The RISKS Digest
Volume 30 Issue 17

Saturday, 4th March 2017

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Michelin Star Mix-Up Throws a Working-Class Bistro Into a Media Storm
The NYTimes
Hard Drive LED Allows Data Theft From Air-Gapped PCs
Eduard Kovacs
California Law Enforcement Union Sues To Block Police Accountability
How the Secret Service Protects the President Against New Cyber-threats
The Internet is already dead
Michael Grant
Shhh! That Helpful Robot May Pose a Security Risk
John Markoff
Driverless cars have trouble seeing humans on bicycles
IEEE Spectrum
Oscars screwup and Asiana 214 crash
Phil Smith III
Use of the Red Cross in a video game
Paul Robinson
"Physical data is inherently less secure than digital"
The Register via Neil Youngman
Hacked texts from family of former Trump campaign manager surface on the dark web
What if tomorrow it's the Church of Scientology?
Kelly Bert Manning
Software Engineer detained by U.S. Customs
Google's anti-trolling AI can be defeated by typos, researchers find
Ars Technica
FCC chair wants carriers to block robocalls from spoofed numbers
Ars Technica
Human error caused Amazon Web Services outage, Apple iCloud service issues
Malcolm Owen
Full statement by Amazon regarding AWS S3 outage and actions
via LW
Radiolab podcast: CRISPR assassinations
Austin Burt via Henry Baker
A warning from Bill Gates, Elon Musk, and Stephen Hawking
Quincy Larson
Uber's data-sucking app is dangerously close to malware
Mike Isaac and Buster Hein via Henry Baker
Re: Science
Re: WiReD—Product is Mis-Identified
Re: WiReD
Mike Spencer
Re: Oscars screwup and Asiana 214 crash
Dan Skwire
Re: overloaded parentheses
Tony Finch
Re: The AI Threat Isn't Skynet
David Brodbeck
Re: Prominent medical quackery website removed from Google search results
David Damerell
Info on RISKS (comp.risks)

Michelin Star Mix-Up Throws a Working-Class Bistro Into a Media Storm

Monty Solomon <>
Sun, 26 Feb 2017 12:38:42 -0500

Le Bouche à Oreille, a modest restaurant in central France, got an accolade
intended for a high-end restaurant of the same name.

Hard Drive LED Allows Data Theft From Air-Gapped PCs (Eduard Kovacs)

"Peter G. Neumann" <>
Sun, 26 Feb 2017 14:21:48 PST
For those RISKS readers who believe air-gapping is not strong enough
protection, here is one more risk to go along with Stuxnet-like attacks.
This one involves being able to extract information with reasonable
bandwidth, rather than altering the system.

Eduard Kovacs, *Security Week*, 23 Feb 2017
Hard Drive LED Allows Data Theft From Air-Gapped PCs

Researchers at Ben-Gurion University of the Negev in Israel have disclosed
yet another method that can be used to exfiltrate data from air-gapped
computers, and this time it involves the activity LED of hard disk drives

California Law Enforcement Union Sues To Block Police Accountability

"Alister Wm Macintyre \(Wow\)" <>
Sun, 26 Feb 2017 18:24:04 -0600

The Los Angeles County Sheriff's Department has collected the names of about
300 deputies who have a history of past misconduct—such as domestic
violence, theft, bribery and brutality—that could damage their credibility
if they testify in court.

Sheriff Jim McDonnell wants to send the names to prosecutors, who can decide
whether to add them to an internal database that tracks problem officers in
case the information needs to be disclosed to defendants in criminal trials.

Prosecutors may never see this information, thanks to the police union's
belief that officers shouldn't be held accountable for anything.

The union's position is a Brady violation. [The defense is supposed to have
access to information relevant to the case, part of the constitutional right
to know the whole story behind the prosecution. AWM]

[Why are such persons even still on the payroll? AWM]

A court has ruled in favor of the union.
[This case has huge implications for other US police and justice. AWM]

The union's arguments are that sharing this information violates privacy of
officers, whose misconduct may have been so long ago that the statute of
limitations has been passed so they can no longer be held accountable for
ancient mistakes.  Plus it is additional punishment on top of what happened
when some of them were caught, long ago.

