Risks Digest 32.52
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sat Mar 6 20:14:51 2021
From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 6 Mar 2021 17:14:20 PST
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Saturday 6 March 2021 Volume 32 : Issue 52
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.52>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Fed outage shuts down U.S. payment system (Tom Van Vleck via Ars Technica)
DC Vaccine Appointment Website, Phone Line Crashes Early Thursday (DCist)
Weaknesses in FAA's certification and delegation processes hindered its
oversight of the 737 MAX 8 (DOT)
EU Report Warns AI Makes Autonomous Vehicles 'Highly Vulnerable' to Attack
(Khari Johnson)
Heavy Rain Affects Object Detection by Autonomous Vehicle LiDAR Sensors
(U.Warwick)
XC40 Recharge buyers have been told to sit tight (The Verge)
Vintage technology: 'It sounds so much cleaner' (BBC News)
Error-prone software reportedly ruined lives: Post Office scandal:
Postmasters have convictions quashed (BBC)
Software Bug Keeping Hundreds Of Inmates In Arizona Prisons Beyond Release
Dates (KJZZ)
Alexa in the car (Toyota)
Experts find a way to learn what you're typing during video calls
(The Hacker News)
Israel adopts law allowing names of unvaccinated to be shared (AFP)
Judge in Google case disturbed that even *incognito* users are tracked
(Bloomberg)
Facebook will roll back its block on news posts in Australia (Engadget)
Relativity Space unveils a reusable 3D-printed rocket to compete with
SpaceX's Falcon 9 (CNBC)
Big data healthcare project raises privacy issues (M.K.McGee)
Contact-tracing apps help reduce COVID infections, data suggest (Nature)
Can Zapping Our Brains Really Cure Depression? (NYTimes)
Student Surveillance Vendor Proctorio Files SLAPP Lawsuit to Silence A
Critic (EFF)
Computers get Sundays off? (Gabe Goldberg)
Formula E's Software Communication Problem (The Register via Ben Moore)
Gig Workers Gather Their Own Data to Check the Algorithm's Math (WiReD)
'Drunk' robot vacuums spark complaints from owners (BBC News)
Predictive Text Feature Coming to Microsoft Word in March (PCMag)
Doctor joins Zoom court hearing while operating on patient (BBC News)
Carranza resigns as NYC schools chancellor; Meisha Porter will replace him
(NYTimes)
New security flaws detected in more credit cards (Leo Hermann)
"Virtual computer chip tests expose flaws, protect against hackers"
(Matthew Sparkes)
Is Your Browser Extension a Botnet Backdoor? (Krebs on Security)
When Companies Skimp on Cybersecurity (Bruce Schneier)
Former SolarWinds CEO blames intern for "solarwinds123" password leak
(CNNPolitics)
Post Office scandal: Postmasters have convictions quashed (BBC)
Objective or Biased (Bayerischer Rundfunk)
Amazon's new rotating, follow-you camera is useful -- and invasive
(WashPost)
Vaccine passport certificates already exist (Clive Page)
Texas power outages demonstrate grid cyber-vulnerability and inadequacy of
existing regulations (Joe Weiss)
Re: His Lights Stayed on During Texas's Storm. Now He Owes $16,752
(Keith Medcalf)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Thu, 25 Feb 2021 08:19:17 -0800
From: Tom Van Vleck <thvv@multicians.org>
Subject: Fed outage shuts down U.S. payment system (Ars Technica)
I ran across this and wonder what really happened, and whether it can happen
again.
https://arstechnica.com/tech-policy/2021/02/fed-outage-shuts-down-us-payment-systems-for-more-than-an-hour/
[Of course it can, although perhaps for a slightly different reason.
PGN]
------------------------------
Date: Thu, 25 Feb 2021 18:48:16 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: DC Vaccine Appointment Website, Phone Line Crashes Early Thursday
(DCist)
The District's phone and online system crashed on Thursday morning just as
thousands of residents became newly eligible to sign up for 4,350
appointments for the COVID-19 vaccine.
Mayor Muriel Bowser said this week that appointments would open at 9 a.m. to
residents living in priority ZIP codes who are 65 or older, are 18 and older
and have a qualifying medical condition ranging from asthma to cancer, or
work in a number of essential jobs from child care to grocery stores.
But the demand almost immediately overwhelmed the city's online and phone
system, with many callers reporting that they couldn't even get through on
the phone. Others reported that even when they did get through online, the
system wasn't updated to reflect the new eligibility criteria for
pre-existing conditions and essential workers.
https://dcist.com/story/21/02/25/dc-vaccine-appointment-system-crashes-qualifying-medical-conditions/
Testing scalability -- why bother? That's what customers are for.
