The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 77

Friday 16 September 2016

Contents

Tesla fatal crash in Baarn, The Netherlands
Erling Kristiansen
Self-driving cars would cause 4.1 million jobs to disappear
PGN
Modern healthcare commentary on medical device security
Kevin Fu
Colin Powell, in Hacked Emails, Shows Scorn for Trump and Irritation at Clinton
NYTimes
After Colin Powell's Hacked Emails, am I Next?
Shear/Fandos via Henry Baker
Russian Hackers Leak U.S. Star Athletes' Medical Information
NYTimes
New Documents Released From Hack of Democratic Party
NYTimes
Sowing Doubt Is Seen as Prime Danger in Hacking Voting System
NYTimes
Fire drill knocks ING bank's data centre offline
paul cornish
Data center crippled by loud noise
BBC via Mark Trumpler
Free Wi-Fi Kiosks Were to Aid New Yorkers. An Unsavory Side Has Spurred a Retreat
NYTimes
'Command and Control': Common Errors, Nuclear Arms and Consequences
NYTimes via Monty Solomon
Bloomberg: This Loophole Ends the Privacy of SSNs
Gabe Goldberg
Re: Dangerous Galaxy Note 7 & AirAsia X flight from Sydney to Malaysia ends up in Melbourne
PGN
Re: PC without OS
Dimitri Maziuk
Re: How One GMO Nearly Took Down the Planet
Chris Drewe
Info on RISKS (comp.risks)

Tesla fatal crash in Baarn, The Netherlands

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Tue, 13 Sep 2016 10:21:06 +0200
A Tesla model-S car crashed into a tree at high speed on 7 September in
Baarn, The Netherlands, killing the driver. The impact caused parts of the
battery to be scattered around, causing small fires that were difficult to
extinguish.  The car itself also caught fire after some time.  The rescue
team did not dare approach the wreckage for fear of electrocution.

The driver was already dead (did the rescue workers know for sure?), but
what if there had been survivors inside the wreck?

Tesla stated within a day that telemetry showed that the speed at impact was
155 km/h (about 95 mph) and that the "autopilot" mode was not enabled.

I want to make two points:

1. The battery of electric cars, not only Tesla's, presents a hazard in case
   of a violent accident that is only starting to be realized, in particular
   if the battery is severely damaged.

2. The fact that Tesla was able to provide detailed data from telemetry
   shows the extent to which they are following their cars.  This should
   raise serious privacy concerns.  And, of course, what guarantees are
   there that the manufacturer is telling the truth?  If the car is somehow
   to blame, would they tell?

  [A little browsing turned up somewhat diverse reports.  In any event, if
  the "autopilot" was not involved, this might reinforce Don Norman's
  argument that semi-automated cars are inherently dangerous, and that total
  automation is ultimately necessary.  PGN]


Self-driving cars would cause 4.1 million jobs to disappear

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 16 Sep 2016 11:22:29 PDT
In a paper in which very large bold-faced article titles can sometimes take
up as much space as the article, the front page of today's Palo Alto and
Mid-Peninsula *Daily Post* has this squib in The Update section:

  SELF-DRIVING CARS: When the self-driving car revolution takes hold, 4.1
  million jobs will disappear, according to Wolf Richter of the Wolf of Wall
  Street blog, citing government statistics.  Among the jobs to go will be
  those of chauffeurs, truck drivers and bus drivers.  He said the jobs will
  go away faster than society is prepared to deal with it.


Modern healthcare commentary on medical device security

Kevin Fu <kevinfu@umich.edu>
Wed, 14 Sep 2016 15:55:25 -0400
Commentary: Hospitals need better cybersecurity, not more fear
http://www.modernhealthcare.com/article/20160914/NEWS/160919950/commentary-hospitals-need-better-cybersecurity-not-more-fear

Kevin Fu, EECS Department, The U. of Mich.  web.eecs.umich.edu/~kevinfu/


Colin Powell, in Hacked Emails, Shows Scorn for Trump and Irritation at Clinton

Monty Solomon <monty@roscom.com>
Thu, 15 Sep 2016 20:13:01 -0400
The disclosures ripped away the diplomatic jargon and political niceties of
a former secretary of state with a sober and thoughtful reputation.

http://www.nytimes.com/2016/09/15/us/politics/colin-powell-emails-hack-donald-trump.html


After Colin Powell's Hacked Emails, am I Next?