[This could be resolved by the passed info identifying the nature of the
misconduct, and when it happened. AWM]

The 300 persons are about 3% of the total 9,100 force.

[Perhaps via FOIA, defense lawyers should seek the list. That might make it
public, which is not currently what the Sheriff Dept trying to do]

How the Secret Service Protects the President Against New Cyber-threats (Fortune)

Gabe Goldberg <>
Wed, 1 Mar 2017 23:00:38 -0500
Foiling assassins and breaking up bank scams is all in a day's work for
Secret Service agents. But in recent years, the job has grown harder.
Today, agents must also protect the President against a host of new Internet
threats and track criminals to far-flung places.

The Secret Service, which began as a Civil War anti-counterfeiting squad,
today has a mission that lies at the intersection of Washington, Wall
Street, and the Internet. To get an idea of how the storied agency is faring
in the cyber age, Fortune spoke to a long-time veteran of the service and
others familiar with its work.  Cyber Threats to the President

If you picture a Secret Service agent, he would probably look like Scott
Sarafian, a tall and clean-cut figure in a navy suit with specks of gray in
his hair. Sarafian speaks deliberately and likes to use a lot of
acronyms. We met on a cold morning at the Secret Service field office in
downtown Brooklyn, N.Y.

The office is on a top floor of a tall building and offers stunning views of
New York harbor and the banking temples of lower Manhattan.  Many people
don't know the original mission of the Secret Service, which was part of the
Treasury Department until 2003, was to solve financial crimes. It was only
in 1901, following the assassination of William McKinley, that Congress gave
the agency its second mission of protecting the President.

When it comes to protection, there is danger from lone lunatics like John
Hinckley Jr., who tried to shoot President Ronald Reagan but was foiled as
brave Secret Service agents used their bodies to block bullets. But there
also are more subtle threats, including the growing number of everyday
objects that are connected to the Internet and are susceptible to hacking.

Gabriel Goldberg, Computers and Publishing, Inc.
3401 Silver Maple Place, Falls Church, VA 22042   (703) 204-0433

The Internet is already dead

Michael Grant <>
Fri, Mar 3, 2017 at 12:46 AM
  via Geoff Goodfellow

It's been replaced by Facebook, Google, Microsoft, Apple, Twitter, Snapchat.

Soon (and it's already happening) you will see Google, MS, FB offer Internet
service itself.  It's already happening.

None of these companies have any incentive to stop cybersecurity problems.
Their answer will be to stop using email, stop using the web and only use
their own apps and this becomes the Internet.  It's already begun.

The end has already occurred, you just haven't noticed it yet.

Shhh! That Helpful Robot May Pose a Security Risk (John Markoff)

"Peter G. Neumann" <>
Fri, 3 Mar 2017 15:31:49 PST
John Markoff, *The New York Times*, 2 Mar 2017

In the coming age of robotics, many of those autonomous machines will be
Internet-connected and mobile.

What could possibly go wrong?  [...]

Driverless cars have trouble seeing humans on bicycles (ieee)

"Alister Wm Macintyre \(Wow\)" <>
Mon, 27 Feb 2017 11:10:34 -0600

Oscars screwup and Asiana 214 crash

"Phil Smith III" <>
Mon, 27 Feb 2017 14:19:41 -0500
For those who watched the Academy Awards last night, the screwup with the
Best Picture award was interesting to me, in that it show-cased how mostly
smart people are.  Beatty clearly sensed that something was wrong when he
saw a person's name as well as a film title; I assume that in the heat of
the moment, coupled with the gravity of the moment, he didn't feel it was
right to just stop and say "This has gotta be wrong". (And my sister pointed
out that he was smart enough to had it off to Dunaway—let HER get it
wrong; a kinder interpretation is "Hmm, maybe she'll understand it better,
not be confused", but that obviously didn't happen.)