------------------------------
Date: Fri, 26 Feb 2021 08:15:28 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Weaknesses in FAA's certification and delegation processes hindered
its oversight of the 737 MAX 8 (DOT)
(Office of Inspector General, Transportation)
https://www.oig.dot.gov/library-item/38302
"While FAA and Boeing followed the established certification process for the
737 MAX 8, we identified limitations in FAA's guidance and processes that
impacted certification and led to a significant misunderstanding of the
Maneuvering Characteristics Augmentation System (MCAS), the flight control
software identified as contributing to the two accidents. First, FAA's
certification guidance does not adequately address integrating new
technologies into existing aircraft models. Second, FAA did not have a
complete understanding of Boeing's safety assessments performed on MCAS
until after the first accident. Communication gaps further hindered the
effectiveness of the certification process. In addition, management and
oversight weaknesses limit FAA's ability to assess and mitigate risks with
the Boeing ODA. For example, FAA has not yet implemented a risk-based
approach to ODA oversight, and engineers in FAA's Boeing oversight office
continue to face challenges in balancing certification and oversight
responsibilities. Moreover, the Boeing ODA process and structure do not
ensure ODA personnel are adequately independent. While the Agency has taken
steps to develop a risk-based oversight model and address concerns of undue
pressure at the Boeing ODA, it is not clear that FAA's current oversight
structure and processes can effectively identify future high-risk safety
concerns at the ODA."
ODA == Organization Designation Authorization is the FAA designation for
delegated certification authority of 737-MAX certifications to Boeing. See
page 29 of this report for percent of delegation for certified flight
systems on the 737-MAX: Boeing performed ~30% certifications
(self-certifications) in JAN2014 to ~100% by JAN2017.
The OIG's report raises troubling questions about self-certification of
737-MAX flight systems by Boeing. Government delegation of certification
authority to industry indicates policy review is essential, and revisions to
delegation practices are urgently required.
Risk: Self-certification authority without independent enforcement oversight
------------------------------
Date: Wed, 24 Feb 2021 12:37:38 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: EU Report Warns AI Makes Autonomous Vehicles 'Highly Vulnerable' to
Attack (Khari Johnson)
Khari Johnson, *VentureBeat*, 22 Feb 2021
via TechNews, Wednesday, February 24, 2021
EU Report Warns AI Makes Autonomous Vehicles 'Highly Vulnerable' to Attack
A report by the European Union Agency for Cybersecurity (ENISA) describes
autonomous vehicles as "highly vulnerable to a wide range of attacks" that
could jeopardize passengers, pedestrians, and people in other vehicles. The
report identifies potential threats to self-driving vehicles as including
sensor attacks with light beams, as well as adversarial machine learning
(ML) hacks. With growing use of artificial intelligence (AI) and the sensors
that power autonomous vehicles offering greater potential for attacks, the
researchers advised policymakers and businesses to foster a security culture
across the automotive supply chain, including third-party providers. The
researchers suggested AI and ML systems for autonomous vehicles "should be
designed, implemented, and deployed by teams where the automotive domain
expert, the ML expert, and the cybersecurity expert collaborate."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-299f0x228a9ax070159&
------------------------------
Date: Fri, 26 Feb 2021 12:08:57 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Heavy Rain Affects Object Detection by Autonomous Vehicle LiDAR
Sensors (U.Warwick)
University of Warwick (U.K.) 25 Feb 2021, via ACM TechNews, 26 Feb 2021
Researchers at the University of Warwick in the U.K. have found that the
LiDAR sensors on autonomous vehicles (AVs) are less effective in detecting
objects at a distance during periods of heavy rain. The researchers used the
university's WMG 3xD simulator to test an AV's LiDAR sensors in different
intensities of rain on real roads; they found that when the rainfall
increased up to 50 mm per hour, object detection by the sensors dropped in
conjunction with a longer range in distance. Warwick's Valentina Donzella
said, "Ultimately we have confirmed that the detection of objects is
hindered to LiDAR sensors the heavier the rain and the further away they
are."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-29a98x228c44x070842&
------------------------------
Date: Mon, 1 Mar 2021 14:22:05 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: XC40 Recharge buyers have been told to sit tight
Volvo XC40 Recharge electric SUVs are currently being held at US ports
because the company is waiting to ship a crucial software update before
releasing them to customers and dealers, *The Verge* has learned.