Henry Baker <hbaker1@pipeline.com>
Fri, 16 Sep 2016 08:11:43 -0700
What's good for the goose is good for the gander; what took YOU
Congresspeople so long to wake up?

"There but for the grace of God go all of us"

"In Pakistan, politicians often agree to speak to reporters in person only
after removing phone batteries"

The good news: expect quick action on an email security bill without back
doors.

The bad news: expect an all-out attack on FOIA, which requires saving govt
emails for all time.

http://www.nytimes.com/2016/09/16/us/politics/email-hacking-colin-powell-congress.html

Michael D. Shear and Nicholas Fandos, *The New York Times*, 15 Sep 2016
Concern Over Colin Powell's Hacked Emails Becomes a Fear of Being Next

A panicked network anchor went home and deleted his entire personal Gmail
account.  A Democratic senator began rethinking the virtues of a flip phone.
And a former national security official gave silent thanks that he is now
living on the West Coast.

The digital queasiness has settled heavily on the nation's capital and its
secretive political combatants this week as yet another victim, former
Secretary of State Colin L. Powell, fell prey to the embarrassment of seeing
his personal musings distributed on The Internet and highlighted in news
reports.

"There but for the grace of God go all of us," said Tommy Vietor, a former
National Security Council spokesman for President Obama who now works in San
Francisco.  He said thinking about his own email exchanges in Washington
made him cringe, even now.  "Sometimes we're snarky, sometimes we are rude,"
Mr. Vietor said, recalling a few such moments during his time at the White
House.  "The volume of hacking is a moment we all have to do a little soul
searching."

The Powell hack, which may have been conducted by a group with ties to the
Russian government, echoed the awkwardness of previous leaks of emails from
Democratic National Committee officials and the C.I.A. director, John
O. Brennan.  The messages exposed this week revealed that Mr. Powell
considered Donald J. Trump a "national disgrace," Hillary Clinton "greedy"
and former Vice President Dick Cheney an "idiot."

The latest hack could well spur a new rash of email deletions across the
country as millions of people scan their sent mail for anything
compromising, humiliating or career-destroying.  It adds to the sense that
everyone is vulnerable.

The soul searching is happening with a special urgency in Washington, where
email accounts burst with strategies, delicate political proposals, gossipy
whispers and banal details of girlfriends, husbands, bank accounts and
shopping lists.  [Long item truncated for RISKS.  PGN]


Russian Hackers Leak U.S. Star Athletes' Medical Information

Monty Solomon <monty@roscom.com>
Tue, 13 Sep 2016 22:12:58 -0400
Documents, published this week, showed Simone Biles and Serena and Venus
Williams received exemptions to use banned drugs.
http://www.nytimes.com/2016/09/14/sports/simone-biles-serena-venus-williams-russian-hackers-doping.html


New Documents Released From Hack of Democratic Party

Monty Solomon <monty@roscom.com>
Thu, 15 Sep 2016 12:34:55 -0400
New Documents Released From Hack of Democratic Party
http://www.nytimes.com/2016/09/14/us/politics/dnc-hack.html

A hacker known as Guccifer 2.0, who American officials believe has ties to
Russia, released a second batch of documents purportedly stolen from the
Democratic National Committee.


Sowing Doubt Is Seen as Prime Danger in Hacking Voting System

Monty Solomon <monty@roscom.com>
Thu, 15 Sep 2016 12:34:48 -0400
http://www.nytimes.com/2016/09/15/us/politics/sowing-doubt-is-seen-as-prime-danger-in-hacking-voting-system.html


Fire drill knocks ING bank's data centre offline

paul cornish <paul.a.cornish@googlemail.com>
Tue, 13 Sep 2016 12:59:03 +0100
Apparently the nozzles used in the fire suppression systems create sound
with enough volume to damage hard disks!
  http://www.bbc.co.uk/news/technology-37337868


Data center crippled by loud noise (BBC)

Mark Trumpler <mtrumpler@alum.syracuse.edu>
Mon, 12 Sep 2016 20:04:32 -0400
The BBC reports that the test of a fire suppression system in the Romanian
data center of ING caused many of its systems to fail, resulting in outages
of ATM and other services.  The root cause is thought to be the loud noise
(about 130 dB) emitted by the high pressure gas discharge.

http://www.bbc.com/news/technology-37337868


Free Wi-Fi Kiosks Were to Aid New Yorkers. An Unsavory Side Has Spurred a Retreat

