- probably without
even knowing it -- are handing over their full location history to shady
location data brokers with zero restrictions on what companies can do with
it,'' Senator Elizabeth Warren told *BuzzFeed News*.  ``In an end-run around
the Constitution's limits on government surveillance, these companies can
even sell this data to the government, which can use it for law and
immigration enforcement.''

Mobilewalla CEO Anindya Datta told *BuzzFeed* that the company produced the
report to satisfy its employees' curiosity. Supposedly, Mobilewalla doesn't
plan to share info about whether specific individuals attended the protests
with clients or law enforcement.

But the incident is a reminder that data brokers have access to massive
amounts of data from unassuming individuals. There's a chance that data
could be used by law enforcement or be leaked -- as we've seen happen in
past data breaches.
<https://www.engadget.com/2018-06-28-exactis-leak-340-million-records.html>
Some fear that individuals concerned about their data being swiped might
avoid protests, so in effect, the practices of collecting data may suppress
free speech. [...]

https://www.engadget.com/mobilewalla-data-broker-demographics-protests-214841548.html

------------------------------

Date: Thu, 25 Jun 2020 13:56:30 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: FBI warns K12 schools of ransomware attacks via RDP

*The FBI has issued a security alert warning K12 schools of the "ransomware
threat" during the COVID-19 pandemic.*

The US Federal Bureau of Investigation sent out on Tuesday a security alert
to K12 schools about the increase in ransomware attacks during the
coronavirus (COVID-19) pandemic, and especially about ransomware gangs that
abuse RDP connections to break into school systems.

The alert, called a Private Industry Notification, or PIN, tells schools
that "cyber actors are likely to increase targeting of K-12 schools during
the COVID-19 pandemic because they represent an opportunistic target as
more of these institutions transition to distance learning."

Schools are likely to open up their infrastructure for remote staff
connections, which in many cases would mean creating Remote Desktop Protocol
(RDP) accounts on internal school systems.

Over the past two-three years, many ransomware gangs have utilized
brute-force attacks or vulnerabilities in RDP to breach corporate networks
and deploy file-encrypting ransomware. [...]
https://www.zdnet.com/article/fbi-warns-k12-schools-of-ransomware-attacks-via-rdp/
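The password-guessing pattern the FBI alert describes shows up in Windows
Security logs as a burst of failed logons (event 4625) with LogonType 10
(RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a
success (event 4624) from the same address.  The following is an added
example by the editor, not code from the FBI notice or the ZDNet article: a
small sliding-window detector run over constructed log lines.  The flattened
line format, the threshold and the window are assumptions; real events would
come from Get-WinEvent or a SIEM export and need their own parser.

```python
"""Flag RDP password guessing (and a success right after it) in Windows
Security log lines.  Event 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP).  Added example; the log lines below
are constructed and use RFC 5737 documentation addresses."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one event per line in an assumed flattened format.
SAMPLE_LOG = """\
2020-06-23T02:14:01Z 4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2020-06-23T02:14:02Z 4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2020-06-23T02:14:03Z 4625 LogonType=10 TargetUser=teacher IpAddress=203.0.113.7
2020-06-23T02:14:04Z 4625 LogonType=10 TargetUser=it-support IpAddress=203.0.113.7
2020-06-23T02:14:05Z 4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2020-06-23T02:14:09Z 4624 LogonType=10 TargetUser=it-support IpAddress=203.0.113.7
2020-06-23T02:20:00Z 4625 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.20
2020-06-23T02:21:00Z 4624 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.20
2020-06-23T03:00:00Z 4625 LogonType=3 TargetUser=svc-print IpAddress=192.0.2.15
"""

LINE_RE = re.compile(
    r"^(\S+) (\d{4}) LogonType=(\d+) TargetUser=(\S+) IpAddress=(\S+)$")


def parse_line(line):
    """Parse one flattened event line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event_id, logon_type, user, ip = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "ip": ip,
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alerts.

    ("bruteforce", ip, ts, n): at least `threshold` RDP failures from `ip`
        inside `window` (emitted once per ip).
    ("success_after_bruteforce", ip, ts, user): an RDP success from an ip
        that was flagged within the last `window`.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    flagged = {}                    # ip -> time it crossed the threshold
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["logon_type"] != 10:   # only RDP logons matter here
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["event_id"] == 4625:
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:        # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append(("bruteforce", ip, ts, len(q)))
        elif ev["event_id"] == 4624 and ip in flagged and ts - flagged[ip] <= window:
            alerts.append(("success_after_bruteforce", ip, ts, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one worth paging on: a success from an address
that was guessing passwords seconds earlier.  Detection is the fallback,
though; the structural fix is not exposing RDP to the Internet at all (a VPN
or RD Gateway with MFA in front of it, and NLA enabled on the hosts).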

------------------------------

Date: Thu, 25 Jun 2020 13:55:31 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Hidden Back Door Embedded in Chinese Tax Software, Firm Says
  (Bloomberg)

* Malware targeted UK vendor starting to do business in China
* Cybersecurity firm said it has briefed FBI on its discovery

When a U.K.-based technology vendor started doing business in China, it
hired a cybersecurity firm to proactively hunt for any digital threats that
could arise as part of doing business in the country. The firm discovered a
problem, one with such major implications that it alerted the FBI.

A state-owned bank in China had required the tech company to download
software called Intelligent Tax to facilitate the filing of local taxes.
The tax software worked as advertised, but it also installed a hidden back
door that could give hackers remote command and control of the company's
network, according to a report published Thursday by the SpiderLabs team at
Chicago-based Trustwave Holdings Inc.
<https://www.bloomberg.com/quote/TWAV:US> (The cybersecurity firm declined
to identify the bank).

``Basically, it was a wide-open door into the network with system-level
privileges and command and control server completely separate from the tax
software's network infrastructure,'' Brian Hussey, vice president of
cyber-threat detection and response at Trustwave, wrote in a blog post
<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/>,
also published Thursday. The malware, which Trustwave dubbed GoldenSpy,
isn't downloaded and installed until two hours after the tax software
installation is completed, he said.

Trustwave researchers determined that the malware connects to a server
hosted in China.

It isn't known how many other companies downloaded the malicious software,
nor is the purpose of the malware clear or who is behind it, according to
the report. Trustwave said it disrupted the intrusion at the tech company in
the early stages.  ``However, it is clear the operators would have had the
ability to conduct reconnaissance, spread laterally and exfiltrate data,''
according to the report, adding that GoldenSpy had the characteristics of an
Advanced Persistent Threat campaign. Such efforts are often associated with
nation-state hacking groups. [...]

https://www.bloomberg.com/news/articles/2020-06-25/hidden-back-door-embedded-in-chinese-tax-software-firm-says
https://www.msn.com/en-us/finance/other/hidden-back-door-embedded-in-chinese-tax-software-firm-says/ar-BB15Y2So

------------------------------

Date: Thu, 25 Jun 2020 09:59:54 -0400
From: Monty Solomon <monty@roscom.com>
Subject: 80,000 printers are exposing their IPP port online (ZDNet)

Printers are leaking device names, locations, models, firmware versions,
organization names, and even WiFi SSIDs.

https://www.zdnet.com/article/80000-printers-are-exposing-their-ipp-port-online/
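The attributes in that list are exactly what an IPP Get-Printer-Attributes
request returns to anyone who can reach TCP port 631, no authentication
required.  The following is an added example by the editor, not code from the
ZDNet article or the scan it reports on: a minimal encoder for that request
and a decoder for the reply, following the IPP wire format of RFC 8010
(version, operation/status code, request id, tagged attribute groups, end
tag).  The reply it decodes is constructed; the attribute names follow IPP
and PWG naming, but which of them a given printer actually reports, and the
values, are illustrative.

```python
"""IPP (RFC 8010) Get-Printer-Attributes: build the request an Internet
scanner sends to port 631 and decode the reply to see what a printer
volunteers.  Added example; the sample response is constructed."""
import struct

OP_GET_PRINTER_ATTRIBUTES = 0x000B
# Delimiter tags (RFC 8010 section 3.5.1)
OPERATION_ATTRS, END_OF_ATTRS, PRINTER_ATTRS = 0x01, 0x03, 0x04
# Value tags used here
TAG_INTEGER, TAG_BOOLEAN, TAG_ENUM = 0x21, 0x22, 0x23
TAG_TEXT, TAG_NAME, TAG_KEYWORD, TAG_URI = 0x41, 0x42, 0x44, 0x45
TAG_CHARSET, TAG_LANGUAGE = 0x47, 0x48


def _attr(tag, name, value):
    """Encode one attribute: value-tag, name-length, name, value-length, value.
    An empty name marks an additional value of the preceding 1setOf attribute."""
    raw = struct.pack(">i", value) if isinstance(value, int) else value.encode("utf-8")
    return (struct.pack(">BH", tag, len(name)) + name.encode("ascii")
            + struct.pack(">H", len(raw)) + raw)


def build_get_printer_attributes(printer_uri, request_id=1):
    """Request every attribute the printer is willing to describe."""
    msg = struct.pack(">BBHI", 2, 0, OP_GET_PRINTER_ATTRIBUTES, request_id)
    msg += bytes([OPERATION_ATTRS])
    msg += _attr(TAG_CHARSET, "attributes-charset", "utf-8")
    msg += _attr(TAG_LANGUAGE, "attributes-natural-language", "en")
    msg += _attr(TAG_URI, "printer-uri", printer_uri)
    msg += _attr(TAG_KEYWORD, "requested-attributes", "all")
    return msg + bytes([END_OF_ATTRS])


def parse_ipp(data):
    """Decode a request or response into version, code (operation-id or
    status-code), request id and a list of (group-tag, {name: [values]})."""
    major, minor, code, request_id = struct.unpack(">BBHI", data[:8])
    pos, groups, current, last_name = 8, [], None, None
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == END_OF_ATTRS:
            break
        if tag < 0x10:                      # delimiter: start a new attribute group
            current = {}
            groups.append((tag, current))
            continue
        if current is None:
            raise ValueError("attribute outside any group")
        (name_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        name = data[pos:pos + name_len].decode("utf-8")
        pos += name_len
        (val_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        raw = data[pos:pos + val_len]
        pos += val_len
        if tag in (TAG_INTEGER, TAG_ENUM) and val_len == 4:
            value = struct.unpack(">i", raw)[0]
        elif tag == TAG_BOOLEAN and val_len == 1:
            value = bool(raw[0])
        elif 0x40 <= tag <= 0x4F:           # the character-string tags
            value = raw.decode("utf-8", "replace")
        else:
            value = raw                     # out-of-band or unknown: keep bytes
        if name == "":                      # additional value of a 1setOf attribute
            current[last_name].append(value)
        else:
            current.setdefault(name, []).append(value)
            last_name = name
    return {"version": (major, minor), "code": code,
            "request_id": request_id, "groups": groups}


# Attributes that identify the device, its owner and its surroundings.
LEAKY = ("printer-name", "printer-location", "printer-info",
         "printer-make-and-model", "printer-organization",
         "printer-firmware-string-version", "printer-wifi-ssid")


def exposed_details(parsed):
    """Pull the identifying attributes out of the printer-attributes group."""
    found = {}
    for tag, attrs in parsed["groups"]:
        if tag == PRINTER_ATTRS:
            found.update({n: attrs[n] for n in LEAKY if n in attrs})
    return found


def sample_response(request_id=1):
    """Constructed reply (status successful-ok) with illustrative values."""
    msg = struct.pack(">BBHI", 2, 0, 0x0000, request_id)
    msg += bytes([OPERATION_ATTRS])
    msg += _attr(TAG_CHARSET, "attributes-charset", "utf-8")
    msg += _attr(TAG_LANGUAGE, "attributes-natural-language", "en")
    msg += bytes([PRINTER_ATTRS])
    msg += _attr(TAG_NAME, "printer-name", "Finance-MFP-3")
    msg += _attr(TAG_TEXT, "printer-location", "HQ, 4th floor, room 412")
    msg += _attr(TAG_TEXT, "printer-make-and-model", "ExampleCorp LaserMFP 9000")
    msg += _attr(TAG_TEXT, "printer-organization", "Example Holdings Ltd")
    msg += _attr(TAG_TEXT, "printer-firmware-string-version", "1.2.3-build-77")
    msg += _attr(TAG_TEXT, "printer-wifi-ssid", "ExampleCorp-Staff")
    msg += _attr(TAG_ENUM, "printer-state", 3)
    msg += _attr(TAG_KEYWORD, "document-format-supported", "application/pdf")
    msg += _attr(TAG_KEYWORD, "", "image/jpeg")   # second value, empty name
    return msg + bytes([END_OF_ATTRS])


if __name__ == "__main__":
    for name, values in exposed_details(parse_ipp(sample_response())).items():
        print(f"{name}: {values}")
```

To exercise it against a real device on your own network, POST the request
bytes to http://PRINTER:631/ipp/print with Content-Type application/ipp and
feed the body to parse_ipp.  The firmware string is the part an attacker
cares about most, since it tells them which published printer bugs to try;
the fix is to keep port 631 off the Internet, not to trim the attribute list.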

------------------------------

Date: Thu, 25 Jun 2020 10:04:20 -0400
From: Monty Solomon <monty@roscom.com>
Subject: FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy
  (Krebs)

An information technology specialist at the Federal Emergency Management
Agency (FEMA) was arrested this week on suspicion of hacking into the human
resource databases of University of Pittsburgh Medical Center (UPMC) in
2014, stealing personal data on more than 65,000 UPMC employees, and selling
the data on the dark web.

https://krebsonsecurity.com/2020/06/fema-it-specialist-charged-in-id-theft-tax-refund-fraud-conspiracy/

------------------------------

Date: Thu, 25 Jun 2020 00:41:36 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The US-China Battle Over the Internet Goes Under the Sea (WiReD)

The DOJ’s opposition to Facebook and Google's 8,000-mile cable to Hong Kong
highlights how physical infrastructure is as contentious as the virtual
world.

https://www.wired.com/story/opinion-the-us-china-battle-over-the-internet-goes-under-the-sea/

------------------------------

Date: Thu, 25 Jun 2020 00:45:12 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Google Will Delete Your Data by Default in 18 Months (WiReD)

Starting today, the search giant will make a previously opt-in auto-delete
feature the norm.

Google already announced security and privacy upgrades to Android 11 earlier
this month. But Wednesday's changes focus on the data that Google services
like Maps and YouTube can access -- and how long they keep it for.

Pichai wrote in a blog post: ``We’re guided by the principle that products
should keep information only for as long as it’s useful to you.  Privacy is
personal, which is why we're always working to give you control on your
terms.''

Google has been criticized for collecting and retaining data that users
don't even realize it has. A year ago, the company added auto-delete
controls that allowed you to set your Google account to delete history --
like Web and App Activity and location -- every three months or 18
months. Such a mechanism was long overdue, but Google would still collect
this data indefinitely by default. You had to find the right toggle in your
settings to set the auto-delete in motion.

Google's announcement on Wednesday flips this policy around. Newly formed
Google accounts will auto-delete activity and location every 18 months by
default. YouTube history will delete every 36 months. Existing accounts,
though, will still need to proactively turn on the feature, as Google
doesn't want to force a change on users who, for whatever reason, want the
company to maintain a forever-record of their activity. (You can find our
complete guide to limiting Google's tracking here.) As soon as you do, the
company will nuke your accumulated activity and location data that's 18
months or older, and continue to do so going forward.  Google will also push
notifications and email reminders to get existing customers to review their
data retention settings.

https://www.wired.com/story/google-auto-delete-data/

------------------------------

Date: Wed, 24 Jun 2020 22:44:52 -0700
From: "Robert R. Fenichel" <bob@fenichel.net>
Subject: Re: Medical decision tools (RISKS-32.03)

The NYT article cited by Monty Solomon was ill-informed.  In a nutshell, it
confused decision rules with estimation tools.

One of its central examples had to do with the glomerular filtration rate
(GFR), an important measure of renal function.  To measure the GFR
accurately, one infuses a specialized, non-physiological, non-metabolized
substance and observes how rapidly it is cleared into the urine.  This is a
tricky procedure, rarely done outside research laboratories.

Medical decisions are often made on the basis of an *estimated* GFR (eGFR),
obtained by measuring the serum concentration of some physiological solute
that is (mostly) eliminated into the urine.  The solute most frequently used
is creatinine, a byproduct of muscle metabolism.  With creatinine data and a
body of true GFR data, it is a curve-fitting exercise to see what eGFR
formula best predicts the true GFR.

As a matter of empirical fact, the fit is improved by formulas that include
age, sex, and self-reported race.  Decisions about medical care (for
example, when to begin hemodialysis) should be based on the best estimates
of patients' physiological state.  If GFR were estimated using simpler
formulas, blind to sex, age, and race, patient care would be worse.

The conventional eGFR formulas are not restricted to medical systems that,
like those of private medical care in the US, have been credibly charged
with providing poor service to racial minorities and to women.  The same
formulas are used in socialized systems, including that of the US military
and, of course, those of developed countries around the world.

Robert R. Fenichel, M.D.:  http://www.fenichel.net

------------------------------

Date: 25 Jun 2020 16:46:01 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Re: Only Sort of Wrongfully Accused by an Algorithm (RISKS-32.03)

> In what may be the first known case of its kind, a faulty facial
> recognition match led to a Michigan man's arrest for a crime he did not
> commit.

If you read the article, you will find that the headline doesn't match what
actually happened:

  After Ms. Coulson, of the state police, ran her search of the probe image,
  the system would have provided a row of results generated by NEC and a row
  from Rank One, along with confidence scores.  Mr. Williams's driver's
  license photo was among the matches. Ms. Coulson sent it to the Detroit
  police as an *Investigative Lead Report*.

  ``THIS DOCUMENT IS NOT A POSITIVE IDENTIFICATION.  IT IS AN INVESTIGATIVE
  LEAD ONLY AND IS NOT PROBABLE CAUSE FOR ARREST.''  [The file says this in
  bold capital letters at the top.]

This is what technology providers and law enforcement always emphasize when
defending facial recognition: It is only supposed to be a clue in the case,
not a smoking gun. Before arresting Mr. Williams, investigators might have
sought other evidence that he committed the theft, such as eyewitness
testimony, location data from his phone or proof that he owned the clothing
that the suspect was wearing.

In this case, however, according to the Detroit police report, investigators
simply included Mr. Williams's picture in a *6-pack photo lineup* they
created and showed to Ms. Johnston, Shinola's loss-prevention contractor,
and she identified him. (Ms. Johnston declined to comment.)

The photo match algorithm indeed did a lousy job, but the people who used
the picture did a worse job. False identification from photo lineups has
been a problem for a very long time. There are some well known mitigations
that they didn't use here, in particular showing the pictures one at a time
rather than in a group. The latter tends to make people pick the closest
match even if the match isn't close at all.

------------------------------

Date: Fri, 26 Jun 2020 10:26:45 -0700
From: Rob Slade <rmslade@shaw.ca>
Subject: Risks for charities, non-profits, small groups

Gloria belongs to a quilting group and an embroidery group.  Neither group
is meeting right now.  The church where both groups normally meet is giving
them a break on rent, because of the public health restrictions on meetings,
but there are still some ongoing expenses.  In addition, with no meetings
going on, some members are starting to question their membership and dues.

They aren't alone.  This article focuses on charities, but a number of small
groups are in serious trouble over the pandemic.  Many amateur sports
leagues are already collapsing.

https://www.cbc.ca/news/business/nonprofits-charities-pandemic-closures-1.5625165
http://newsletters.cbc.ca/c/1172n42cXIEJwxO1WDX0kiIMyBQ

Our industry and technical groups are facing related issues.  We may be in a
slightly different situation, since most of us have the technical chops to
set up virtual meetings, but getting people to attend these meetings is
surprisingly difficult.  (Apparently if nobody is providing free coffee and
donuts, we won't go.)

We need contacts.  We need to get ideas from peers.  We need to bounce ideas
off each other.  We need to mentor, even if informally, the newcomers to our
profession (and recruit students in technical areas *into* our profession).

Support your local chapter, LUG, SIG, meetup or whatever.

------------------------------

Date: Thu, 25 Jun 2020 19:33:47 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: AI Ethics: IP Protection for AI-generated and AI-assisted works

 Tickets, Sun, 5 Jul 2020 at 11:45 AM | Eventbrite

Session to share our insights with World Intellectual Property Organization
on IP protection for AI-generated and AI-assisted work

About this Event

We are hosting this session to share our insights with the World
Intellectual Property Organization on IP protections for AI-generated and
AI-assisted works drawing from our diverse perspectives and experience and
having done so before for various other public consultations. Given that
this will be a shorter session and focused on providing concrete
recommendations, we encourage you to read the document beforehand and frame
your contributions in line with the questions.

Link to the reading:
https://www.wipo.int/edocs/mdocs/mdocs/en/wipo_ip_ai_2_ge_20/wipo_ip_ai_2_ge_20_1_rev.pdf

Questions that we will cover in the session:

1. Should the law require that a human being be named as the inventor or
should the law permit an AI application to be named as the inventor?

https://www.eventbrite.ca/e/ai-ethics-ip-protection-for-ai-generated-and-ai-assisted-works-tickets-110841044548

New horizons in AI planning... AI is a tool; naming it as inventor seems to
make as much sense as naming the computer on which a patent application is
typed.

------------------------------

Date: Mon, 1 Jun 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.04
************************