The problem appears to be that these XC40 Recharge SUVs -- which is Volvo's
first all-electric vehicle -- left the company's factory without the Volvo
On Call software activated. Volvo On Call is a subscription service that
connects Volvo cars to an owner's smartphone, allowing them to remotely turn
the vehicle on and off, lock or unlock the doors, and access diagnostic
information. [...]
https://www.theverge.com/2021/3/1/22307866/volvo-xc40-recharge-delay-software-update-on-call-ota
------------------------------
Date: Fri, 26 Feb 2021 17:00:00 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Vintage technology: 'It sounds so much cleaner' (BBC News)
Air Vice Marshal Rich Maddison is a senior RAF officer with decades of
flying experience. "As an Air Force we are as high-tech as you get, but
this, this is just me."
He is referring to a miniature computer with a black and lime green screen
and minuscule memory that uses AA batteries to power a 1997 design. It is a
Psion 5 device and for AVM Maddison it represents his personal aviation
history.
The dated device is where he keeps his own flying log. Hailing from an era
when computers came with their own programming languages, the Psion invited
users to tinker with its limited applications. He could take fields in its
address book and convert them to resemble a pilot's logbook.
https://www.bbc.com/news/business-55808632
Funny, backup isn't mentioned. I guess that hadn't been invented yet.
[Cute. But Multics had a lovely backup system in the 1960s. PGN]
------------------------------
Date: Mon, 1 Mar 2021 14:24:23 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Error-prone software reportedly ruined lives: Post Office scandal:
Postmasters have convictions quashed (BBC)
Six former sub-postmasters have had fraud convictions linked to a faulty
computer system quashed in court. The long-running scandal began when the
Post Office installed a new computer system that led to hundreds of
sub-postmasters being wrongly convicted.
https://www.bbc.com/news/business-55271193
------------------------------
Date: Tue, 23 Feb 2021 16:03:42 -0700
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Software Bug Keeping Hundreds Of Inmates In Arizona Prisons Beyond
Release Dates (KJZZ)
Jimmy Jenkins, KJZZ, February 23, 2021
https://kjzz.org/content/1660988/whistleblowers-software-bug-keeping-hundreds-inmates-arizona-prisons-beyond-release
According to Arizona Department of Corrections whistleblowers, hundreds of
incarcerated people who should be eligible for release are being held in
prison because the inmate management software cannot interpret current
sentencing laws.
As of 2019, the department had spent more than $24 million contracting
with IT company Business & Decision, North America to build and maintain
the software program, known as ACIS, that is used to manage the inmate
population in state prisons.
One of the software modules within ACIS, designed to calculate release
dates for inmates, is presently unable to account for an amendment to
state law that was passed in 2019.
Senate Bill 1310, authored by former Sen. Eddie Farnsworth, amended the
Arizona Revised Statutes so that certain inmates convicted of nonviolent
offenses could earn additional release credits upon the completion of
programming in state prisons. Gov. Ducey signed the bill in June of 2019.
But department sources say the ACIS software is still not able to identify
inmates who qualify for SB 1310 programming, nor can it calculate their
new release dates upon completion of the programming.
[Also noted by Dougherty. PGN]
------------------------------
Date: Tue, 23 Feb 2021 20:40:21 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Alexa in the car (Toyota)
Toyota announced they're adding Amazon Alexa as a feature in some of their
cars, but will it be as convenient and helpful as it's supposed to be?
Ellen Previews the New Alexa Backseat Driver
https://www.youtube.com/watch?v=0HugGCoK7m0
[Someone commented: So it's just like being married.]
------------------------------
Date: Tue, 23 Feb 2021 13:07:07 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Experts find a way to learn what you're typing during video calls
(The Hacker News)
A new attack framework aims to infer keystrokes typed by a target user at
the opposite end of a video conference call by simply leveraging the video
feed to correlate observable body movements to the text being typed.
The research was undertaken by Mohd Sabra, and Murtuza Jadliwala from the
University of Texas at San Antonio and Anindya Maiti from the University of
Oklahoma, who say the attack can be extended beyond live video feeds to
those streamed on YouTube and Twitch as long as a webcam's field-of-view
captures the target user's visible upper body movements.
"With the recent ubiquity of video capturing hardware embedded in many
consumer electronics, such as smartphones, tablets, and laptops, the threat
of information leakage through visual channel[s] has amplified," the
researchers *said*.
"The adversary's goal is to utilize the observable upper body movements
across all the recorded frames to infer the private text typed by the
target."
<https://www.ndss-symposium.org/wp-content/uploads/ndss2021_3A-1_23063_paper.pdf>.
To achieve this, the recorded video is fed into a video-based keystroke
inference framework that goes through three stages. [...]
https://thehackernews.com/2021/02/experts-find-way-to-learn-what-youre.html
------------------------------
Date: Wed, 24 Feb 2021 14:35:45 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: Israel adopts law allowing names of unvaccinated to be shared (AFP)
Israel's parliament passed a law Wednesday allowing the government to share
the identities of people not vaccinated against the coronavirus with other
authorities, raising privacy concerns for those opting out of inoculation.