This incident strikes me as similar in kind to the Asiana crash, where the
co-pilot felt that they were too low but didn't speak up. I realize there's
been lots of discussion of crew management with regard to that crash, and
obviously relating a silly 30-second confusion at an awards show to loss of
life and a $xxxM aircraft is a stretch, but there are similarities. "Trust
your instincts", we're told, but also "Don't make waves" and "The show must
go on". Cognitive dissonance, resulting in bad outcomes.

I also wonder if any Vegas bets got paid out quickly after the original
announcement, and what happened if so. I'm guessing it isn't quite that
fast-and because of just this kind of error.

Use of the Red Cross in a video game

Paul Robinson <>
Tue, 28 Feb 2017 02:15:45 +0000 (UTC)
There has been quite a bit of concern after the makers of the video game
Prison Architect were sent a (relatively polite) cease and desist e-mail
from the British Red Cross telling them not to use objects with the red
cross symbol on it as it is protected by the Geneva Convention. They chose
to make a change.

So a number of people are somewhat concerned how no one said anything before
given the number of games where a red cross is clearly used, such as health
packs in DOOM, among other places.  The makers of Prison Architect are
British, and the UK does not have free speech protections, therefore the
British Red Cross can strongarm them about this issue.

Most video game manufacturers are American companies. Thematic elements in a
game are part of the story told, and are thus fully protected by the First
Amendment. As such, absent the material being shown on the box art or in
some fashion claiming that the use of this protected symbol was approved by
the American or International Red Cross, it is highly unlikely a court would
stop the use of the Red Cross in the gameplay as it is merely a storytelling
device and does not substantially violate the protection of the symbol with
respect to its use in combat as specified by the Geneva Convention.

Paul Robinson <>— (My blog)

"Physical data is inherently less secure than digital"

Neil Youngman <>
Tue, 28 Feb 2017 16:15:21 +0000
This quote raised a wry smile: "Physical data is inherently less secure than
digital—it's difficult to trace, goes missing easily and is often open to

The full quote goes on to add "While digital records have their own set of
challenges, with the right foresight and security and compliance mechanisms
in place, it's far less likely to go missing or be subject on this scale to
the same issues of human error".

RISKS readers will, I'm sure, have their own take on the relative security
of physical and digital records.

Hacked texts from family of former Trump campaign manager surface on the dark web (TechCrunch)

"Peter G. Neumann" <>
Tue, 28 Feb 2017 13:38:08 PST

  As Politico reports, a data dump making the rounds on the dark web reveals
  over 280,000 text messages sent and received by Paul Manafort's daughter,
  Andrea. Manafort, the former chairman of Trump's presidential campaign,
  resigned in August 2016 after increased scrutiny around his connection to
  pro-Russia figures in Ukraine.  In the texts, Andrea Manafort states that
  her father's "work and payment in Ukraine is legally questionable" and
  calls the wealth her father accumulated for his involvement with former
  President of Ukraine Viktor Yanukovyc "blood money." Yanukovyc, who faces
  treason charges in Ukraine, is now in exile in Russia.  The hack appears
  to have been carried out by accessing a backup of Andrea Manafort's iPhone
  data, which was either stored locally on a computer or synced to an iCloud
  account. Politico's report doesn't name the "hacktivist collective" that
  posted the files, nor does an earlier blog post claiming to have first
  noticed them. Last week, Politico reported that Manafort had been a
  blackmail target while serving the Trump campaign, a revelation that
  appears to be drawn from the same website as the texts.

What if tomorrow it's the Church of Scientology?

Kelly Bert Manning <>
Tue, 28 Feb 2017 18:05:29 -0500 (EST)
Mark Thorson commented about removing potential results from Google and
asked "What if tomorrow it's the Church of Scientology? "

Yeah so?

