The RISKS Digest
Volume 29 Issue 83

Monday, 10th October 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Smart machines and the future of jobs
Jeffrey D. Sachs
Dutch Police connected to private cameras
Jurjen N. E. Bos
World's largest co-op of unfiltered flight data
Dan Jacobson
More on Samsung's battery problems
USA Today
Re: Undetectable election hacking?
Mark E. Smith
Yahoo: Buggy NSA rootkit; they did not install an NSA email scanner
NNSquad
Re: We have no Government email scanning programs
Peter Houppermans
Re: Yahoo scanned customer e-mails
Dimitri Maziuk
Re: A thought-provoking piece on collective creeping complacency
Robert I. Eachus
Info on RISKS (comp.risks)

Smart machines and the future of jobs (Jeffrey D. Sachs)

Dewayne Hendricks <dewayne@warpspeed.com>
October 10, 2016 at 7:44:11 AM EDT
[Note:  This item comes from reader Randall Head.  DLH]

Smart machines and the future of jobs
Jeffrey D. Sachs, *The Boston Globe*, 10 Oct 2016
http://www.bostonglobe.com/opinion/2016/10/10/smart-machines-and-future-jobs/tPxRJvLpgw0W3SPrifpxTN/story.html

Since the early 1800s, several waves of technological change have
transformed how we work and live. Each new technological marvel—the steam
engine, railroad, ocean steamship, telegraph, harvester, automobile, radio,
airplane, TV, computer, satellite, mobile phone, and now the Internet—has
changed our home lives, communities, workplaces, schools, and leisure
time. For two centuries we've asked whether ever-more-powerful machines
would free us from drudgery or would instead enslave us.

The question is becoming urgent. IBM's Deep Blue and other chess-playing
computers now routinely beat the world's chess champions. Google's DeepMind
defeated the European Go champion late last year. IBM's Watson has gone from
becoming the world's *Jeopardy* champion to becoming an expert medical
diagnostician. Self-driving cars on the streets of Pittsburgh are on the
verge of displacing Uber drivers. And Baxter, the industrial robot, is
carrying out an expanding range of assembly-line and warehouse operations.
Will the coming generations of smart machines deliver us leisure and
well-being or joblessness and falling wages?

The answer to this question is not simple. There is neither a consensus nor
deep understanding of the future of jobs in an economy increasingly built on
smart machines. The machines have gotten much smarter so fast that their
implications for the future of work, home life, schooling, and leisure are a
matter of open speculation.

We need to pursue policies so that the coming generation of smart machines
works for us, and our well-being, rather than humanity working for the
machines and the few who control their operating systems.

In a way, the economic effects of smarter machines are akin to the economic
effects of international trade. Trade expands the nation's economic pie but
also changes how the pie is divided. Smart machines do the same. In the
past, smarter machines have expanded the economic pie and shifted jobs and
earnings away from low-skilled workers to high-skilled workers. In the
future, robots and artificial intelligence are likely to shift national
income from all types of workers toward capitalists and from the young to
the old.

Consider England's Industrial Revolution in the first part of the 19th
century, when James Watt's steam engine, the mechanization of textile
production, and the railroad created the first industrial society. No doubt
the economic pie expanded remarkably. England's national income roughly
doubled from 1820 to 1860. Yet traditional weavers were thrown out of their
jobs; the Luddites, an early movement of English workers, tried to smash the
machines that were impoverishing them; and poet William Blake wrote of the
`dark Satanic mills' of the new industrial society. An enlarging economic
pie, yes; a new prosperity shared by all, decidedly not.

Looking back at two centuries of more and more powerful machines (and the accompanying technologies and systems to operate them), we can see one overarching truth: Technological advances made the society much richer but also continually reshuffled the winners and losers. Similarly, one overarching pattern was repeatedly replayed. The march of technology has favored those with more education and training. Smart machines require well-trained specialists to operate them. An expanded economic pie favors those with managerial and professional skills who can navigate the complexities of finance, administration, management, and technological systems.

Overall, better machines caused national income to soar and the man-hours
spent in hard physical labor to decline markedly. Seventy-hour workweeks in
1870 have become 35-hour workweeks today. An average of around six years of
schooling has become an average of 17 years. With increasing longevity, most
workers can now look forward to a decade or more of retirement years, an
idea simply unimaginable in the late 19th century. It's amazing to reflect
that for Americans 15 years and over, the average time at work each day is
now just 3 hours 11 minutes. Those at work average 7 hours and 34 minutes,
but only 42.1 percent of Americans 15 and over are at work on an average
day. The rest of the time, other than sleep and personal care, is taken up
with schooling, retirement, caring for children, leisure and sports,
shopping, and household activities.


