Risks Digest 30.20
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Thu Mar 30 14:05:53 2017
From: RISKS List Owner <risko@csl.sri.com>
Date: Thu, 30 Mar 2017 11:05:37 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Thursday 30 March 2017 Volume 30 : Issue 20
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.20>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Aging resident dies after Eden Prairie caregiver forgot to plug in heart
pump (Gabe Goldberg)
Self-driving Uber gets in accident in Tempe, Arizona (Business Insider)
NASA fireworks (Alister Wm Macintyre)
Evidence That Robots Are Winning the Race for American Jobs
(Claire Cain Miller)
Ransomware scammers exploited Safari bug to extort porn-viewing iOS users
(Ars Technica)
Senate votes to let ISPs sell your Web browsing history to advertisers
(Ars Technica)
For sale: Your private browsing history (Ars Technica)
UK government says Apple ``cannot get away with unbreakable encryption''
following terrorist attack (Ben Lovejoy)
Fake Sleuths: Web Gets It Wrong on London Attacker (Mark Scott)
How police unmasked suspect accused of sending seizure-inducing tweet
(Ars Technica)
DJI Proposes Electronic Identification Framework For Small Drones
(Slashdot)
Win10 Class Action ... (The Register via Alister Wm Macintyre)
Risks from falsified Data (BBC via John Murrell)
US Supreme Court Case on Toner Cartridges (Alister Wm Macintyre)
Re: self-checkout at grocery stores (Barry Gold, Mark Jackson)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Thu, 30 Mar 2017 01:16:08 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Aging resident dies after Eden Prairie caregiver forgot to plug
in heart pump
A distracted aide at an Eden Prairie assisted-living center failed to plug
in a resident's heart pump at bedtime, and the man didn't live through the
night, according to a state investigation released Wednesday.
http://www.startribune.com/aging-resident-dies-after-eden-prairie-caregiver-forgot-to-plug-in-heart-pump/413868613/
If an alarm sounds but nobody hears it...
Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
------------------------------
Date: Sat, 25 Mar 2017 11:18:03 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Self-driving Uber gets in accident in Tempe, Arizona
http://www.businessinsider.com/self-driving-uber-gets-in-accident-in-tempe-arizona-2017-3
------------------------------
Date: Thu, 23 Mar 2017 08:30:24 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: NASA fireworks
NASA's Inspector General reports: https://oig.nasa.gov/
A security patch, applied by IT staff at NASA, caused an equipment shutdown
and subsequent fire that destroyed spacecraft hardware.
The fire lasted 3.5 hours, unnoticed by anyone because the security patch
had shut down the fire alarm systems.
[The news media blame the fire on the security patch. Inspector General
finds more significant faults. The Space Agency has lost track of its
equipment needs. AWM]
This was not an isolated incident of bad consequences of networking hardware
without good management of the equipment's dissimilar needs.
"Vulnerability scanning used to identify software flaws, that can be
exploited by an attacker, caused equipment to fail and loss of communication
with an Earth science spacecraft during an orbital pass. A chilled-water
heating, ventilation and air-conditioning system was disabled -- which
caused IT equipment reliant on it in one of NASA's data centers to be shut
down after temperatures rapidly rose to more than 50 degrees centigrade."
Here is the IG Feb-8 report, on above challenges:
https://oig.nasa.gov/audits/reports/FY17/IG-17-011.pdf
[Many industries grew with industrial control mechanisms not designed to be
networked with computer systems vulnerable to malware, hacking etc. They
don't have good firewalls or any cyber security protections, but in the
interests of cost savings, critical infrastructure industrial systems are
being included into computer networks, often without adequate thinking to
protect all the devices in a cyber security risky world. US's Space Agency
is one of those industries. Before networking the industrial control
hardware, there were personnel familiar with its maintenance needs. If you
drop those people from the payroll, you are making your outfit more
vulnerable. AWM]
https://fcw.com/articles/2017/02/09/nasa-iot-problems-rockwell.aspx
http://www.computing.co.uk/ctg/news/3004421/security-patch-caused-equipment-shutdown-and-fire-at-nasa?im_edp=gmail.com
[Registration required]
http://www.theinquirer.net/inquirer/news/3004427/nasa-equipment-shutdown-and-fire-blamed-on-rogue-security-patch
Lots of NASA operations get connected to the cloud, without upper management
awareness or approval, due to lack of good cyber security.
Here's IG Feb-7 report on that:
https://oig.nasa.gov/audits/reports/FY17/IG-17-010.pdf
http://www.networkworld.com/article/3167609/security/nasa-has-a-shadow-it-problem.html
NASA is also involved with IoT.
https://www.fedscoop.com/nasa-forays-into-the-internet-of-things/
https://www.nasa.gov/sites/default/files/atoms/files/it-talk_oct-dec2015-v1_1.pdf
Iowa Senator Chuck Grassley reported, in 2007, that $1.9 billion in
hardware was stolen, thanks to hackers into NASA.
That's a significant portion of NASA's annual $13 billion budget.
https://www.grassley.senate.gov/news/news-releases/nasa-ig-under-fire
------------------------------
Date: Tue, Mar 28, 2017 at 7:23 PM
From: Dewayne Hendricks <dewayne@warpspeed.com>
Subject: Evidence That Robots Are Winning the Race for American Jobs
(Claire Cain Miller)
[Note: This item comes from friend Mike Cheponis. DLH]
Claire Cain Miller, *The New York Times*, 28 Mar 2017
https://www.nytimes.com/2017/03/28/upshot/evidence-that-robots-are-winning-the-race-for-american-jobs.html
Who is winning the race for jobs between robots and humans? Last year, two
leading economists described a future in which humans come out ahead. But
now they've declared a different winner: the robots.
The industry most affected by automation is manufacturing. For every robot
per thousand workers, up to six workers lost their jobs and wages fell by
as much as three-fourths of a percent, according to a new paper by the
economists, Daron Acemoglu of M.I.T. and Pascual Restrepo of Boston
University. It appears to be the first study to quantify large, direct,
negative effects of robots.
The paper is all the more significant because the researchers, whose work
is highly regarded in their field, had been more sanguine about the effect
of technology on jobs. In a paper last year, they said it was likely that
increased automation would create new, better jobs, so employment and wages
would eventually return to their previous levels. Just as cranes replaced
dockworkers but created related jobs for engineers and financiers, the
theory goes, new technology has created new jobs for software developers
and data analysts.
But that paper was a conceptual exercise. The new one uses real-world data
-- and suggests a more pessimistic future. The researchers said they were
surprised to see very little employment increase in other occupations to
offset the job losses in manufacturing. That increase could still happen,
they said, but for now there are large numbers of people out of work, with
no clear path forward -- especially blue-collar men without college degrees.
Acemoglu: ``The conclusion is that even if overall employment and wages
recover, there will be losers in the process, and it's going to take a very
long time for these communities to recover. If you've worked in Detroit for
10 years, you don't have the skills to go into health care. The market
economy is not going to create the jobs by itself for these workers who are
bearing the brunt of the change.''
The paper's evidence of job displacement from technology contrasts with a
comment from the Treasury secretary, Steve Mnuchin, who said at an Axios
event last week that artificial intelligence's displacement of human jobs
was ``not even on our radar screen,'' and ``50 to 100 more years''
away. (Not all robots use artificial intelligence, but a panel of experts --
polled by the M.I.T. Initiative on the Digital Economy in reaction to
Mr. Mnuchin's comments -- expressed the same broad concern of major job
displacement.)
The paper also helps explain a mystery that has been puzzling economists:
why, if machines are replacing human workers, productivity hasn't been
increasing. In manufacturing, productivity has been increasing more than
elsewhere -- and now we see evidence of it in the employment data, too.
The study analyzed the effect of industrial robots in local labor markets in
the United States. Robots are to blame for up to 670,000 lost manufacturing
jobs between 1990 and 2007, it concluded, and that number will rise because
industrial robots are expected to quadruple. [...]
------------------------------
Date: Wed, 29 Mar 2017 22:47:09 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Ransomware scammers exploited Safari bug to extort porn-viewing iOS
users (Ars Technica)
https://arstechnica.com/security/2017/03/ransomware-scammers-exploited-safari-bug-to-extort-porn-viewing-ios-users/
------------------------------
Date: Thu, 23 Mar 2017 13:42:39 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Senate votes to let ISPs sell your Web browsing history to advertisers
NNSquad
https://arstechnica.com/tech-policy/2017/03/senate-votes-to-let-isps-sell-your-web-browsing-history-to-advertisers/
The US Senate today voted to eliminate broadband privacy rules that would
have required ISPs to get consumers' explicit consent before selling or
sharing Web browsing data and other private information with advertisers
and other companies. The rules were approved in October 2016 by the
Federal Communications Commission's then-Democratic leadership, but are
opposed by the FCC's new Republican majority and Republicans in
Congress. The Senate today used its power under the Congressional Review
Act to ensure that the FCC rulemaking "shall have no force or effect" and
to prevent the FCC from issuing similar regulations in the future. The
House, also controlled by Republicans, would need to vote on the measure
before the privacy rules are officially eliminated. President Trump could
also preserve the privacy rules by issuing a veto. If the House and Trump
agree with the Senate's action, ISPs won't have to seek customer approval
before sharing their browsing histories and other private information with
advertisers.
------------------------------
Date: Tue, 28 Mar 2017 15:09:10 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: For sale: Your private browsing history
via NNSquad
https://arstechnica.com/tech-policy/2017/03/for-sale-your-private-browsing-history/
The House of Representatives voted today to eliminate ISP privacy rules,
following the Senate vote to take the same action last week. The
legislation to kill the rules now heads to President Donald Trump for his
signature or veto. The White House issued a statement today supporting
the House's action, and saying that Trump's advisors will recommend that
he sign the legislation. That would make the death of the Federal
Communications Commission's privacy rules official. The rules issued by
the FCC last year would have required ISPs to get consumers' opt-in
consent before selling or sharing Web browsing history, app usage history,
and other private information with advertisers and other companies. But
lawmakers used their authority under the Congressional Review Act (CRA) to
pass a joint resolution ensuring that the rules "shall have no force or
effect" and that the FCC cannot issue similar regulations in the future.
------------------------------
Date: Mon, 27 Mar 2017 10:10:26 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: UK government says Apple ``cannot get away with unbreakable
encryption'' following terrorist attack (Ben Lovejoy)
Ben Lovejoy, 9to5mac, 27 Mar 2017
British Home Secretary Amber Rudd -- in charge of police policy in the UK --
told the BBC what is quoted in the subject line.
Rudd was speaking after it was revealed that Khalid Masood accessed WhatsApp
two minutes before ploughing through pedestrians on Westminster Bridge in a
rented car, killing three of them, before fatally stabbing a police officer
guarding the Houses of Parliament.
She described end-to-end encrypted messaging as used by WhatsApp and
Apple's Messages app as ``completely unacceptable''.
https://9to5mac.com/2017/03/27/amber-rudd-british-government-apple-messages-whatsapp-end-to-end-encryption/
[The problem is of course that dumbing down communication security just
for British law enforcement would also be completely unacceptable, and
could even be responsible for bringing down her own government as a result
of subsequent compromises! Is she Ruddy Naive? (And then I recall the
former prime minister suggesting a ban on all cryptography.) PGN]
------------------------------
Date: Sun, 26 Mar 2017 10:12:34 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Fake Sleuths: Web Gets It Wrong on London Attacker (Mark Scott)
Mark Scott, *The New York Times*, 24 Mar 2017
http://www.nytimes.com/2017/03/24/technology/london-terror-attack-suspect-social-media.html
------------------------------
Date: Thu, 23 Mar 2017 01:09:27 -0400
From: Monty Solomon <monty@roscom.com>
Subject: How police unmasked suspect accused of sending seizure-inducing
tweet (Ars Technica)
https://arstechnica.com/tech-policy/2017/03/how-police-unmasked-suspect-accused-of-sending-seizure-inducing-tweet/
------------------------------
Date: Tue, 28 Mar 2017 16:41:51 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: DJI Proposes Electronic Identification Framework For Small Drones
(Slashdot)
https://tech.slashdot.org/story/17/03/28/213236/dji-proposes-new-electronic-license-plate-for-drones?utm_source=rss1.0mainlinkanon&utm_medium=feed
Chinese drone maker DJI proposed that drones be required to transmit a
unique identifier to assist law enforcement to identify operators where
necessary. Anyone with an appropriate receiver could receive the ID
number, but the database linking the ID with the registered owner would
only be available to government agencies.
Ridiculous idea -- bad players would simply disable this feature -- or
modify it (and you can bet that it will be possible to modify it, one
way or another). Handy for false flags! Luckily, the DJI page on this is
in such a low contrast font that you can't read it without going blind
anyway.
------------------------------
Date: Mon, 27 Mar 2017 01:34:54 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: Win10 Class Action ...
'Windows 10 destroyed our data!' Microsoft hauled into US court.
'Dodgy' unwanted operating system update sparks potential class-action lawsuit
24 Mar 2017
According to the complaint, Windows 10 installed itself onto plaintiff
Stephanie Watson's computer without her consent and then erased data, some
of it related to her work. She hired Geek Squad to repair the machine, with
only partial success, and ended up having to purchase a new computer.
Plaintiff Robert Saiger, the complaint says, consented to the Windows 10
update, only to have his computer stop functioning. He lost data, then lost
time and money, while incurring aggravation attempting to recover the data.
Plaintiff Howard Goldberg "elected to accept Windows 10 after declining over
6 months of daily prompts requesting him to download it." After three
attempts to do so, the result was a non-functional computer and lost data.
https://www.theregister.co.uk/2017/03/24/microsoft_windows_10_update/
[If a Win-7 user got add-on software for some activity, supported by Win-7
but not by Win-10, and uses the software sub-directories of the add-on for
the associated data, then:
1. Microsoft does NOT tell the user that Win-10 does not support that
stuff.
2. The Win-10 installation process erases all the non-Microsoft software,
and associated sub-directory data, that won't work with Win-10.
3. The user is not told about this erasure.
Other OS are much more polite to the user, giving the opportunity to save
the software and data, not supported by the OS upgrade, so that the user
can seek some add-on that is supported by the latest OS upgrade, and also
provides a conversion path to move the data into any replacement format
needed.
Documentation regarding the OS upgrade also gives warning of what is no
longer supported, and will need some software from someone other than
the OS company, to facilitate such conversions.
Microsoft is not a believer in such user-friendly conversion info
standards. AWM]
------------------------------
Date: Mon, 27 Mar 2017 22:12:57 +0100
From: "John Murrell" <mail@johnmurrell.org.uk>
Subject: Risks from falsified Data (BBC)
http://www.bbc.co.uk/news/business-38254362
There is an interesting article on the BBC website that discusses an
alternative and much more subtle version of malware. This involves
infiltrating systems and making changes to data which, while being too small
to notice immediately, result in system failure.
Their conclusion is that data integrity from start to end is just as
important as any other form of security.
I had a quick search through the Risks Digests and could not find any
evidence of this being discussed. Has anyone any evidence of this type of
attack that they are willing and able to discuss?
[Is this not just one more example of faked news, perhaps more subtle
than flagrant fake news, but still disinformation? PGN]
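As an added illustration of the "integrity from start to end" point above
(example code written for this digest, not from the BBC article or from any
contributor): each record is tagged with a keyed HMAC at its point of origin,
and a later consumer recomputes the tag before trusting the data. A change
too small to notice by eye, such as one reading nudged by a tenth, still
changes the tag and is flagged. The records, the key and the field names are
constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed for this example: a key that in practice would come from a
# secret store, and a few sensor readings a control loop might consume.
INTEGRITY_KEY = b"example-key-not-for-production-use"

SAMPLE_RECORDS = [
    {"id": 1, "sensor": "pump-pressure", "value": 101.3},
    {"id": 2, "sensor": "pump-pressure", "value": 101.4},
    {"id": 3, "sensor": "coolant-temp", "value": 41.2},
]


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so the tag does not depend on
    dictionary key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed HMAC-SHA256 over the canonical record. Because the key is
    secret, a party that can alter the stored data cannot simply recompute
    a matching tag, which a plain checksum would allow."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(records, key: bytes = INTEGRITY_KEY):
    """Attach a tag to every record at the point of origin."""
    return [{"record": r, "tag": tag_record(r, key)} for r in records]


def verify(sealed, key: bytes = INTEGRITY_KEY):
    """Return the ids of records whose content no longer matches their tag.
    An empty list means every record is as it was when sealed."""
    bad = []
    for entry in sealed:
        expected = tag_record(entry["record"], key)
        # Constant-time comparison avoids leaking the tag through timing.
        if not hmac.compare_digest(expected, entry["tag"]):
            bad.append(entry["record"]["id"])
    return bad


def demo():
    """Seal the sample records, then simulate a subtle alteration in
    storage (one reading changed from 101.4 to 101.5) and check that the
    verifier flags exactly that record."""
    sealed = seal(SAMPLE_RECORDS)
    assert verify(sealed) == []          # untouched data verifies cleanly
    tampered = copy.deepcopy(sealed)
    tampered[1]["record"]["value"] = 101.5
    return verify(tampered)              # -> [2]


if __name__ == "__main__":
    print("records flagged after tampering:", demo())
```

The check only works if the verifier's key differs from anything the
storage layer holds; with the tags computed and checked at the two ends of
the pipeline, an alteration anywhere in between shows up as a mismatch.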
------------------------------
Date: Mon, 27 Mar 2017 00:31:16 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: US Supreme Court Case on Toner Cartridges
You Should Care about the Supreme Court Case on Toner Cartridges.
The verdict could have consequences on practically any purchased product.
[PC printer manufacturers make most of their money selling toner & other ink
systems, often at ridiculously high prices.
Various 3rd party outfits sell apparently identical ink cartridges for much
less money.
I turn in my used cartridges to a recycling outfit, which refills them, with
much lower cost to me than buying the printer manufacturer cartridges.
The printer manufacturers want to put a stop to that competition, make you
use theirs exclusively, then they can jack up the prices even more.
https://www.hardocp.com/news/2017/03/25/you_should_care_about_supreme_court_case_on_toner_cartridges/
http://gizmodo.com/supreme-court-printer-cartridge-case-could-be-the-citiz-1793643311
http://www.scotusblog.com/case-files/cases/impression-products-inc-v-lexmark-international-inc/
https://consumerist.com/2017/03/23/why-you-should-care-about-the-supreme-court-case-on-toner-cartridges/
------------------------------
Date: Tue, 21 Mar 2017 17:45:59 -0700
From: Barry Gold <barrydgold@ca.rr.com>
Subject: Re: self-checkout at grocery stores [???]
I avoid self-checkout lanes unless the queues get *very* long or I have only
a single item because:
1. I'm nowhere near as fast as a trained checker in the whole scan-and-bag
thing.
2. I want the checkers to keep their jobs.
And I *never* use self-checkout if I have produce or anything else that
needs to be weighed, because there's no way I can do the
enter-the-proper-code-and-weigh the thing as a checker who has usually
memorized the code for every single produce item in the store.
------------------------------
Date: Wed, 22 Mar 2017 20:26:24 -0400
From: Mark Jackson <mjackson@alumni.caltech.edu>
Subject: Re: self-checkout at grocery stores (Lamkin, RISKS-30.19)
That looks like the same system deployed in some of their stores by Stop
& Shop, a not-particularly-high-end grocery chain serving much of the U.S.
Northeast:
https://stopandshop.com/shopping/shopping-tools/scanit/
------------------------------
Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 30.20
************************