The measure, which passed with 30 votes for and 13 against, gives local
governments, the director general of the education ministry and some in the
welfare ministry the right to receive the names, addresses and phone numbers
of unvaccinated citizens.
The objective of the measure -- valid for three months or until the Covid-19
pandemic is declared over -- is "to enable these bodies to encourage people
to vaccinate by personally addressing them", a parliament statement said.
[...]
https://news.yahoo.com/israel-adopts-law-allowing-names-153232886.html
------------------------------
Date: Fri, 26 Feb 2021 21:43:04 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Judge in Google case disturbed that even *incognito* users are
tracked (Bloomberg)
https://www.bloomberg.com/news/articles/2021-02-26/google-judge-disturbed-that-even-incognito-users-are-tracked
------------------------------
Date: Mon, 22 Feb 2021 20:43:14 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Facebook will roll back its block on news posts in Australia
(Engadget)
As anticipated.
https://www.engadget.com/facebook-australia-news-043441256.html
------------------------------
Date: Mon, 1 Mar 2021 11:32:04 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Relativity Space unveils a reusable 3D-printed rocket to compete
with SpaceX's Falcon 9 (CNBC)
- 3D-printing rocket builder Relativity Space is working on Terran R, a
fully reusable launch vehicle that would be near the capabilities of
SpaceX's Falcon 9 rocket.
- Terran R is ``really an obvious evolution'' from the company's Terran 1
rocket, Relativity CEO Tim Ellis told CNBC, the latter of which is
scheduled to launch for the first time later this year.
- ``I've always been a huge fan of reusability. No matter how you look at
it ... making [a reusable rocket] has got to be part of that future,'' Ellis
added. [...]
https://www.cnbc.com/2021/02/25/relativitys-reusable-terran-rocket-competitor-to-spacexs-falcon-9.html
------------------------------
Date: Mon, 1 Mar 2021 15:34:36 PST
From: Peter Neumann <neumann@csl.sri.com>
Subject: Big data healthcare project raises privacy issues (M.K.McGee)
Marianne Kolbasuk McGee (HealthInfoSec), 26 Feb 2021
(healthcareinfosecurity.com)
Truveta Initiative Involves Sharing De-Identified Data From 14 Provider
Organizations
https://www.healthcareinfosecurity.com/big-data-healthcare-project-raises-privacy-issues-a-16077
[This is scary stuff. Massive potentials for misuse. PGN]
------------------------------
Date: Tue, 23 Feb 2021 17:32:20 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Contact-tracing apps help reduce COVID infections, data suggest
(Nature)
Evaluations find apps are useful, but would benefit from better integration into health-care systems.
https://www.nature.com/articles/d41586-021-00451-y
------------------------------
Date: Thu, 25 Feb 2021 12:25:11 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Can Zapping Our Brains Really Cure Depression? (NYTimes)
https://www.nytimes.com/2021/02/24/magazine/brain-stimulation-mental-health.html
"The brain is an electrical organ. Everything that goes on in there is a
result of millivolts zipping from one neuron to another in particular
patterns. This raises the tantalizing possibility that, should we ever
decode those patterns, we could electrically adjust them to treat
neurological dysfunction -- from Alzheimer's to schizophrenia -- or even
optimize desirable qualities like intelligence and resilience."
Brain tissue possesses plasticity: neural pathways can be molded. Adjust the
neural pathway, and the characteristic electrical impulses (pulse frequency
and amplitude) can modify human behavior and/or physiological response.
Exploring transcranial stimulation to treat depression suggests that
traditional therapies (talk + medicine) underachieve expected outcomes.
Depression is a significant public health disorder that requires priority
treatment.
The US CDC estimates that 4.7% of the population aged 18+ regularly
experiences feelings of depression.
(https://www.cdc.gov/nchs/fastats/depression.htm)
That's 0.047 * 255M =~ 12M people
(https://datacenter.kidscount.org/data/tables/99-total-population-by-child-and-adult-populations#detailed/1/any/false/1729,37,871,870,573,869,36,868,867,133/39,40,41/416,417 for 2019 population estimates).
The FDA assigns five product codes (OBP, OKP, QCI, QFF, QMD) for approved
medical devices based on transcranial stimulation. Visit
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm and apply
"transcranial" in the textbox to view medical device reports.
These devices typically apply electromagnetic induction (discovered by
Michael Faraday in 1831): a low-frequency, high-intensity magnetic field
therapeutically adjusts the brain's neural pathways, a personalized
electromagnetic pulse (EMP).