Dutch Police connected to private cameras

"Jurjen N. E. Bos" <jurjen.bos@hetnet.nl>
Mon, 10 Oct 2016 18:20:49 +0200
The Dutch police decided it was a good idea to make a database allowing them
to connect to thousands of private surveillance cameras in order to be able
to better solve crimes.

http://cyberwarzone.com/dutch-government-connects-private-company-cameras-dutch-police-real-time-camera-monitoring-station/

What could possibly go wrong?


World's largest co-op of unfiltered flight data (Adsbexchange Thoughts on Security)

Dan Jacobson <jidanni@jidanni.org>
Mon, 10 Oct 2016 08:02:52 +0800
http://www.adsbexchange.com/2015/10/20/thoughts-on-security/

"Currently, our feeds are unfiltered. Please note that this information is
transmitted from each aircraft, in clear text, unencrypted over the air, and
participants are merely receiving it. Any concern that "bad guys" might use
this information needs to be tempered with the fact that anyone can easily
build their own basic receiver that can grab this information for less than
$100, and deploy it themselves without any help whatsoever. The folks over
at OpenBARR also know this.

This is by far not the only way to get "unfiltered" aircraft data over the
Internet. It is the most user-friendly, however.

Implementing filters would merely be "security theater" at this point.
Such "security theater" is very popular these days, however."


More on Samsung's battery problems (USA Today)

Monty Solomon <monty@roscom.com>
Sun, 9 Oct 2016 12:40:31 -0400
Samsung investigating third Note 7 that caught fire
http://www.usatoday.com/story/tech/2016/10/09/samsung-investigating-third-note-7-fire-incident/91822726/

Replacement Samsung Galaxy Note 7 burns Minn. teen
http://www.usatoday.com/story/tech/news/2016/10/08/replacement-samsung-galaxy-note-7-burns-minn-teen/91807068/


Re: Undetectable election hacking? (RISKS-29.82)

"Mark E. Smith" <mymark@gmail.com>
Sat, 8 Oct 2016 17:27:13 -0700
"Despite all the potential risks ahead, Eckhardt says, 'People should
vote. The only way that your vote for sure doesn't get counted is you don't
cast it.'"

In reality there are at least three other ways that your vote for sure
doesn't get counted:

1. The Electoral College vote does not follow the popular vote, as happened
   in 1876 and 1888, or if, as in 1824, neither candidate gets an Electoral
   College majority and the House of Representatives elects the President.

2. The Supreme Court steps in as it did in Bush v. Gore 2000 and stops the
   vote count.

3. One candidate concedes before all the votes have been counted, as then
   Presidential candidate John Kerry did in 2004.

I've excluded the many ways that hacking electronic registration systems,
voting machines, or central tabulators could ensure that votes aren't
counted or are miscounted, as most RISKS readers are certainly aware of
them.

Elections should be a political process, not a religion. Trusting
unverifiable systems is an act of faith, not an act of responsible
citizenship. Computer professionals whose patriotism causes them to ignore
systemic faults and defects, are themselves a risk to the public and to
public policy.

If I learn that a system vital to my survival cannot be trusted, I tend to
stop using it until or unless it has been fixed. Therefore, once I
understood that there was no way I could be certain that my vote would be
counted, I stopped voting. Nobody, no matter how highly credentialed and
respected, is going to convince me to have faith in an untrustworthy
system. If you want to gamble, risk your own money, but please don't bet the
whole country on it.


Yahoo: Buggy NSA rootkit; they did not install an NSA email scanner

Lauren Weinstein <lauren@vortex.com>
Fri, 7 Oct 2016 09:46:19 -0700
NNSquad
http://boingboing.net/2016/10/07/yahoo-didnt-install-an-nsa-e.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29

  The picture that's emerging is pretty bizarre. Some top Yahoo executive(s)
  gave the US government the go-ahead to install a rootkit on the
  mail-processing servers. The Yahoo security team were not consulted on
  this (Alex Stamos, former Yahoo CSO, quit the company to become Facebook's
  CSO around then, and the initial Reuters report by Joseph Menn says that
  he left over this issue). The security team discovered the software
  independently, raised the alarm, and were told not to meddle with it. The
  NSA (or FBI), and anyone who figured out how to exploit the rootkit, had
  potentially unlimited, undetectable access to all Yahoo users' data.

True? False? Who the hell knows out here! What a mess.


Re: We have no Government email scanning programs (RISKS-29.82)

Peter Houppermans <peter@houppermans.net>
Sun, 9 Oct 2016 15:51:42 +0200
Apologies for tabling a slightly annoying factoid, but the statement of
those companies that they have no government scanning programs is
misleading, irrelevant and in one particular case even disingenuous.