Monty Solomon <monty@roscom.com>
Fri, 16 Sep 2016 09:49:01 -0400
http://www.nytimes.com/2016/09/15/nyregion/internet-browsers-to-be-disabled-on-new-yorks-free-wi-fi-kiosks.html

The operator is shutting off the Internet browsers because they have drawn
people who linger for hours, sometimes drinking, using drugs or watching
pornography.   [Is this surprising?  PGN]


'Command and Control': Common Errors, Nuclear Arms and Consequences

Monty Solomon <monty@roscom.com>
Tue, 13 Sep 2016 22:20:03 -0400
The film documents a 1980 accident in a missile silo in Arkansas that showed
just how vulnerable the nation’s most fearsome weapons can be.

http://www.nytimes.com/2016/09/14/movies/review-command-and-control-common-errors-nuclear-arms-and-consequences.html


Bloomberg: This Loophole Ends the Privacy of SSNs

Gabe Goldberg <gabe@gabegold.com>
Thu, 15 Sep 2016 22:24:06 -0400
  [Bloomberg, 15 Sep 2016]

Hold on tight to that number.

Federal law is supposed to protect the privacy of your Social Security
number from government inquiries—but apparently that doesn't extend to a
check on whether you've paid back taxes and child support. In a decision
with worrying implications for those who oppose a single national
identification number, a divided federal appeals court has rejected a
lawyer's refusal to submit his Social Security number along with his renewal
of Maryland bar membership.

To read the entire article, go to http://bv.ms/2cLpZel

Of course, Medicare numbers have for years been SSNs. Camouflaged
wonderfully by addition of a tricky trailing letter.


Re: Dangerous Galaxy Note 7 & AirAsia X flight from Sydney to Malaysia ends up in Melbourne (RISKS-29.76)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 16 Sep 2016 11:12:32 PDT
... and U.S. safety regulators yesterday announced a formal recall of
Samsung's Galaxy Note 7 smartphone after a spate of fires led to injuries
and property damage ...

  [Here's why Samsung Note 7 phones are catching fire:]
https://www.cnet.com/news/why-is-samsung-galaxy-note-7-exploding-overheating/


Re: PC without OS (Sayer, RISKS-29.76)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Mon, 12 Sep 2016 17:51:29 -0500
When one looks up non sequitur, one should find

> ... PC makers have no obligation to offer you a machine without an OS, the
> European Union's highest court has ruled.

therefore

> "Consumers have no right to buy a PC without an OS, European court rules"


Re: How One GMO Nearly Took Down the Planet (Goldberg, RISKS-29.75)

Chris Drewe <e767pmk@yahoo.co.uk>
Mon, 12 Sep 2016 17:56:54 +0100
Difficult to disagree that GMOs are beyond the scope of RISKS, but I feel
that how these things are debated is very relevant.  Trouble is, people look
in terms of safe vs. dangerous, good vs. bad, wrong vs. right, etc. when of
course in real life it's risks vs. other risks, not quite safe vs. slight
danger, and possible conflicts between safety requirements and other
considerations.

> Trade-offs are fine—necessary to get anything done.

Absolutely...

Big problem with contentious subjects like GMOs (banned in the EU anyway),
nuclear power, hydraulic fracturing for shale gas & oil, and so forth is
that the actual issues are swamped by hysteria and political posturing (and
any publicity document which starts with "let's look at the facts" is pretty
sure not to contain any facts...).

One example: in the UK, trains have a good safety record, but on the rare
occasions when something bad happens, there are demands to spend huge
amounts of money on improving safety.  The railways only have two sources of
money, fares and subsidies from taxes, so spending more money on train
safety either means more-expensive fares, which may mean people deciding to
travel by road instead, putting themselves at a much greater risk, or the
Government diverting money from other health/safety-related budgets.  But of
course road deaths are just one of those things, while train crashes are a
crime against humanity.  (Most rail-related deaths are trespassers and
suicides which are effectively intentional so difficult for railway
operators to prevent.)

Another point worth debating is "profit before safety", as however much is
spent on safety, it's always possible to spend more, but money is not
unlimited.  A commercial organisation has to make a profit or it goes bust,
but also has to avoid a poor safety reputation or customers will go
elsewhere, while prices must also be competitive to attract customers in the
first place.  A fine balancing act, and when something does go wrong it's
easy to be wise after the event.  At least commercial organisations do have
to worry about their reputations, which Government monopolies don't.

The relevance of all this to RISKS is that more and more safety-related
systems are becoming software-controlled, as well as Internet-linked, thus
interconnected and potentially hackable.