Patients report immediate change in emotional state when applied. Whether
or not these therapeutic devices yield persistent palliative relief from
symptomatic depression remains to be demonstrated.
Risk: Iatrogenic result.
------------------------------
Date: Thu, 25 Feb 2021 14:38:13 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Student Surveillance Vendor Proctorio Files SLAPP Lawsuit to
Silence A Critic (EFF)
Electronic Frontier Foundation
During the pandemic, a dangerous business has prospered: invading students'
privacy with proctoring software and apps. In the last year, we've seen
universities compel students to download apps that collect their face
images, driver's license data, and network information. Students who want
to move forward with their education are sometimes forced to accept being
recorded in their own homes and having the footage reviewed for suspicious
behavior.
Given these invasions, it's no surprise that students and educators are
fighting back against these apps. Last fall, Ian Linkletter, a remote
learning specialist at the University of British Columbia, became part of a
chorus of critics concerned with this industry.
Now, he's been sued for speaking out. The outrageous lawsuit -- which relies
on a bizarre legal theory that linking to publicly viewable videos is
copyright infringement -- will become an important test of a 2019 British
Columbia law passed to defend free speech, the Protection of Public
Participation Act, or PPPA.
https://www.eff.org/deeplinks/2021/02/student-surveillance-vendor-proctorio-files-slapp-lawsuit-silence-critic
------------------------------
Date: Mon, 1 Mar 2021 15:57:19 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Computers get Sundays off?
I griped yesterday (Sunday, Feb 28) to my money manager that my February
distribution hadn't been paid:
Today is last day of month, last business day was Friday -- no expected
deposit.
This needs to be reliable -- what happened?
This should be automatic?
Response:
Unfortunately, when the date of the distribution falls on a Saturday or
Sunday, it pushes the payment to the next business day which is today.
The funds should be posted to your account this morning. For your March
28 distribution, it will post to your banking account on Monday, March 29.
My response:
But that does seem strange -- computers don't work on Sundays? Funds
transfer networks take Sundays off? Surely these payments are made
automatically so what's the reason Sundays are skipped?
So I'm waiting for some nonsense justification. Friend speculated:
Whaddaya wanna bet this is some ancient rule that these can only happen on
biz days?
Really, every day's a business day these days. Credit card companies have no
problem with billing days on weekends. And customers can't tell them that
they're delaying payment to Monday. So payments should be made on
weekends. Or should be made Friday before, not Monday after.
------------------------------
Date: Mon, 1 Mar 2021 20:23:01 -0600
From: Ben Moore <ben.moore@juno.com>
Subject: Formula E's Software Communication Problem
`Incorrect software parameter' sends Formula E's Edoardo Mortara to
hospital: Brakes' fail-safe system failed (The Register)
https://www.theregister.com/2021/03/01/formula_e_bug/
Swiss Formula E driver Edoardo Mortara ended up in hospital after a software
error left him driving into a safety wall at the ABB FIA Formula E World
Championship in Diriyah, Saudi Arabia, on Saturday.
The Mercedes-EQ Team said they've managed to correct the software problem
and convince ruling body the FIA (Federation Internationale de l'Automobile)
that the problem has been resolved.
Former Audi driver Daniel Abt, who, prior to being suspended for cheating in
an online race last May, had a similar accident also attributed to braking
software, took note of the parallel circumstances.
The Diriyah race also saw a more alarming accident, involving driver Alex
Lynn (said to be well), and a missile interception over the city that
occurred in the midst of a fireworks display.
[Also noted by Tom Van Vleck. PGN]
------------------------------
Date: Tue, 2 Mar 2021 00:22:49 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Gig workers gather their own data to check the algorithm's math
(WiReD)
Drivers for Uber, Lyft, and other firms are building apps to compare their
mileage with pay slips. One group is selling the data to government
agencies.
https://www.wired.com/story/gig-workers-gather-data-check-algorithm-math/
------------------------------
Date: Tue, 2 Mar 2021 13:33:42 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: 'Drunk' robot vacuums spark complaints from owners (BBC News)
Owners of Roomba robot vacuums have complained the devices appear "drunk"
following a software update.
Problems include the machines "spinning around", constantly recharging or
not charging at all, and moving in strange directions.
The devices' maker iRobot has acknowledged its update had caused problems
for "a limited number" of its i7 and s9 Roomba models.
However, it added a fix would take "several weeks" to roll out worldwide.
In the meantime, the firm is asking those affected to share the serial
numbers of their devices so it can remove the most recent update.
Ken Munro is a cyber-security expert who specialises in security around the
Internet-of-things -- anything which is connected to the Internet. "Updates
usually add new features or fix security bugs in smart products," he said.
