Risks Digest 32.19

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Fri Aug 14 21:20:46 2020

From: RISKS List Owner <risko@csl.sri.com>
Date: Fri, 14 Aug 2020 18:20:20 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Friday 14 August 2020  Volume 32 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.19>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
The Iconic Arecibo Telescope Goes Quiet After Major Damage (WiReD)
The Tragic Physics of the Deadly Explosion in Beirut (WiReD)
North Korean Hacking Group Attacks Israeli Defense Industry (NYTimes)
Researchers discovered significant vulnerability in Amazon's Alexa
  (The Hill)
Bald eagle attacks government drone and sends it to bottom of Lake Michigan
  (The Guardian)
Vulnerabilities in Qualcomm Chips Expose Billions of Devices to Attacks
  (YouTube)
Snapdragon chip flaws put >1 billion Android phones at risk of data theft
  (Ars Technica)
Flaws in Samsung Phones Exposed Android Users to Remote Attacks
  (The Hacker News)
Microsoft plugs at least 120 Windows security holes (Krebs on Security)
Coming Next: The Greater Recession (Paul Krugman via Randall Head)
Social media and misinformation (Rob Slade)
Deepfakes or not??? (Mark Thorson)
A protester tried to ID a police officer on Twitter. Now he faces a felony
  -- along with four who retweeted him.  (WashPost)
Scientists rename human genes to stop Microsoft Excel from misreading them
  as dates (The Verge)
You do know you are being tracked, right? (WSJ)
Thousands of cases went unreported in California when a computer server
  failed (NYTimes)
Blackstone to acquire Ancestry.com for $4.7 billion (Oguh)
USG Contractor Embedded Software in Apps to Track Phones (WSJ)
Illiterate cell phone user experience (Dan Jacobson)
Photoshop Will Help ID Images That Have Been Photoshopped (WiReD)
Is it the AI That's Racist, or is it the Humans That Create the AI?
  (AI Daily)
AI bias detection ... (PGN)
Leaked Documents Reveal What TikTok Shares with Authorities -- in the U.S.
  (The Intercept via Richard Forno)
Why & Where You Should Plant Your Flag (Krebs on Security)
Postal Service warns 46 states their voters could be disenfranchised by
  delayed mail-in ballots (WashPost)
Mailer To DC Voters Prompts Widespread Confusion (DCist)
Trump's lapdog Postmaster General wants to more than double costs for states
  to mail ballots to voters! Crooked through and through.  (Law and Crime)
Unwanted Truths: Inside Trump's Battles With U.S. Intelligence Agencies
  (NYTimes)
The quest to liberate $300,000 of bitcoin from an old ZIP file
  (Ars Technica)
Risk of driving while Black in conjunction with computer risks (anon)
Why climate change is about to make your bad commute worse (WashPost)
Chrome will start hiding most of URLs, but you can opt-out -- AND YOU
  SHOULD! (Lauren Weinstein)
How romance scams are thriving during quarantine. (The Verge)
No to Blockchain Credentials of COVID-19 Test Results for Entry to Public
  Spaces (EFF)
Virginia launches contact-tracing app COVIDWISE using Apple, Google
  technology (WashPost)
The nuclear mistakes that could have ended civilisation (bbc.com)
Re: Omniviolence Is Coming and the World Isn't Ready (Eric Sosman)
Re: Blackbaud breach (A Michael W Bacon)
Re: City outage (A Michael W Bacon)
Re: Beirut explosion (A Michael W Bacon)
Re: Beirut Blast (3daygoaty)
Re: Tom's Hardware goes dark/side/ (Steve Singer)
Re: When tax prep is free, you may be paying with your privacy
  (David Damerell)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------

Date: Wed, 12 Aug 2020 15:52:12 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The Iconic Arecibo Telescope Goes Quiet After Major Damage (WiReD)

A cable cut a large gash into the radio telescope this week and it's
uncertain when it will be back in working order.

https://www.wired.com/story/the-iconic-arecibo-telescope-goes-quiet-after-major-damage/

------------------------------

Date: Sat, 8 Aug 2020 21:14:45 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The Tragic Physics of the Deadly Explosion in Beirut (WiReD)

A blast injury specialist explores the chemistry -- and history -- of
explosions like the one captured in videos that swept across the world.

https://www.wired.com/story/tragic-physics-deadly-explosion-beirut/

------------------------------

Date: Wed, 12 Aug 2020 20:56:34 -0400
From: Monty Solomon <monty@roscom.com>
Subject: North Korean Hacking Group Attacks Israeli Defense Industry
  (NYTimes)

Israel says the attack was thwarted, but a cybersecurity firm says it was
successful. Some officials fear that classified data stolen by North Korea
could be shared with Iran.

https://www.nytimes.com/2020/08/12/world/middleeast/north-korea-hackers-israel.html

------------------------------

Date: Thu, 13 Aug 2020 13:38:45 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Researchers discovered significant vulnerability in Amazon's Alexa
  (The Hill)

Researchers at cybersecurity provider Check Point uncovered a flaw in
Amazon's Alexa virtual assistant that left owners' personal information
vulnerable before it was patched in June.

The researchers detailed the vulnerability in a report released Thursday,
saying potential hackers could have hijacked the voice assistant devices
using malicious Amazon links.

Once those links were clicked, hackers would be able to install or remove
"Skills" -- essentially apps -- from Alexa devices.

They would also be able to access the user's voice history with their
device as well as personal information as sensitive as banking data and home
addresses.  [...]

https://thehill.com/policy/technology/511746-researchers-discovered-significant-vulnerability-in-amazons-alexa

Also:
https://www.wired.com/story/amazon-alexa-bug-exposed-voice-history-hackers/

------------------------------

Date: Fri, 14 Aug 2020 11:24:48 -0700
From: Peter Neumann <neumann@csl.sri.com>
Subject: Bald eagle attacks government drone and sends it to bottom of Lake
  Michigan (The Guardian)

There is something appropriately symbolic in this ....

https://www.theguardian.com/us-news/2020/aug/14/eagle-drone-attack-lake-michigan

------------------------------

Date: Mon, 10 Aug 2020 12:10:10 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Vulnerabilities in Qualcomm Chips Expose Billions of Devices to
  Attacks (YouTube)

*Security researchers have identified hundreds of vulnerabilities that
expose devices with Qualcomm Snapdragon chips to attacks.*

During a presentation
<https://www.youtube.com/watch?v=CrLJ29quZY8&feature=youtu.be> at DEF CON
last week, Check Point security researcher Slava Makkaveev revealed how
vulnerabilities in the compute digital-signal processor (DSP) -- a subsystem
that enables the processing of data with low power consumption -- could open
the door for Android applications to perform malicious attacks.

The proprietary subsystem is licensed for programming to OEMs and a small
number of application developers, and the code running on DSP is signed,
but the security researchers have identified ways to bypass Qualcomm's
signature and run code on DSP.

Vendors can build software for DSP using the Hexagon SDK, and serious
security flaws in the development kit itself have resulted in hundreds of
vulnerabilities being introduced in code from Qualcomm and partner vendors.

According to Makkaveev, almost all of the DSP executable libraries that
come embedded in Qualcomm-based smartphones are exposed to attacks through
the issues identified in the Hexagon SDK.

The discovered flaws, over 400 in total, are tracked as CVE-2020-11201,
CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and
CVE-2020-11209 and have already been acknowledged by Qualcomm.

Check Point has yet to publish technical details on these vulnerabilities,
but says
<https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/> that
attackers able to exploit them would require no user interaction to
exfiltrate large amounts of information, including users' photos and
videos, and GPS and location data, or to spy on users by recording calls or
turning on the microphone.

Denial of service attacks are also possible, with the device remaining
permanently unresponsive, thus making the information stored on it
unavailable. Furthermore, malicious code installed on the device could hide
activities entirely and become unremovable.

With Qualcomm's chips present in approximately 40% of the smartphones out
there, including high-end devices from Google, LG, OnePlus, Samsung,
Xiaomi, and others, at least 1 billion mobile users are affected by these
vulnerabilities.  [...]
https://www.securityweek.com/vulnerabilities-qualcomm-chips-expose-billions-devices-attacks

------------------------------

Date: Sun, 9 Aug 2020 14:57:23 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Snapdragon chip flaws put >1 billion Android phones at risk of data
  theft (Ars Technica)

There's no word on when Google and phone makers will incorporate fix from
Qualcomm.

A billion or more Android devices are vulnerable to hacks that can turn them
into spying tools by exploiting more than 400 vulnerabilities in Qualcomm's
Snapdragon chip, researchers reported this week.

The vulnerabilities can be exploited when a target downloads a video or
other content that's rendered by the chip. Targets can also be
attacked by installing malicious apps that require no permissions at all.

From there, attackers can monitor locations and listen to nearby audio in
real time and exfiltrate photos and videos. Exploits also make it possible
to render the phone completely unresponsive. Infections can be hidden from
the operating system in a way that makes disinfecting difficult.  ...

https://arstechnica.com/information-technology/2020/08/snapdragon-chip-flaws-put-1-billion-android-phones-at-risk-of-data-theft/

------------------------------

Date: Thu, 13 Aug 2020 13:37:45 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Flaws in Samsung Phones Exposed Android Users to Remote Attacks
  (The Hacker News)

New research disclosed a string of severe security vulnerabilities in the
'Find My Mobile' -- an Android app that comes pre-installed on most Samsung
smartphones -- that could have allowed remote attackers to track victims'
real-time location, monitor phone calls, and messages, and even delete data
stored on the phone.

Portugal-based cybersecurity services provider Char49 revealed its findings
<https://char49.com/tech-reports/fmmx1-report.pdf> on Samsung's Find My
Mobile Android app at the DEF CON conference last week and shared details
with the Hacker News.

"This flaw, after setup, can be easily exploited and with severe
implications for the user and with a potentially catastrophic impact:
permanent denial of service via phone lock, complete data loss with factory
reset (SD card included), serious privacy implication via IMEI and location
tracking as well as call and SMS log access," Char49's Pedro Umbelino said
in technical analysis.

The flaws, which work on unpatched Samsung Galaxy S7, S8, and S9+ devices,
were addressed by Samsung after flagging the exploit as a "high impact
vulnerability."

Samsung's Find My Mobile <https://findmymobile.samsung.com/> service allows
owners of Samsung devices to remotely locate or lock their smartphone or
tablet, back up data stored on the devices to Samsung Cloud, wipe local
data, and block access to Samsung Pay.

According to Char49, there were four different vulnerabilities in the app
that could have been exploited by a malicious app installed on the targeted
device, thus creating a man-in-the-disk attack
<https://thehackernews.com/2018/08/man-in-the-disk-android-hack.html> to
hijack communication from the backend servers and snoop on the victim.  [...]
https://thehackernews.com/2020/08/samsung-find-my-phone-hacking.html
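A model of the man-in-the-disk pattern named above, added here as an example and not taken from Char49's report or from Samsung's app. It shows the exposed shape (an app reads its settings, including which backend to contact, from a file on shared external storage that any app with storage permission can rewrite) next to a hardened loader that refuses the file unless an HMAC tag, keyed from app-private storage, verifies. The directory layout, file names, key handling and the "attacker.example" backend are constructed for this example; the Android-specific fix is simply to keep such files in internal storage, and the integrity check is the fallback when shared storage cannot be avoided.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Tuple

# Model of the man-in-the-disk pattern: a companion app reads settings
# (here, the backend it will talk to) from a file on shared external
# storage, which any other app with storage permission can rewrite.
# Paths, file names and keys below are constructed for this example.


def load_config_unverified(path: Path) -> dict:
    """The exposed pattern: trust whatever is on the shared disk."""
    return json.loads(path.read_bytes())


def seal_config(config: dict, key: bytes) -> bytes:
    """Serialize config and append an HMAC-SHA256 tag computed with a key
    held in app-private storage, which other apps cannot read."""
    body = json.dumps(config, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_config_verified(blob: bytes, key: bytes) -> dict:
    """Hardened loader: reject the file unless the tag verifies."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("config on shared storage failed integrity check")
    return json.loads(body)


def simulate_man_in_the_disk() -> Tuple[str, bool]:
    """Return (backend the unverified loader would use, whether the verified
    loader caught the tamper) after a hostile app rewrites the shared file."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp) / "sdcard"          # stands in for /sdcard
        private = Path(tmp) / "data" / "app"   # stands in for app-private dir
        shared.mkdir()
        private.mkdir(parents=True)

        # Victim app writes its settings; the key stays in private storage.
        key = os.urandom(32)
        (private / "hmac.key").write_bytes(key)
        genuine = {"server_url": "https://backend.example", "interval": 60}
        (shared / "settings.json").write_bytes(json.dumps(genuine).encode())
        (shared / "settings.sealed").write_bytes(seal_config(genuine, key))

        # Hostile app with storage permission points the victim at its server.
        hijacked = dict(genuine, server_url="https://attacker.example")
        (shared / "settings.json").write_bytes(json.dumps(hijacked).encode())
        forged = seal_config(hijacked, b"attacker-does-not-know-the-key")
        (shared / "settings.sealed").write_bytes(forged)

        used = load_config_unverified(shared / "settings.json")["server_url"]
        try:
            load_config_verified((shared / "settings.sealed").read_bytes(),
                                 (private / "hmac.key").read_bytes())
            caught = False
        except ValueError:
            caught = True
    return used, caught


if __name__ == "__main__":
    backend, detected = simulate_man_in_the_disk()
    print("unverified loader would talk to:", backend)
    print("verified loader rejected the file:", detected)
```

The tag only proves the file was last written by someone holding the key; it does not stop a hostile app from copying back an older, genuinely sealed file, so include a version or nonce in the sealed body if rollback matters for the setting in question.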

------------------------------

Date: Tue, 11 Aug 2020 16:40:45 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Microsoft plugs at least 120 Windows security holes
  (Krebs on Security)

Microsoft today released updates to plug at least 120 security holes in its
Windows operating systems and supported software, including two newly
discovered vulnerabilities that are actively being exploited. Yes, good
people of the Windows world, it's time once again to backup and patch up!
[...]

https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/

------------------------------

Date: August 8, 2020 at 8:48:42 PM EDT
From: Randell Head <rvh40@insightbb.com>
Subject: Coming Next: The Greater Recession (Paul Krugman)

  [Via Dewayne Hendricks]

Paul Krugman, *The New York Times*, 6 Aug 2020

The suspension of federal benefits would create damage almost as terrifying
as the economic effects of the coronavirus.
<https://www.nytimes.com/2020/08/06/opinion/coronavirus-us-recession.html>

"Greater Recession"?   Dr. K is too shy by a long shot.

Pretty much every multi-tenant office building and almost all shopping malls
in this country are owned by REITs, almost exactly all of which are
mortgaged to the limits of their bankers' tolerance.

Those mortgages are based on the assessed value of the real estate.  Those
assessments assume a roughly 80% occupancy rate.

The malls are undergoing a calamity of their own, which everyone knows about
- Shopped at Sears, lately?

But the office buildings - ah, the office buildings!

Many of their tenants will not survive.  Of those who do survive, all will
have noticed how much cheaper it is to give every employee a laptop and
cable modem than it is to pay rent on those downtown or suburban office
towers.

Yeah, perhaps most of them will keep some sort of office, but when it comes
time to renew the leases, they will be able to point to the hundreds of
thousands of square feet of empty space in the neighboring towers, so they
will reduce their leased space and they will largely get a lower price per
square foot.  (If they don't get a reduction, they need to fire whoever is
negotiating on their behalf).

This means the office buildings are assessed too high.

If they are reassessed, most of the loans against them are suddenly unsecured.

Those REITs I mentioned?

They're not going to be able to make their mortgage payments, once 25% of
their tenants go under or break (or fail to renew) their leases, which means
that the banks and hedge funds which hold those mortgages are suddenly
insolvent.

Few people have any sympathy for hedge funds, thinking no one they know has
any money with them, but a very large percentage of pension funds have some
money with hedge funds.

That's not the big deal, though.  The big deal is the insolvent banks.

Remember the early days of the 2008 Crash?  Banks were refusing to make
Guaranteed Student Loans.

Reading this, I assumed that was just your usual "Rich Folks, sticking up
the government" scam, but I was wrong - they didn't make Guaranteed Student
Loans because they COULDN'T -- insolvent banks can't lend any money, not
even when they have the Full Faith and Credit of the US Government backing
the loans.

A middling-sized bank which in January had twenty billion dollars of
commercial loans, secured by liens against $25B of office towers and
shopping malls, now has twenty billion dollars of commercial loans, secured
by liens against $18B of real property.

Sure, the property is still assessed at $25B, but what would it bring on the
open market?  $18B is probably too generous.

If you thought it was fun, bailing out the FSLIC, you're gonna *love*
bailing out the FDIC, especially when every advanced economy on the planet
is busy bailing out its own banks.

------------------------------

Date: Sat, 8 Aug 2020 17:41:05 -0700
From: Rob Slade <rmslade@shaw.ca>
Subject: Social media and misinformation

This article provides laudable and important sentiments:
https://www.pressreader.com/canada/the-london-free-press/20200808/281711206997706

And the authors are dangerously over-optimistic.  I've been waiting 40
years (since before the Internet was called the Internet) for people to wake
up, and it hasn't happened yet.

------------------------------

Date: Sat, 8 Aug 2020 12:07:19 -0700
From: Mark Thorson <eee@dialup4less.com>
Subject: Deepfakes or not???

I have noticed a lack of tight synchronization between the audio and picture
on commercial over-the-air broadcast television is surprisingly common, and
I'm wondering whether this may be a marker for video that has been faked.

I first noticed this around the time of conversion from analog to digital,
when one channel was particularly annoying with its poor synchronization.
The problem becomes more obvious when you develop some ability to read lips.
Certain sounds, especially "p" and "b", require the lips to come together,
and they make tracking the audio against the picture much simpler.  It does
not take much practice to become proficient, though I still can't tell what
words are being said from the picture alone.  Any video passing through Zoom
cannot be analyzed this way because there isn't enough temporal resolution
to make this comparison.

An argument against deepfakes is that this phenomenon is very widespread.  I
can't give you anything approaching a number based on data, but my
impression is at least 20% of all broadcast television exhibits this problem
-- including a large amount for which there would be no obvious motive.  Why
would you fake the talking heads on a news broadcast or the presentation of
a comedy routine?  I suspect it may be a weakness of the digital video
standard, though I suppose there may be other explanations.  It's either
that, or we are awash in fake video.

------------------------------

Date: Fri, 7 Aug 2020 17:42:11 -0400
From: Monty Solomon <monty@roscom.com>
Subject: A protester tried to ID a police officer on Twitter. Now he faces a
  felony -- along with four who retweeted him.  (WashPost)

Kevin Alfaro and four people who retweeted the post have been charged with
cyber harassment, a 4th degree felony with up to 18 months of incarceration
and a $10,000 fine.

https://www.washingtonpost.com/nation/2020/08/07/black-lives-matter-tweet-police-felony/

------------------------------

Date: Fri, 7 Aug 2020 15:13:47 -0700 (PDT)
From: Thomas Dzubin <dzubint@vcn.bc.ca>
Subject: Scientists rename human genes to stop Microsoft Excel from
  misreading them as dates (The Verge)

``Excel is a behemoth in the spreadsheet world and is regularly used by
scientists to track their work and even conduct clinical trials. But its
default settings were designed with more mundane applications in mind, so
when a user inputs a gene's alphanumeric symbol into a spreadsheet, like
"MARCH1" which is short for "Membrane Associated Ring-CH-Type Finger 1",
Excel converts that into a date: "1-Mar".''

https://www.theverge.com/2020/8/6/21355674/human-genes-rename-microsoft-excel-misreading-dates

And yes, I know that people can set the formatting of cells, rows & columns
of cells to be 'don't change what I entered' format, it's the defaults that
are supposed to make our lives easier which is breaking things.
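As an added illustration, not from the Verge article or the poster, here is the check a data team would want before a results table leaves the lab: a scanner for cells that Excel's default en-US heuristics rewrite, plus the rename the article describes. The date rule (a month name or 3-letter abbreviation, "SEPT" included, followed by a day of 1-31) and the scientific-notation rule (digits around a single "E", which turns an identifier like 2310009E13 into a float) are assumptions about Excel's defaults and are locale dependent; the rename map follows HGNC's 2020 changes (MARCHn to MARCHFn, SEPTn to SEPTINn, DEC1 to DELEC1). The CSV is constructed sample input.

```python
import csv
import io
import re
from typing import List, Optional, Tuple

# Assumption: Excel's en-US defaults. A month name or its 3-letter
# abbreviation ("SEPT" included), optionally separated from a one- or
# two-digit day by a space, "-" or "/", is coerced to a date, so the
# gene symbol MARCH1 becomes 1-Mar on entry or CSV import.
_MONTH = (r"JAN(?:UARY)?|FEB(?:RUARY)?|MAR(?:CH)?|APR(?:IL)?|MAY|JUNE?|JULY?|"
          r"AUG(?:UST)?|SEP(?:T|TEMBER)?|OCT(?:OBER)?|NOV(?:EMBER)?|DEC(?:EMBER)?")
_DATE_RE = re.compile(rf"^(?:{_MONTH})[-/ ]?(\d{{1,2}})$", re.IGNORECASE)

# Digits on both sides of a single "E" are read as scientific notation
# (an identifier like 2310009E13 becomes the float 2.31E+19).
_SCI_RE = re.compile(r"^\d+E\d+$", re.IGNORECASE)


def excel_coercion_risk(cell: str) -> Optional[str]:
    """Return "date", "number" or None for how Excel would treat the cell."""
    value = cell.strip()
    m = _DATE_RE.match(value)
    if m and 1 <= int(m.group(1)) <= 31:
        return "date"
    if _SCI_RE.match(value):
        return "number"
    return None


def audit_csv(csv_text: str) -> List[Tuple[int, int, str, str]]:
    """List (row, column, value, risk) for every cell Excel would rewrite."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            risk = excel_coercion_risk(cell)
            if risk:
                findings.append((r, c, cell, risk))
    return findings


# HGNC's 2020 renamings (the fix the article describes): the whole
# MARCHn and SEPTn families, and DEC1 individually.
_FAMILY_RENAMES = {"MARCH": "MARCHF", "SEPT": "SEPTIN"}
_EXACT_RENAMES = {"DEC1": "DELEC1"}


def hgnc_rename(symbol: str) -> str:
    """Map an old Excel-prone symbol to its HGNC replacement, else unchanged."""
    if symbol in _EXACT_RENAMES:
        return _EXACT_RENAMES[symbol]
    m = re.match(r"^(MARCH|SEPT)(\d+)$", symbol)
    if m:
        return _FAMILY_RENAMES[m.group(1)] + m.group(2)
    return symbol


# Constructed sample: a differential-expression table as a lab might export it.
SAMPLE_CSV = """gene,log2fc,padj
BRCA1,0.8,0.001
MARCH1,-1.2,0.03
SEPT9,2.1,0.0004
2310009E13,0.3,0.2
"""


def rename_first_column(csv_text: str) -> str:
    """Rewrite the symbol column with hgnc_rename; other columns untouched."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        if row:
            row[0] = hgnc_rename(row[0])
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    for r, c, value, risk in audit_csv(SAMPLE_CSV):
        print(f"row {r} col {c}: {value!r} would be read as a {risk}")
    print(rename_first_column(SAMPLE_CSV))
```

Renaming removes the date cases but not the scientific-notation one, which the audit still reports; identifiers of that shape have to be imported with the column explicitly set to Text, since CSV carries no type information for Excel to respect.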

------------------------------

Date: Thu, 13 Aug 2020 11:37:28 +0200
From: Anthony Thorn <anthony.thorn@atss.ch>
Subject: You do know you are being tracked, right? (WSJ)

*The Wall Street Journal*, 7 Aug 2020
https://www.wsj.com/articles/u-s-government-contractor-embedded-software-in-apps-to-track-phones-11596808801

"U.S. Government Contractor Embedded Software in Apps to Track Phones
Anomaly Six has ties to military, intelligence agencies and draws location
data from more than 500 apps with hundreds of millions of users

The U.S. government is using app-generated marketing data based on the
movements of millions of cellphones around the country for some forms of law
enforcement. We explain how such data is being gathered and sold.

WASHINGTON -- A small U.S. company with ties to the U.S. defense and
intelligence communities has embedded its software in numerous mobile apps,
allowing it to track the movements of hundreds of millions of mobile phones
world-wide, according to interviews and documents reviewed by The Wall
Street Journal.

Anomaly Six LLC, a Virginia-based company founded by two U.S. military
veterans with a background in intelligence, said in marketing material it is
able to draw location data from more than 500 mobile applications, in part
through its own software development kit, or SDK, that is embedded directly
in some of the apps. An SDK allows the company to obtain the phone's location
if consumers have allowed the app containing the software to access the
phone's GPS coordinates.

App publishers often allow third-party companies, for a fee, to insert SDKs
into their apps. The SDK maker then sells the consumer data harvested from
the app, and the app publisher gets a chunk of revenue. But consumers have no
way to know whether SDKs are embedded in apps; most privacy policies don't
disclose that information. Anomaly Six says it embeds its own SDK in some
apps, and in other cases gets location data from other partners.

Anomaly Six is a federal contractor that provides global-location-data
products to branches of the U.S. government and private-sector clients. The
company told The Wall Street Journal it restricts the sale of U.S. mobile
phone movement data only to nongovernmental, private-sector clients. Numerous
agencies of the U.S. government have concluded that mobile data acquired by
federal agencies from advertising is lawful. Several law-enforcement agencies
are using such data for criminal-law enforcement, the Journal has reported,
while numerous U.S. military and intelligence agencies also acquire this
kind of data."

------------------------------

Date: Sat, 8 Aug 2020 21:29:21 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Thousands of cases went unreported in California when a computer
  server failed (NYTimes)

https://www.nytimes.com/2020/08/07/world/covid-19-news.html

As California surpassed 10,000 coronavirus deaths this week, the head of the
state's Health and Human Services Agency, Dr. Mark Ghaly, said a breakdown
in the main disease reporting system had undercounted as many as 300,000
test results.  ``Our data system failed, and that failure led to inaccurate
case numbers.''

The malfunctions in the data system were compounded in recent days by huge
backlogs in testing -- in some California counties results are taking more
than two weeks to process -- muddying the overall picture of the virus's
progression in the nation's most populous state.

------------------------------

Date: August 6, 2020 20:36:27 JST
From: Richard Forno <rforno@infowarrior.org>
Subject: Blackstone to acquire Ancestry.com for $4.7 billion (Oguh)

  (You likely do NOT want your genetic data owned by China *or* a private
  equity firm, even one based in America. --rick) <via Dave Farber>

Chibuike Oguh, Reuters, Blackstone to acquire Ancestry.com for $4.7B

https://www.reuters.com/article/us-ancestry-m-a-blackstone-group/blackstone-to-acquire-ancestry-com-for-4-7-billion-idUSKCN2512ES

(Reuters) - Blackstone Group Inc (BX.N) said on Wednesday it agreed to
acquire genealogy provider Ancestry.com Inc from private equity rivals for
$4.7 billion, including debt, placing a big bet on family-tree chasing as
well as personalized medicine.

Ancestry.com is the world's largest provider of DNA services,
allowing customers to trace their genealogy and identify genetic health
risks with tests sent to their home.

Blackstone is hoping that more consumers staying at home amid the COVID-19
pandemic will turn to Ancestry.com for its services.

``We believe Ancestry has significant runway for further growth as people of
all ages and backgrounds become increasingly interested in learning more
about their family histories and themselves,'' David Kestnbaum, a Blackstone
senior managing director, said in a statement.

The deal is Blackstone's first acquisition out of Blackstone Capital
Partners VIII, the largest-ever private equity fund that raised $26 billion
from investors last year.

Ancestry.com has more than 3 million paying customers in about 30 countries,
and earns more than $1 billion in annual revenue. Launched in 1996 as a
family history website, it harnessed advances in DNA testing and mobile
phone apps in the following two decades to expand its offerings.

Blackstone is buying Ancestry.com from private equity firms Silver Lake,
Spectrum Equity and Permira. Singapore's sovereign wealth fund GIC, another
Ancestry.com investor, said it will continue to maintain a significant
minority stake in the company.

The acquisition's price tag represents a significant jump to Ancestry.com's
valuation from four years ago, when Silver Lake and GIC invested in the
Lehi, Utah-based company at a $2.6 billion valuation.

------------------------------

Date: Mon, 10 Aug 2020 9:33:38 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: USG Contractor Embedded Software in Apps to Track Phones (WSJ)

*The Wall Street Journal*, 7 Aug 2020
Anomaly Six has ties to military, intelligence agencies and draws location
data from more than 500 apps with hundreds of millions of users

Consumers have no way of knowing whether software-development kits that can
track their locations are embedded in their apps.

https://www.wsj.com/articles/u-s-government-contractor-embedded-software-in-apps-to-track-phones-11596808801

Washington -- A small U.S. company with ties to the U.S. defense and
intelligence communities has embedded its software in numerous mobile apps,
allowing it to track the movements of hundreds of millions of mobile phones
world-wide, according to interviews and documents reviewed by The Wall
Street Journal.

------------------------------

Date: Thu, 13 Aug 2020 07:26:20 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: Illiterate cell phone user experience

A web search finds lots of articles about illiterate cellphone users.
Usually the elderly or people in undeveloped countries.

My first experience instructing one over the phone: "OK, under my picture
there should be a Add Friend button."  "Probably red and green
buttons... push the green one."  They said: "Oops, I already pushed the red
one."  (Which blocked me. The block list being within a menu that they
needed to be literate to find. Alas...)

------------------------------

Date: Thu, 13 Aug 2020 18:36:54 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Photoshop Will Help ID Images That Have Been Photoshopped (WiReD)

Adobe is adding technology to tag images with metadata, part of an effort to
identify deepfakes and other efforts at manipulation.

https://www.wired.com/story/photoshop-id-images-photoshopped-deepfake/

------------------------------

Date: Tue, 11 Aug 2020 16:38:45 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Is it the AI That's Racist, or is it the Humans That Create the AI?
  (AI Daily)

Racism is a poison in our society, one which until recently, AI was thought
immune to. Underlying this is the notion that AI are incapable of conscious
thought, so they cannot consciously discriminate. However, much like humans
can have unconscious bias, so can AI. Over the last decade there have been
countless examples of racial bias displayed in AI algorithms, or AI learning
racism through machine learning. As a mixed-race individual, I want to know
where AI has been racist and why this was the case.

MIT were embarrassed in July this year, when they were forced to take
offline an AI training data-set which, following an investigation by *The
Register*, was found to be describing people with racist, misogynistic and
discriminatory language. The data-set had been used to train machine
learning models to identify people and items in images. However, the
descriptions of those people were often highly derogatory and contained
highly offensive language. The issue here was, due to a lack of oversight,
that the models were accidentally trained using discriminatory data. While
this problem is easily rectified once identified, it does highlight the risk
that machine learning algorithms with poorly constructed data-sets pose,
especially if the *racism* in those data-sets is more subtle, such as an
machine learning algorithm which scores negative points for *non-British
names* on CVs.

Google was forced to apologise in April after its *Vision AI*, an algorithm
which labels images based on their content, was found to come up with very
different results dependent on the skin colour of people in the image. This
is demonstrable by the image below, where when a black person holds a
thermometer, it is labeled as a *gun* but when a white person holds the
same thermometer, it is labeled as a *tool*. This result purports the
racial stereotype that black people are violent, leading to concerns that
the algorithm was racially biased. Yet again, we see an issue with a poor
dataset used to train the algorithm unintentionally leading to racial bias,
which further affirms just how important it is that the datasets are
properly curated before training.  [...]
https://aidaily.co.uk/articles/is-the-ai-racist-or-is-it-the-humans-that-create-it

------------------------------

Date: Sat, 8 Aug 2020 11:24:48 -0700
From: Peter Neumann <neumann@csl.sri.com>
Subject: AI bias detection ... (RISKS-32.18)

I had a complaint out of band, which applies to all items that deal
broadly with specific aspects of AI:

  It would be very nice if the people who post numbers like these would
  provide the definition of *AI* that they are using. A definition that
  allows us to look at a program and tell whether it is AI or not is
  necessary to make such numbers meaningful.

More generally, I think it is difficult to argue about trustworthiness of
AI overall, especially when the systems in which it is embedded are not
trustworthy.  PGN

------------------------------

Date: August 11, 2020 8:52:32 JST
From: Richard Forno <rforno@infowarrior.org>
Subject: Leaked Documents Reveal What TikTok Shares with Authorities -- in
  the U.S.

  [Via Dave Farber]

A glimpse at what the social media platform does in the U.S. underscores
that data privacy issues extend beyond China.

https://theintercept.com/2020/08/10/blueleaks-tiktok-law-enforcement-privacy/

------------------------------

Date: Thu, 13 Aug 2020 13:36:41 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Why & Where You Should Plant Your Flag (Krebs on Security)

Several stories here have highlighted the importance of creating accounts
online tied to your various identity, financial and communications services
before identity thieves do it for you. This post examines some of the key
places where everyone should plant their virtual flags.

As KrebsOnSecurity observed back in 2018
<https://krebsonsecurity.com/2018/06/plant-your-flag-mark-your-territory/>,
many people -- particularly older folks -- proudly declare they avoid using
the Web to manage various accounts tied to their personal and financial
data -- including everything from utilities and mobile phones to retirement
benefits and online banking services. From that story:

``The reasoning behind this strategy is as simple as it is alluring: What's
not put online can't be hacked. But increasingly, adherents to this mantra
are finding out the hard way that if you don't plant your flag online,
fraudsters and identity thieves may do it for you.''

``The crux of the problem is that while most types of customer accounts
these days can be managed online, the process of tying one's account number
to a specific email address and/or mobile device typically involves
supplying personal data that can easily be found or purchased online -- such
as Social Security numbers, birthdays and addresses.''

In short, although you may not be required to create online accounts to
manage your affairs at your ISP, the U.S. Postal Service, the credit
bureaus or the Social Security Administration, it's a good idea to do so
for several reasons.

Most importantly, the majority of the entities I'll discuss here allow just
one registrant per person/customer. Thus, even if you have no intention of
using that account, establishing one will be far easier than trying to
dislodge an impostor who gets there first using your identity data and an
email address they control.

Also, the cost of planting your flag is virtually nil apart from your
investment of time. In contrast, failing to plant one's flag can allow
ne'er-do-wells to create a great deal of mischief for you, whether it be
misdirecting your service or benefits elsewhere, or canceling them
altogether.

Before we dive into the list, a couple of important caveats. Adding
multi-factor authentication (MFA) at these various providers (where
available) and/or establishing a customer-specific personal identification
number (PIN) also can help secure online access. For those who can't be
convinced to use a password manager, even writing down all of the account
details and passwords on a slip of paper can be helpful, provided the
document is secured in a safe place.  [...]

https://krebsonsecurity.com/2020/08/why-where-you-should-you-plant-your-flag/

------------------------------

Date: Fri, 14 Aug 2020 12:11:57 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Postal Service warns 46 states their voters could be
  disenfranchised by delayed mail-in ballots [as desired by Trump]

https://www.washingtonpost.com/local/md-politics/usps-states-delayed-mail-in-ballots/2020/08/14/64bf3c3c-dcc7-11ea-8051-d5f887d73381_story.html?utm_campaign=wp_main&utm_source=twitter&utm_medium=social

------------------------------

Date: Thu, 13 Aug 2020 19:36:49 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Mailer To DC Voters Prompts Widespread Confusion (DCist)

A mailer from the DC Board of Elections was supposed to help registered
voters confirm that their address was correct. Instead, it has prompted
confusion over how exactly voters can notify the board that their address
has changed or that a person listed at their address no longer lives there.

And that could raise additional concerns ahead of the city's plan to mail
every registered voter -- there are more than 460,000 of them on file -- a
ballot ahead of November's election.

The mailer started hitting mailboxes across D.C. in recent days, and seemed
straightforward enough. People who received it at the address where they
live did not need to take further action -- that's where the ballot will be
sent in the coming weeks. But it was flummoxing for people who need to
update their address (if, for instance, they want the ballot forwarded
elsewhere, or would be moving in the coming weeks) or want to let the
elections board know the mailer was sent to someone who once lived at the
address but is no longer there.

The instructions prompt voters to fill out one half of the mailer, detach it
from the other half, and send it back to the elections board.  But some
voters started noticing that in so doing, they'd be sending the board the
part of the mailer that has no information identifying who it was sent to to
begin with. That's because that information -- the recipient's name, address
and a unique barcode -- is on the half of the mailer that isn't supposed to
be sent back in.  ...

``Terrible design by [the D.C. Board of Elections] that is going to cause a
lot of problems. Do they not test/review these?'' tweeted Southwest D.C.
resident Stacy Cloyd.

Rachel Coll, a spokeswoman for the elections board, said in an email that
the problem was a ``design flaw'' from an outside vendor that produced the
mailers. She said the board had already gotten at least 100 of the mailers
back from voters with no issues, but the board was forced to tweet out new
instructions on Wednesday.  ...

This isn't the first time the elections board has had issues with official
documents it has mailed to voters. Earlier this year, the board sent new
voter registration cards to more than 25,000 voters with the wrong primary
date listed on them. In 2018, it failed to notify absentee voters that they
had to include postage on their envelopes to send ballots back in. And in a
particularly infamous error in 2014, the board sent out hundreds of
thousands of official voter guides with an upside-down D.C. flag ---
commonly known as a sign of distress -- on the cover.

https://dcist.com/story/20/08/13/dc-elections-board-mailer-confusion/

------------------------------

Date: Sat, 8 Aug 2020 10:00:38 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Trump's lapdog Postmaster General wants to more than double costs
  for states to mail ballots to voters! Crooked through and through.

https://lawandcrime.com/opinion/if-trumps-postmaster-general-raises-mail-in-ballot-stamp-price-that-could-be-an-unconstitutional-poll-tax/

------------------------------

Date: Sat, 8 Aug 2020 23:24:37 -0600
From: "Matthew Kruk" <mkrukg@gmail.com>
Subject: Unwanted Truths: Inside Trump's Battles With U.S. Intelligence
  Agencies (NYTimes)

Last year, intelligence officials gathered to write a classified report on
Russia's interest in the 2020 election. An investigation from the magazine
uncovered what happened next.

https://www.nytimes.com/2020/08/08/magazine/us-russia-intelligence.html?action=click&module=Top%20Stories&pgtype=Homepage

------------------------------

Date: Sun, 9 Aug 2020 19:00:12 -0400
From: Monty Solomon <monty@roscom.com>
Subject: The quest to liberate $300,000 of bitcoin from an old ZIP file
  (Ars Technica)

A few quintillion possible decryption keys stand between a man and his
cryptocurrency.

In October, Michael Stay got a weird message on LinkedIn. A total stranger
had lost access to his bitcoin private keys -- and wanted Stay's help
getting his $300,000 back.

https://arstechnica.com/information-technology/2020/08/the-quest-to-liberate-300000-of-bitcoin-from-an-old-zip-file/

https://www.wired.com/story/quest-to-liberate-bitcoin-from-old-zip-file/

------------------------------

Date: Sun, 9 Aug 2020 10:50:07 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Risk of driving while Black in conjunction with computer risks

  [This was submitted by someone who did not want to be identified.  PGN]

An automated scanner recorded a vehicle's plate number but the scanner
determines neither the issuing state nor the type of vehicle. The plate
number was flagged because just the number matched a USA national list of
stolen vehicles. Computer risk 1 is a device by design gathering less than
the full set of data needed. In this case the police user of scanner data is
allocated the task of checking the further details of the plate, i.e.,
comparing the state on the theft report *Montana* with the state on the
plate of the scanned vehicle *Colorado* and comparing the sort of vehicle on
the report *motorcycle* with the vehicle observed *passenger car*. This
design assumption is computer risk 2. The manual comparison reportedly did
not occur. The driver said she asked the police to compare her name on her
driver licence to her name on the car registration but the police continued
to assume that the car was stolen. Perhaps the usual blind faith in the
computer (risk 3).

The woman's children, as young as six years, were in the car and were
ordered to lie on the street facedown. Two were handcuffed. The family is
black. The risk here is not a computer risk but rather being black while
driving.

https://www.denverpost.com/2020/08/04/aurora-police-handcuff-children-video/
Note that the Denver Post newspaper's site does not allow using a private or
incognito mode of a browser. It litters the browser with cookies, a file
system, database storage, local storage, service workers. It will attempt to
sign up the browser for notification spam.

------------------------------

Date: Sun, 9 Aug 2020 15:24:20 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Why climate change is about to make your bad commute worse
  (WashPost)

``Everything that is built around you is built with some consideration for
how much environmental exposure it's going to be able to tolerate,'' Chester
explained. ``When it comes to roads, for example, the American Association
of State Highway and Transportation Officials has guidelines that say
asphalt should be engineered to withstand the hottest week on record during
a certain historical period -- say, 1970 and 2000. In Arizona,
that might be 115 degrees, and in Chicago, it might be 105 degrees.''

The problem is, thanks to climate change, past is no longer prologue.
``We're not going to shut off CO2 emissions overnight, so the climate is
going to continue changing. The question is, by how much and in which
direction?'' Chester said.

``Let's say you design a road in Chicago for the hottest week on record,
which might be 105 degrees. Well, the hottest week going forward might be
108 degrees, or it could be 120 degrees,'' he said.

Faced with uncertainty, civil engineers can do little but guess. And the
wrong guess could be costly.

https://www.washingtonpost.com/local/trafficandcommuting/why-climate-change-is-about-to-make-your-bad-commute-worse/2020/08/08/7ad97ba8-d5b6-11ea-aff6-220dd3a14741_story.html

------------------------------

Date: Fri, 14 Aug 2020 09:35:20 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Chrome will start hiding most of URLs, but you can opt-out -- AND
  YOU SHOULD!

Google is moving ahead with what I've long considered to be a poorly-conceived
plan to hide most of Chrome browser URLs by default. My original blog posts
regarding this issue began two years ago, at:

https://lauren.vortex.com/2018/07/10/chrome-is-hiding-url-details-and-its-confusing-people-already

and you can read those posts to see my discussion of the problems involved
with this move.

The current situation is summarized in:

Google resumes its attack on the URL bar, hides full addresses on Chrome 86

https://www.androidpolice.com/2020/08/13/google-resumes-its-senseless-attack-on-the-url-bar-hides-full-addresses-on-chrome-canary/#2

The one saving grace is that reportedly (at least for now) a right click
menu item will provide an opt-out for this behavior, and I'd urge you to
take advantage of that opt-out when these versions of the browser reach
you. Unfortunately, the users most at risk from this new default behavior
are also probably the most unlikely to ever hear about this opt-out or use
it.

------------------------------

Date: Fri, 14 Aug 2020 16:09:31 -0400
From: Monty Solomon <monty@roscom.com>
Subject: How romance scams are thriving during quarantine

https://www.theverge.com/21366576/dating-app-scams-romance-women-quarantine-coronavirus-scheme

------------------------------

Date: Sun, 9 Aug 2020 20:27:17 -0400
From: Monty Solomon <monty@roscom.com>
Subject: No to Blockchain Credentials of COVID-19 Test Results for Entry to
  Public Spaces (EFF)

An ill-conceived California bill endorses a blockchain-based system that
would turn COVID-19 test results into permanent records that could be used
to grant access to public places.

https://www.eff.org/deeplinks/2020/08/no-blockchain-credentials-covid-19-test-results-entry-public-spaces

------------------------------

Date: Sun, 9 Aug 2020 15:21:22 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Virginia launches contact-tracing app COVIDWISE using Apple, Google
  technology (WashPost)

``If enough Virginians use this app, we can identify cases early and slow
the spread of this virus. We have to continue to fight #COVID19 from every
possible angle -- COVIDWISE is another tool we have to protect ourselves,
our families, and our communities during this pandemic.''

The reaction:

``Not falling for this one?   keep your tracker!'' read one response.

``Why would I willingly give the VDH permission to track who I have spent 15
minutes with?'' read another, using the initials for the Virginia Department
of Health. ``No thanks, Hard pass. I value both my privacy and liberty.''

``This is ridiculous,'' read yet another. ``Never gonna happen here.''  ...

And yet, people are still refusing to put a slip of cloth over their faces
because they'd rather make a political statement than protect the most
vulnerable around them.

They'd rather immediately dismiss an app as an invasion of their privacy
than take a moment to consider that maybe it will help keep some people
around them from getting sick or worse.

https://www.washingtonpost.com/local/a-new-app-offers-virginians-the-chance-to-show-the-country-how-to-contain-coronavirus-cases-will-they-blow-it/

------------------------------

Date: Mon, 10 Aug 2020 09:27:06 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: The nuclear mistakes that could have ended civilisation (bbc.com)

https://www.bbc.com/future/article/20200807-the-nuclear-mistakes-that-could-have-ended-civilisation

"From invading animals to a faulty computer chip worth less than a dollar,
the alarmingly long list of close calls shows just how easily nuclear war
could happen by mistake."

------------------------------

Date: Mon, 10 Aug 2020 18:02:11 -0400
From: Eric Sosman <esosman@comcast.net>
Subject: Re: Omniviolence Is Coming and the World Isn't Ready (Nautilus)

In RISKS 32.18, Richard Stein quotes Nautilus concerning the possibility
of using bomb-carrying drones against populations: "A [mini-quadcopter]
can carry a one- or two-gram shaped charge [...] You can drive up I-95
with three trucks and have 10 million weapons attacking New York City."

How much does it cost to acquire, program, and arm ten million drones?
Perhaps the RISK here is not so much the damage New York might suffer,
but the attackers' likely bankruptcy, plus the dangers inherent in
fitting ten million bombs to ten million drones ...

Maybe the lure of technological overkill (sorry) is not really a RISK, but a
mitigation?  Probably not: Attackers aren't *that* stupid, and will likely
seek cheaper and deadlier weapons.

------------------------------

Date: Sun, 9 Aug 2020 13:29:22 +0100
From: A Michael W Bacon <amichaelwbacon@gmail.com>
Subject: Re: Blackbaud breach (RISKS-32.18)

Writing about the Blackbaud breach, Gabe Goldberg cites a notification email
from "the Freedom Forum and our affiliates, the Newseum and the Freedom
Forum Institute".  I was amused by this part: 'Blackbaud is the global
market leader in not-for-profit software, and their products are commonly
used to manage relationships and communications with constituents and
donors'; the style of which is (rather predictably) emerging as the excuse:
"Don't blame us; they are the 'global market leader' so we didn't bother
validating their security."

------------------------------

Date: Sun, 9 Aug 2020 13:30:24 +0100
From: A Michael W Bacon <amichaelwbacon@gmail.com>
Subject: Re: City outage (RISKS-32.18)

In 'Cyberattack causes Lafayette, CO city computer outage', Jim Reisert AD1C
asks, "Does this mean that the attackers requested too little ransom for the
key to unlock the data?"

Maybe one should wonder whether the "kidnappers" are estimating the cost of
the disruption and rebuilding, and asking below that figure to encourage
payment.

------------------------------

Date: Sun, 9 Aug 2020 13:31:32 +0100
From: A Michael W Bacon <amichaelwbacon@gmail.com>
Subject: Re: Beirut explosion (RISKS-32.18)

Although details of the immediate events leading to the detonation of some
2,750 tons of Ammonium Nitrate (AN) are unclear, and might remain so, some
facts are established.

The AN was unloaded from a Russian-owned ship, the MV Rhosus, following the
owner's inability to pay mooring and other fees.  Out of Batumi, Georgia, in
late September 2013 the Rhosus was loaded with AN and reportedly bound for
Beira, Mozambique.  The vessel stopped in Athens for some four weeks while
the owner sought additional cargo to pay the fee for the Suez Canal. It then
detoured to Beirut to pick up one such new cargo, road-making equipment.
However, the 27-year-old ship was poorly maintained and the rusting deck
hatches began to buckle under the weight of a road-roller.  That cargo was
then refused loading by the worried captain.

Captain Prokoshev decided to head for Cyprus to sort things out with the
owner, Cyprus-based Russian businessman, Igor Grechushkin.  But before the
MV Rhosus could set sail, the Lebanese authorities intervened and seized it
on 4 February 2014, with unpaid bills reportedly totaling 100,000 USD.

The aging Rhosus was by now taking on water that had to be bailed out every
day. After a lengthy court process, the remaining crew closed all the
compartments, locked them and handed the keys to immigration at the port,
and Prokoshev and his colleagues left Beirut in September 2014, one year
after the ship's arrival.

Some [as yet unclear] time afterward, with the Rhosus deteriorating further
and taking on more water, the authorities unloaded the cargo into a dockside
warehouse. The port authorities of Beirut forbid the unloading or reloading
of cargo from one vessel to another.  Reportedly, the vessel subsequently
sank, but its resting-place is unclear.

Fast forward to 4 August 2020 and the currently revealed facts are that a
fire was burning for some time near, on or in the warehouse, some flashes
were observed, then there was the detonation.  What started the fire remains
speculation.

The Lebanese government moved quickly to announce they would find whoever
was responsible, but later began to raise the spectre of a deliberate attack
by rocket or bomb ... possibly once they realised they were responsible for
the AN being stored there.

The ensuing denials of responsibility reminded me inversely (and perversely)
of British Nuclear Fuel's claim following the 'Act of God' explosion in the
late, great Douglas Adams's book, The Long Dark Teatime of the Soul.

------------------------------

Date: Sat, 8 Aug 2020 13:58:23 +1000
From: 3daygoaty <threedaygoaty@gmail.com>
Subject: Re: Beirut Blast (RISKS-32.18)

Nice back story covering a range of processes and risks that led to the
blast.

To me it looks like the judiciary failing to grant permission to move the
chemical in a timely manner greatly increased the risk.

https://www.bbc.com/news/extra/x2iutcqf1g/beirut-blast

------------------------------

Date: Fri, 7 Aug 2020 21:01:04 -0400
From: Steve Singer <sws@dedicatedresponse.com>
Subject: Re: Tom's Hardware goes dark/side/ (RISKS-32.18)

If one follows Forno's / Farber's link with NoScript enabled on Firefox, the
following message appears:

AD BLOCKER INTERFERENCE DETECTED

Thank you for visiting this site. Unfortunately we have detected that you
might be running custom adblocking scripts or installations that might
interfere with the running of the site.

We don't mind you running adblocker, but could you please either disable
these scripts or alternatively whitelist the site, in order to continue.
Thanks for your support!

It's possible to work around this, but not worth the risk or bother to me.
My Tom's Hardware bookmark: poof!

------------------------------

Date: Mon, 10 Aug 2020 12:14:46 +0100
From: David Damerell <damerell@chiark.greenend.org.uk>
Subject: Re: When tax prep is free, you may be paying with your privacy.
  (Drewe, RISKS-32.18)

He omits mentioning that around 2/3 of UK taxpayers never interact with the
complications. Of the UK's circa 32 million taxpayers, only around 10
million fill out tax returns. An ordinary employee has tax deducted and sent
to HMRC by their employer, and has nothing to do save read their payslips.

Furthermore, those 10 million are disproportionately likely to be wealthy
(the criteria for self-assessment include earning over £100,000 per
annum); and while legend may say the system here is the most complicated,
I'm told by friends fortunate enough to be in that group that they do not
find it difficult to fill out their own forms, whereas I understand the
process is nightmarish in the US.

Hence I think essentially no-one is being put in the position of being
snooped on by "free" tax preparation services because they need a service
but cannot afford it.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.19
************************
