[32078] in RISKS Forum


Risks Digest 32.23

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Tue Aug 25 20:04:36 2020

From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 25 Aug 2020 17:04:22 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Tuesday 25 August 2020  Volume 32 : Issue 23

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.23>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Grading by algorithm results in UK debacle (Adam Satariano)
Surge staff and electronic records (Health in AU)
Commissioner of FDA admits he provided false information about COVID-19
  treatment (MedicalXpress)
Profs and loss - China is killing academic freedom in Hong Kong China
  (The Economist)
A Chrome feature is creating enormous load on global root DNS servers
  (Ars Technica)
Mike Godwin, the Creator of Godwin's Law, Is Suing Trump Over His TikTok
  Executive Order (Reason.com)
COVID-19 When Less is More (The Atlantic)
Re: Fiddling with the environment (A Michael W Bacon)
Re: Driverless cars are coming soon followup (Peter Houppermans)
Re: Date and time synchronization (Terje Mathisen)
Re: Washington Postal workers defy USPS orders and re-install mail,
   sorting machines (Jack Christensen)
Re: Dicekeys (Arthur T.)
Re: Why Does California Have So Many Wildfires? (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 25 Aug 2020 15:55:05 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Grading by algorithm results in UK debacle (Adam Satariano)

Adam Satariano, *The New York Times*, National Edition, 21 Aug 2020
 (60% of Page A10, PGN-ed)

*Automation pitfalls hit poor hardest.
Scores are thrown out, but damage is already done.*

The British government used a computer-generated score to replace exams that
were canceled due to Covid-19.  This resulted in nearly 40% of students in
England having their earned A-level exam grades lowered.  By the time the
policy was changed, many students had lost their accepted university slots.
The new score ``included in its calculations a school's past performance on
tests and a student's earlier results on `mock' exams.''

``Critics say the experience shows the risks ahead as more sophisticated
tools like artificial intelligence become available and companies pitch them
to public agencies.''

  [My own oversimplified summary is that this seems to have been another
  risk of government oversimplification, bordering on a combination of
  naivety, stupidity, and possible political motives.  A colleague suggests
  that this is because the government was horribly afraid that students
  might get marks they *didn't deserve* -- preferring to throw away any
  actual data from the schools, and just manufacture a curve.  Although not
  really addressed in Satariano's article, the new score seems to have been
  a reaction to the loss of international students resulting from COVID-19.
  But it is also just one more example of a short-sighted policy that
  trusted an artificially questionable algorithm to replace human
  intelligence.  Furthermore, the effects on disadvantaged students have
  been very profound.  PGN]

------------------------------

Date: Tue, 25 Aug 2020 11:40:20 +1000
From: James Cameron <quozl@laptop.org>
Subject: Surge staff and electronic records (Health in AU)

At an aged care facility in Sydney, pandemic surge staff did not know how to
use the electronic resident-record system, which led to diminished care both
inside the facility and by local doctors outside the facility.

https://www.health.gov.au/sites/default/files/documents/2020/08/newmarch-house-covid-19-outbreak-independent-review-newmarch-house-covid-19-outbreak-independent-review-final-report.pdf
(page 21)

------------------------------

Date: Tue, 25 Aug 2020 09:59:02 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Commissioner of FDA admits he provided false information about
  COVID-19 treatment (MedicalXpress)

https://medicalxpress.com/news/2020-08-health-touting-false-plasma.html

------------------------------

Date: Tue, 25 Aug 2020 08:29:42 +0900
From: farber@gmail.com
Subject: Profs and loss - China is killing academic freedom in Hong Kong
  China (The Economist)

https://www.economist.com/china/2020/08/23/china-is-killing-academic-freedom-in-hong-kong

------------------------------

Date: Tue, 25 Aug 2020 12:33:43 -0400
From: Monty Solomon <monty@roscom.com>
Subject: A Chrome feature is creating enormous load on global root DNS
  servers (Ars Technica)

A Chrome feature is creating enormous load on global root DNS servers
https://arstechnica.com/gadgets/2020/08/a-chrome-feature-is-creating-enormous-load-on-global-root-dns-servers/

Chromium's impact on root DNS traffic
https://blog.apnic.net/2020/08/21/chromiums-impact-on-root-dns-traffic/

------------------------------

Date: Tue, 25 Aug 2020 16:38:44 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Mike Godwin, the Creator of Godwin's Law, Is Suing Trump Over
  His TikTok Executive Order (Reason.com)

Godwin: "I know what moral panics look like; they look kind of like this."

https://reason.com/2020/08/24/mike-godwin-the-creator-of-godwins-law-is-suing-trump-over-his-tiktok-executive-order/

------------------------------

Date: Mon, 24 Aug 2020 22:28:23 -0400
From: Sheldon <sheldon10101@gmail.com>
Subject: COVID-19 When Less is More (The Atlantic)

https://www.theatlantic.com/health/archive/2020/08/how-to-test-every-american-for-covid-19-every-day/615217/

The Plan That Could Give Us Our Lives Back

The U.S. has never had enough coronavirus tests. Now a group of
epidemiologists, economists, and dreamers is plotting a new strategy to
defeat the virus, even before a vaccine is found.

... In the past several weeks, he [Michael Mina, a professor of epidemiology
at Harvard], has become an evangelist for a total revolution in how the
U.S. controls the pandemic. Instead of restructuring daily life around the
American way of testing, he argues, the country should build testing into
the American way of life.

The wand that will accomplish this feat is a thin paper strip, no longer
than a finger. It is a coronavirus test. Mina says that the U.S. should
mass-produce these inexpensive and relatively insensitive tests -- unlike
other methods, they require only a saliva sample -- in quantities of tens of
millions a day. These tests, which can deliver a result in 15 minutes or
less, should then become a ubiquitous part of daily life. Before anyone
enters a school or an office, a movie theater or a Walmart, they must take
one of these tests. Test negative, and you may enter the public space. Test
positive, and you are sent home. In other words: Mina wants to test nearly
everyone, nearly every day.

The tests Mina describes already exist: They are sitting in the office of
e25 Bio, a small start-up in Cambridge, Massachusetts; half a dozen other
companies are working on similar products. But implementing his vision will
require changing how we think about tests. These new tests are much less
sensitive than the ones we run today, which means that regulations must be
relaxed before they can be sold or used. Their closest analogue is rapid
dengue-virus tests, used in India, which are manufactured in a quantity of
100 million a year. Mina envisions nearly as many rapid COVID-19 tests being
manufactured a day. Only the federal government, acting as customer and
controller, can accomplish such a feat.  [...]

[Companies in India have developed a fancier version of a standalone
COVID-19 test which is being sold for 450 rupees ($6). This test uses the
swab up the nose until you sneeze and has a nice cassette and is harder to
use than the test from e25 bio.  About half the tests in India use these $6
antigen tests. Sadly, there's a fair amount of push back on using these
tests rather than PCR.] There is no way that school kids will tolerate a
daily swab up your nose until you scream.

To begin to learn more start at rapidtests.org.

------------------------------

Date: Tue, 25 Aug 2020 08:37:35 +0100
From: A Michael W Bacon <amichaelwbacon@gmail.com>
Subject: Re: Fiddling with the environment (Stein, RISKS-32.22)

In RISKS-32.22, Richard Stein wonders what will become of Florida's release
of a genetically engineered mosquito intended to combat Dengue Fever.

It's likely that the law of unintended consequences will have effect, and
that with the clarity of hindsight many will say the effect was totally
predictable.

  [With Greenland undergoing massive irreversible glacier melt, we can
  expect a corresponding effect of fiddling while Nome burned.  PGN]

------------------------------

Date: Tue, 25 Aug 2020 11:49:42 +0200
From: Peter Houppermans <peter@houppermans.net>
Subject: Re: Driverless cars are coming soon followup (RISKS-32.22)

There's more where that came from...

> Competition between car makers to see who can provide us the most
> distraction moves the industry in exactly the wrong direction!

In their apparent desire to attach more bells and whistles to what used to
be eminently sane concepts, there is also this trend to make indicators more
fancy (at least in Europe where they're separate from brake lights) by
implementing them as an animated strip of LEDs that *grows* by lighting more
and more of them.

The problem: this delays signal awareness.

A car's brake and turn signals are there to inform other road users that
something is about to happen that may represent a risk.  It is not even
possible to brake without brake lights flaring, but turn indicators are
manual, and apparently still considered optional by whole tribes of road
users.

In the past, LED brake lights were even sold as options on the premise that
it gave drivers more time to react as they light quicker.  However, these
*swelling* indicator lights do the exact opposite: they delay the moment by
which the signal imparts a warning to other road users' situational
awareness.  I deem them a triumph of fashion over safety fundamentals.

------------------------------

Date: Tue, 25 Aug 2020 13:11:04 +0200
From: Terje Mathisen <terje.mathisen@tmsw.no>
Subject: Re: Date and time synchronization (Robinson, RISKS-32.22)

You are going to get a *lot* of responses to this one, the idea is sound but
the implemented logic is completely broken. :-(

> Here is the procedure:
> 1. Get time.
> 2. Get date.
> 3. If the hour is not 11 (for systems that preformat time to AM/PM) or is
>     not 23, exit procedure, date and time are synchronized and nothing more
>     needs to be done.

Since we read time first, then date, the date might have ticked over and now
we have 2020-08-25T00:00:00 while the time read happened at
2020-08-24T23:59:59. Combining them results in 2020-08-24T00:00:00 which is
of course wrong.

The easiest fix for all such "read two counters as one atomic operation" is
to start by reading the slow one, then the fast one and then the slow one
again, i.e. the date here. If the two dates are equal then we are done,
otherwise read the time again and return that value together with the second
date.

You can of course read both counters every time and then return the second
pair only if the dates are different, this has the small but sometimes
useful benefit of being constant time as long as the return first pair vs
second pair is handled with conditional moves or other branchless code.

> 4. Get the time again
> 5. Get the date again.

If we always read both variables twice, then we can even use the suggested
order by returning the first pair unless the second time is less than the
first, i.e. it wrapped around, and then we return the second pair.

   hms1 = gettime();   /* fast counter first, keeping the original order */
   ymd1 = getdate();   /* slow counter */
   hms2 = gettime();   /* second pair, read the same way */
   ymd2 = getdate();

   /* If the time went backwards, midnight passed between the reads:
      keep the second pair, otherwise the first.  A selection, not a
      branch, so the cost is the same on every call. */
   hms = (hms2 < hms1)? hms2 : hms1;
   ymd = (hms2 < hms1)? ymd2 : ymd1;
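A deterministic simulation of the midnight race and of the two fixes described in this reply, added here as an example (it is not Terje Mathisen's code; the simulated clock, the `getdate_sim`/`gettime_sim` readers and the `count_bad_reads` checker are constructed for illustration). Each counter read advances the simulated clock by a fixed tick, so the naive time-then-date procedure can be driven through the exact instant where the date ticks over and compared with the checked variants.

```c
#include <stdbool.h>
#include <stdint.h>

#define SECS_PER_DAY 86400ULL

/* Simulated clock, constructed for this example: absolute seconds since an
 * epoch.  Every counter read advances it by sim_tick, so consecutive reads can
 * straddle midnight deterministically, as in the scenario discussed above. */
static uint64_t sim_now, sim_tick;

static uint64_t getdate_sim(void) {          /* slow counter: day number */
    uint64_t d = sim_now / SECS_PER_DAY; sim_now += sim_tick; return d;
}
static uint64_t gettime_sim(void) {          /* fast counter: seconds in day */
    uint64_t t = sim_now % SECS_PER_DAY; sim_now += sim_tick; return t;
}

/* Naive: time, then date, combined with no consistency check. */
static uint64_t read_naive(void) {
    uint64_t hms = gettime_sim();
    uint64_t ymd = getdate_sim();
    return ymd * SECS_PER_DAY + hms;
}

/* Slow-fast-slow: date, time, date; if the date moved, re-read the time and
 * pair it with the second date. */
static uint64_t read_slow_fast_slow(void) {
    uint64_t ymd1 = getdate_sim();
    uint64_t hms  = gettime_sim();
    uint64_t ymd2 = getdate_sim();
    if (ymd1 != ymd2)
        hms = gettime_sim();
    return ymd2 * SECS_PER_DAY + hms;
}

/* Read both counters twice in the original order; keep the first pair unless
 * the time went backwards (wrapped past midnight), then keep the second.
 * A pure selection, so the amount of work is the same on every call. */
static uint64_t read_twice(void) {
    uint64_t hms1 = gettime_sim();
    uint64_t ymd1 = getdate_sim();
    uint64_t hms2 = gettime_sim();
    uint64_t ymd2 = getdate_sim();
    bool wrapped = hms2 < hms1;
    uint64_t hms = wrapped ? hms2 : hms1;
    uint64_t ymd = wrapped ? ymd2 : ymd1;
    return ymd * SECS_PER_DAY + hms;
}

/* Count start instants around midnight for which `reader` returns a value
 * outside the interval its own reads spanned, i.e. an impossible clock. */
static int count_bad_reads(uint64_t (*reader)(void), uint64_t tick) {
    int bad = 0;
    for (uint64_t start = SECS_PER_DAY - 20; start <= SECS_PER_DAY + 20; start++) {
        sim_now = start;
        sim_tick = tick;
        uint64_t v = reader();
        if (v < start || v > sim_now)   /* sim_now: clock after the last read */
            bad++;
    }
    return bad;
}
```

With a one-second tick the naive reader produces a value a full day off for exactly one start instant (23:59:59), while both checked readers stay inside the window their reads spanned for every start instant.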

------------------------------

Date: Mon, 24 Aug 2020 19:29:57 -0400
From: Jack Christensen <christensen.jack.a@gmail.com>
Subject: Re: Washington Postal workers defy USPS orders and re-install mail,
  sorting machines (RISKS-32.22)

It would be interesting to know exactly what the "risks to the public in
computers and related systems" are perceived to be in this item. One cannot
help but wonder whether the item was submitted to Risks with some political
motivation. Our expectation should be that submissions to Risks be held to a
higher standard. Cheap political demagoguery is available anywhere.

I propose the following test for RISKS submissions. If "risks to the public
in computers and related systems" can be said to exist, then we should be
able to imagine one or more solutions, *that when applied to said computers
or related systems*, could possibly address the issue.

In the linked article, there seems to be no hint of this sort of
technological issue. Certainly mail sorting machines must be computerized,
but these days most everything is, so that in itself is too low a standard
to be useful.

------------------------------

Date: Tue, 25 Aug 2020 11:42:49 -0400
From: "Arthur T." <Risks202008.6.atsjbt@xoxy.net>
Subject: Re: Dicekeys (RISKS-32.22)

There is much to like about the Dicekeys concept, but there's also much to
criticize. (Note: I am neither a mathematician nor a security professional.)

For me, any inaccuracy makes everything else questionable.  My calculations
show 2^194 rather than 2^196 possibilities.  Each die has 6 sides and 4
orientations of the top for 24 possibilities. So there are 24^25 outcomes of
rolling all of them. Order counts, so multiply by 25 factorial. Log base 2
of that number is just over 193.66. I'm not sure where he's getting the
extra bits of randomness reported.

For non-techies, physical randomization may seem more secure than
computer-generated. But if the dice are not extremely well made, they'll be
a bit less random than theory suggests. Techies will easily find
cryptographically secure random number generators, and 59 digits yields
about 2^196 bits (as does a 32-character string made up of upper case, lower
case, numbers, and 8 symbols).

If you want a very long-term master password, you want to be able to back up
its generator. You can do that by taking a picture of the dice box, but then
you're no more (or less) secure than you were with non-physical keys. If you
generate a long number or symbol key, you can print a more standard bar code
that doesn't require trusting someone else's special programming. And then a
secure hash hides your original number. I expect that readers for
general-use bar codes will be around for a long time, whereas I'd worry
about the longevity of the special-use scanner developed for Dicekeys.

So I admire the concept and the work and thought that went into making it a
real product. But I won't be a customer, and I wouldn't recommend it to
anyone I know. In addition to the above considerations, computer-generated
random numbers are free.

------------------------------

Date: Tue, 25 Aug 2020 07:54:29 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: Why Does California Have So Many Wildfires? (NYTimes)

This NYTimes article hasn't a clue.
The short answer is: *fire SUPPRESSION* and too few *controlled burns*.

As a resident of Southern California for ~40 years and having lived in the
vicinity of at least 40 wildfires, I've studied this issue a bit.

The white colonists who destroyed the indigenous native American way of life
were 'know-it-alls' who never comprehended the clever and quite efficient
fire management strategies of these 'primitive' people, and the folly of our
'expert' mismanagement of the ecosystem in the past 300 years has sown the
seeds of our wildfire problems today.

Here in Southern California, you only get the following (egrep) choices
for annual behavior for essentially all un-cultivated land:
1.  (rain/growth/){1,3}burn
2.  (rain/growth/){4,75}wildfire
3.  (rain/growth/){76,}apocalyptic firestorm

Notice that burn|wildfire|firestorm is a necessary consequent to
'rain/growth'.

Of course, you can always eliminate 'rain', hence eliminating 'growth'
and 'fire', but then you get an Atacama-like desert.

So if we intend to continue living here in Southern California, I vote
for option #1.

https://www.theguardian.com/us-news/2019/nov/21/wildfire-prescribed-burns-california-native-americans

"For more than 13,000 years, the Yurek, Karuk, Hupa, Miwok, Chumash and
hundreds of other tribes across California and the world used small
intentional burns to renew local food, medicinal and cultural resources,
create habitat for animals, and reduce the risk of larger, more dangerous
*wild* fires."

"The Spanish were the first California colonizers to prevent the indigenous
people from burning the land.  In 1850, the US government passed the Act for
Government and Protection of Indians, which *outlawed intentional burning*
in California even before it was a state."

"Early National Forest Service officials considered "the Indian way" of
"light-burning" to be a *primitive*, 'essentially destructive theory'."

"For native people, the land is a renewing resource, and they feel a
responsibility to keep it healthy.  Light, frequent burning of the forest
understory maintains oak tree health ... Fire clears and maintains prairie
landscapes as habitat for elk and deer, and visibility through the dense
woods for hunting them."

https://en.wikipedia.org/wiki/Native_American_use_of_fire_in_ecosystems

"When first encountered by Europeans, many ecosystems were the result of
repeated fires every *one to three years,* resulting in the replacement of
forests with grassland or savanna, or opening up the forest by removing
undergrowth."

"By the time that European explorers first arrived in North America,
millions of acres of 'natural' landscapes were already manipulated and
maintained for human use.  *Fires indicated the presence of humans to many
European explorers and settlers arriving on ship.*"

"By the 17th century, native populations were on the verge of collapse due
to the introduction of European diseases (such as smallpox) and widespread
epidemics (the flu) against which the indigenous peoples had no
immunity. ... As Native people were forced off their traditional landbases
or killed, traditional land management practices were abandoned."

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.23
************************