"They don't always go to plan though, sometimes introducing new bugs."
https://www.bbc.com/news/technology-56239454
What could ever go wrong with over-the-air updates of automotive software?
It'll be OK as long as it doesn't touch anything related to engine,
handling, navigation, safety, or infotainment. I can't wait.
------------------------------
Date: Tue, 23 Feb 2021 01:18:19 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Predictive Text Feature Coming to Microsoft Word in March (PCMag)
Over time, Word will learn and adapt to users' writing style while reducing
spelling and grammatical errors.
Redmond first tipped the text-prediction feature in September, when it had a
limited rollout for Word beta testers and Microsoft 365 Word on the web
users, as well as Outlook.com and Outlook on the web users in North
America. The idea is to help users "write more efficiently by predicting
text quickly and accurately," Microsoft said at the time.
https://www.pcmag.com/news/predictive-text-feature-coming-to-microsoft-word-in-march
What COULD go wrong with this... paving the way to even worse things than
demented spelling checkers.
------------------------------
Date: Sun, 28 Feb 2021 20:29:41 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Doctor joins Zoom court hearing while operating on patient
(BBC News)
A doctor in Sacramento, California joined a traffic court hearing on Zoom
while performing surgery on a patient.
Scott Green was dressed in surgical scrubs in an operating theatre when
he appeared at his virtual trial on Thursday, the Sacramento Bee reported.
When questioned by the judge, Mr Green said he was happy to go ahead, and
that he had "another surgeon right here who's doing the surgery with me".
The judge said that would not be "appropriate" and postponed the trial.
The Medical Board of California has now said in a statement that it would
look into the incident, adding that it "expects physicians to follow the
standard of care when treating their patients".
https://www.bbc.com/news/world-us-canada-56222317
The risk?
https://www.tvfanatic.com/quotes/whats-the-difference-between-god-and-a-doctor-god-knows-hes-not/
------------------------------
Date: Fri, 26 Feb 2021 16:55:46 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Carranza resigns as NYC schools chancellor; Meisha Porter will
replace him (NYTimes)
The New York Times
At issue was whether the city should continue to sort 4-year-olds into
gifted and talented classes through a selective admissions process. Mr. de
Blasio had said that the city would continue to offer an admissions exam for
toddlers this year, then announce a new admissions system before he leaves
office in January.
https://www.nytimes.com/2021/02/26/nyregion/richard-carranza-nyc-schools.html
What could go wrong with selecting 4-year old kids for enhanced learning,
leaving others behind?
Other issues here are desegregation and entrance criteria for New York's
specialized schools (one of which I attended, so I have an opinion on entrance
exams for them).
------------------------------
Date: Fri, 26 Feb 2021 12:08:57 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: New security flaws detected in more credit cards (Leo Hermann)
Leo Hermann, ETH Zurich (Switzerland), 22 Feb 2021
Security Flaw Detected for 2nd Time in Credit Cards
via ACM TechNews, Friday, February 26, 2021
A method for bypassing security measures to use certain credit and debit
cards without a PIN code has been uncovered by researchers at Switzerland's
ETH Zurich. Previously, the researchers had demonstrated that bypassing
security was possible using Visa cards, while the new research shows
security methods may be bypassed with Mastercard and Maestro cards by
exploiting the data exchanged between the card and the card terminal. The
method initially worked only with Visa cards, but the researchers were able
to manipulate the payment process so the card terminal performed a Visa
transaction and the card itself performed a Mastercard or Maestro
transaction. The researchers informed Mastercard of their findings, after
which the company updated the relevant safeguards.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-29a98x228c4ax070842&
------------------------------
Date: Fri, 26 Feb 2021 12:08:57 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: "Virtual computer chip tests expose flaws, protect against hackers"
(Matthew Sparkes)
Matthew Sparkes, *New Scientist*, 24 Feb 2021
via ACM TechNews, Friday, February 26, 2021
Researchers at the University of Michigan, Virginia Polytechnic Institute
and State University, and Google have accelerated computer-chip testing by
simulating chips and applying advanced software testing tools for analysis
of the simulations. Virtual testing lets engineers utilize fuzzing, a method
that monitors for unexpected results or crashes that can be reviewed and
corrected. The researchers had to modify software fuzzers to run over time,
rather than trigger a single input and wait for the response. This approach
enabled a chip that would usually take 100 days to test to be analyzed in
one day. The researchers think faster hardware testing could reduce
development time and bring more reliable, more secure next-generation chips
to market faster.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-29a98x228c4dx070842&
------------------------------
Date: Mon, 1 Mar 2021 11:21:05 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Is Your Browser Extension a Botnet Backdoor? (Krebs on Security)
A company that rents out access to more than 10 million Web browsers so that
clients can hide their true Internet addresses has built its network by
paying browser extension makers to quietly include its code in their
creations. This story examines the lopsided economics of extension
development, and why installing an extension can be such a risky
proposition.