Let's start with the misleading and irrelevant part: their statement omits
the magic words "right now" or "that we are allowed to tell you about".

What Yahoo disclosed was something that any provider can be legally
compelled to, and not just in the US.  Providers may fight any such demands,
but the fact remains that what happened with and to Yahoo was perfectly
legal.  What makes this troublesome is not that law enforcement has the
tools to fight crime, but the fact that in many countries it is possible to
force surveillance on a company without much in the way of due process,
transparency or protection of the rights of the people under surveillance
(imagine, for instance, their messages getting into other hands, a staple of
most government espionage programs).  This makes their statements pretty
much irrelevant—you will never be able to tell otherwise.

The disingenuous one in this lineup is Google, as that *does* have an email
scanning program, just not a *government* one (that it can tell anyone
about), see "Your content in our services" at http://google.com/accounts/tos.
You'll find the relevant bit of text right
after the part where they changed "in perpetuity" to something less alarming
but which has still the same meaning.  I guess their hope is that people
eventually forget this.


Re: Yahoo scanned customer e-mails (Marking, RISKS-29.82)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Sun, 9 Oct 2016 13:52:52 -0500
> Why can't we have a new standard, designed to work with the major browsers
> and e-mail vendors—maybe built on PGP—that would take the encryption
> responsibility out of the hands of the e-mail providers,

For one thing, because encryption is downright illegal in Chernarus and
requires a separate government license in Freedom.

If an e-mail vendor automagically pushes encrypting javascript into a
customer's browser, the customer now possesses potentially restricted
and/or illegal content in their browser's caches.

There is any number of interesting musings here:

* Can I successfully argue my innocence in court by denying any
knowledge of illegal content on my hard drive? Think kiddie pr0n in browser
cache.

* Is the vendor legally responsible? Think about search engines being sued
for content they find—Yahoo being both search and e-mail vendor (not only
Yahoo of course).

* Do vendors provide different services in different jurisdictions (and/or
refuse to operate in some), effectively turning the Ein Internet into a set
of walled enclaves? Some decry it as the end of the world as we know
it. Personally I think it already happened when ICANN approved international
domain names: there is a whole lot of sites out there whose names I couldn't
read, understand, and/or type on my keyboard. As far as I'm concerned they
never existed and I've never missed any of them. Not to mention all those
Google in the PRC stories.

* And then of course there's history of PGP itself, in which sending
encryption javascript from a server in Takistan to a browser in any other
country makes the vendor guilty of treason. But writing that same javascript
down on a piece of paper and flying it out of the country in checked luggage
is apparently OK.

Encryption is fun.


Re: A thought-provoking piece on collective creeping complacency (RISKS-29.81)

"Robert I. Eachus" <rieachus@comcast.net>
Wed, 5 Oct 2016 09:46:06 -0400
Sigh!  There were a lot of mistakes made before the Deepwater Horizon's well
blew out.  There were even more errors during the months before the well was
successfully capped.  But most articles miss entirely the major failure both
before and after the blowout.  The Macondo Prospect contains perhaps the
highest proportion of methane of any deep undersea well.  As was discovered
when the first "Top Hat" attempt was made to cap the well, some of this
methane was in the form of methane clathrate.  In other words, there was
water in the Macondo formation, and as a result, what the well produced was
a clathrate/oil slurry which changed from free flowing to molasses with a
few degrees change in temperature--or with a change in pressure.

About a month before the Macondo blowout, new metastable forms of methane
clathrate [familiarly known as *hydrate* in the industry.  PGN] were found
to have significantly different densities, both above and below 1.0 (density
of water).  The result was that the wellhead crew had no clue as to what was
below them, liquid, solid, or gas.  And once some of the clathrate got warm
enough to emit methane gas, the fate of the Deepwater Horizon was sealed. [*]
If the BOP had successfully cut the downhole pipe, the amount of gas and oil
spilled would have been much less.  But once you have gas forming deep in
the well string, there will be a blowout.  And in this case, the blowout
apparently occurred above the BOP.

* The pressure in the top few thousand feet of pipe would drop.  When it
  dropped below the pressure at which the clathrate in the pipe was stable,
  there would be an explosion.  This is the significance of the new
  metastable clathrates.  They could only form below 5000 feet, but one is
  metastable up to about 10 atmospheres (100 meters).

    [This may seem a little less "computer-related" than usual for RISKS,
    but it is still highly relevant to the total-system "what went wrong"
    scenarios, as discussed in extraordinary detail by Boebert and Blossom.
    There is also apparently some dispute in the industry as to the dynamics
    of hydrate capture and release as described here by Robert, but such
    details are rather out of scope for RISKS.  PGN]