Singapore-based *Infatica[.]io* is part of a growing industry of shadowy
firms trying to woo developers who maintain popular browser extensions --
desktop and mobile device software add-ons available for download from
*Apple*, *Google*, *Microsoft* and *Mozilla* designed to add functionality
or customization to one's browsing experience.
Some of these extensions have garnered hundreds of thousands or even
millions of users. But here's the rub: As an extension's user base grows,
maintaining them with software updates and responding to user support
requests tends to take up an inordinate amount of the author's time. Yet
extension authors have few options for earning financial compensation for
their work.
So when a company comes along and offers to buy the extension -- or pay the
author to silently include some extra code -- that proposal is frequently
too good to pass up.
For its part, Infatica seeks out authors with extensions that have at least
50,000 users. An extension maker who agrees to incorporate Infatica's
computer code can earn anywhere from $15 to $45 each month for every 1,000
active users. [...]
https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/
------------------------------
Date: Thu, 25 Feb 2021 15:16:49 PST
From: Peter Neumann <neumann@csl.sri.com>
Subject: When Companies Skimp on Cybersecurity (Bruce Schneier)
Why was SolarWinds so vulnerable to hackers?
Bruce Schneier, *The New York Times*, Op-Ed, 24 Feb 2021
Worth reading! Last paragraph:
In today's unregulated markets, it's just too easy for software companies
like SolarWinds to save money by skimping on security and to hope for the
best[*]. That's a rational decision in our free-market world, and the
only way to change that is to change the economic incentives.
[* Note: "Hoping for the *best*" is totally unrealistic. It's really more
like hoping that they get away with it even if there are failures that are
not too serious! However, RISKS readers know that everything can
potentially be compromised (at least by insiders, if not from outsiders). I
keep harping on the underlying problem that even if the software is not
flawed, total-system compromises may result from exploitation of hardware
vulnerabilities or errors. Thus the total-system supply chain is
particularly critical. PGN]
------------------------------
Date: Sun, 28 Feb 2021 13:06:56 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Former SolarWinds CEO blames intern for "solarwinds123" password
leak (CNNPolitics)
Washington (CNN) Current and former top executives at SolarWinds are blaming
a company intern for a critical lapse in password security that apparently
went undiagnosed for years.
The password in question, "solarwinds123," was discovered in 2019 on the
public Internet by an independent security researcher who warned the company
that the leak had exposed a SolarWinds file server.
https://www.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html
A system so insecure that an intern can compromise it.
------------------------------
Date: Mon, 1 Mar 2021 09:56:06 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Post Office scandal: Postmasters have convictions quashed
[Re: Error-prone software that reportedly ruined lives]
https://www.bbc.com/news/business-55271193
------------------------------
Date: Sat, 27 Feb 2021 20:30:15 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Objective or Biased
Less prejudice, more objectivity: An application process that is not
influenced by the personal preferences of a recruiter. That is the promise
of many AI companies entering the market worldwide, including a start-up
based in Munich.
According to the software developer, the artificial intelligence analyzes
tone of voice, language, gestures and facial expressions and creates a
behavioural personality profile. The application process will not only be
``faster, but also more objective and fair'', according to the start-up.
Apparently that sounds promising: the company has just received
seven-digit funding from investors. The start-up states that it cooperates
with DAX-listed companies; the brand logos of Lufthansa, BMW Group and ADAC
can be found on the website.
Similar products are already in use in the US. Hirevue, a company from the
US state of Utah, claims to have 700 companies as customers. Hirevue
products have drawn criticism from AI experts; the software's results were
considered to be opaque.
And yet, AI is considered a key technology and already now it's hard to
imagine a future without it -- also in recruiting.
For this reason, a team of reporters from Bayerischer Rundfunk (German
Public Broadcasting) performed several experiments with such a product,
taking a closer look at the software of a Munich-based start-up. [...]
https://web.br.de/interaktiv/ki-bewerbung/en/
------------------------------
Date: Sun, 28 Feb 2021 17:09:42 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Amazon's new rotating, follow-you camera is useful -- and invasive
(WashPost)
The Echo Show 10 tracks your movement to make sure you're always in the
frame on video calls. But it also doubles as a surveillance camera inside
your home.
https://www.washingtonpost.com/technology/2021/02/26/amazon-echo-show-10/
------------------------------
Date: Wed, 24 Feb 2021 10:50:58 +0000
From: Clive Page <clivegpage@gmail.com>
Subject: Vaccine passport certificates already exist (Re: Slade, RISKS-32.50)
I'd like to point out vaccine certificates have existed for many years, and
I've just dug mine out of the filing cabinet to look at it carefully. It is
a bright yellow booklet about the size of a passport but much thinner. It
is labeled in English and French "International Certificate of Vaccination
In accordance with the International Health Regulations of the World Health
Organisation". It is primarily for Yellow Fever, of course, but has pages
dedicated for Typhoid, Cholera, and "Other" which could surely cover
Covid-19. Mine has stamps on several pages, and I've carried it a few times
when visiting countries where Yellow Fever vaccination might be required.
My certificate reminds me to get another Yellow Fever vaccination by the end
of November 2021.
So the format exists, is WHO approved, and internationally recognised. It
is very easy to carry and read, does not require data connectivity, has no
battery to run down, and will never prompt me to update its software. No
doubt the current document format is easy to forge but that could easily be
improved as we know from modern plastic banknotes bearing holograms that
many countries now use (but perhaps not the USA yet?). Is it really
necessary to adopt a brand-new digital format that would require lengthy
negotiations to achieve international recognition when we already have
something in printed form that appears to work well?
[Clive, I was waiting for someone to post what you did since I ran Rob's
item. I did not have time to dig into the predecessors the way you have.
Thanks. PGN]
------------------------------
Date: Mon, 1 Mar 2021 15:51:48 +0000 (UTC)
From: Joe Weiss <joe.weiss@realtimeacs.com>
Subject: Texas power outages demonstrate grid cyber-vulnerability and
inadequacy of existing regulations (Control Global)
Following severe man-made or natural disasters, the grid and other critical
infrastructure are subject to cyberthreats but with much less
cyberprotection than normal. The recent Texas outages that were caused by
severe storms could have had the outages and recovery significantly impacted
by cyberthreats. The existing regulations and standards such as the NERC
CIPs were shown to be dangerously lacking. These gaps apply to all US
utilities and have been exploited resulting in wide-spread outages and
equipment damage. There is an opportunity to use the Texas experience to make
needed changes to regulations and guidance on cybersecurity of critical
infrastructures. It is evident that our adversaries are watching what
happened, how we are responding, and what is being done to prevent future
grid impacts. As such, resilience means addressing what could possibly be
expected. The solution to building and operating a more resilient grid and
other critical infrastructures lies with leadership in industry, government,
Congress, and stakeholders such as credit rating agencies and insurance
companies.
https://www.controlglobal.com/blogs/unfettered/texas-power-outages-demonstrate-grid-cyber-vulnerability-and-inadequacy-of-existing-regulations/
Respectfully, Joe
------------------------------
Date: Fri, 26 Feb 2021 08:16:15 -0700
From: "Keith Medcalf" <kmedcalf@dessus.com>
Subject: Re: His Lights Stayed on During Texas's Storm. Now He Owes $16,752
(RISKS-32.51)
> Under some of the plans, when demand increases, prices rise. The goal,
> architects of the system say, is to balance the market by encouraging
> consumers to reduce their usage and power suppliers to create more
> electricity.
This is the simplified view for the proletariat.
The market clearing price represents the marginal cost to "generate" one
additional MWh of power in the current clearing period for the current
supply and demand.
When fully operational this marginal price system (which is used in the
pricing of all demand-produced commodities ranging from Natural Gas, Oil and
Gasoline, to Electricity) is used to balance a more-or-less theoretical
price sensitive demand above baseload against the cost of production of that
commodity.
> But when last week's crisis hit and power systems faltered, the state's
> Public Utilities Commission ordered that the price cap be raised to its
> maximum limit of $9 per kilowatt-hour, easily pushing many customers' daily
> electric costs above $100. And in some cases, like Mr. Willoughby's, bills
> rose by more than 50 times the normal cost.
And this is the root of the problem -- political interference in the
operation of a perfectly good system by artificial setting of the marginal
price such that it did not represent current operational conditions.
It is entirely possible to have low demand and rolling blackouts and
at the same time a low (or negative) marginal price. Just because large
segments of the grid are offline does not affect the marginal price
of the supply/demand balance for the parts that are working.
> Many of the people who have reported extremely high charges, including
> Mr. Willoughby, are customers of Griddy, a small company in Houston that
> provides electricity at wholesale prices, which can quickly change based
> on supply and demand.
This is because it is obvious to anyone with even half a working brain-cell
that in the long run paying the marginal price is more cost effective than
paying a fixed price. If this were not the case, then all the offerers of
fixed pricing would be bankrupt because they would not be charging their
markup.
------------------------------
Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 32.52
************************