Should we expect Google to give equal time to Religious objections to
searches about the Big Bang, Evolution and Geology because some religions
take a contrary view?

Google Search Results are an opinion; as a non-governmental entity, even
operating in the USA, Google is not constrained take a neutral role in
providing opinions about religious subject searches, no matter whose ox that
may gore.

That is called Freedom of Speech / Publication.

As a secular person I see the frequent classification of Scientology as a
Money Generating Commercial Scheme cloaked in a Religious Trappings as no
different from other Religious After Life Insurance Frauds.

Reasonable people can form different opinions, starting with the same facts.

Scientology tells us that Psychiatry is bunk, trust the e-meter and Auditor
instead. Some Christian Religions tell us to Pray rather than taking our
children to doctors, or giving them insulin, antibiotics or vaccinations.

Concluding that those suggestions are superstitious frauds used to collect
cash is not an unreasonable opinion to arrive at.

Software Engineer detained by U.S. Customs (CNBC)

"Peter G. Neumann" <>
Wed, 1 Mar 2017 13:48:22 PST
A software engineer is detained for several hours by U.S. Customs—and
given a test to prove he's an engineer

  To Omin—who now hadn't slept in more than 24 hours—the questions
  seemed opaque and could have multiple answers. While he is a skilled
  software engineer with more than seven years of experience, Omin later
  tells me that the questions looked to him like someone with no technical
  background Googled something like, "Questions to ask a software engineer."
  (The U.S. Customs and Border Protection agency did not respond to multiple
  requests for comment made by LinkedIn over phone and email by the time
  this story went to press.)  With no context or guidelines on how to answer
  the questions, Omin, "too tired to even think," sat down and tried his
  best. But when he handed his answers back after about 10 minutes of work,
  the official told him his answers were wrong.  "No one would tell me why I
  was being questioned," Omin told me by phone. "Every single time I asked
  [the official] why he was asking me these questions, he hushed me... I
  wasn't prepared for this. If I had known this was happening beforehand, I
  would have tried to prepare."

Google's anti-trolling AI can be defeated by typos, researchers find

Lauren Weinstein <>
Wed, 1 Mar 2017 10:12:32 -0800

  But that AI still needs some training, as researchers at the University of
  Washington's Network Security Lab recently demonstrated. In a paper
  published on February 27, Hossein Hosseini, Sreeram Kannan, Baosen Zhang,
  and Radha Poovendran demonstrated that they could fool the Perspective AI
  into giving a low toxicity score to comments that it would otherwise flag
  by simply misspelling key hot-button words (such as "iidiot") or inserting
  punctuation into the word ("i.diot" or "i d i o t," for example). By
  gaming the AI's parsing of text, they were able to get scores that would
  allow comments to pass a toxicity test that would normally be flagged as

It'll get better. But this still applies for now:

FCC chair wants carriers to block robocalls from spoofed numbers (Ars Technica)

Lauren Weinstein <>
Fri, 3 Mar 2017 10:19:35 -0800
Ars Technica via NNSquad

  The proposed rules would let providers "block spoofed robocalls when the
  spoofed Caller ID can't possibly be valid."  Providers would be able to
  block numbers that aren't valid under the North American Numbering Plan
  and block valid numbers that haven't been allocated to any phone company.
  They'd also be able to block valid numbers that have been allocated to a
  phone company but haven't been assigned to a subscriber.

Unfortunately, since this would apply only to illegitimate numbers, this is
likely to be of only extremely limited value.  Robocallers have long since
learned that spoofed numbers that don't look legit are likely to be
ignored. So they routinely "borrow" legit numbers of legit subscribers to
spoof, causing even more hassles for everyone.  This rule is likely to
exacerbate this problem.

Human error caused Amazon Web Services outage, Apple iCloud service issues (Malcolm Owen)

geoff goodfellow <>
Thu, 2 Mar 2017 10:31:27 -1000
Malcolm Owen,, 02 Mar 2017

Tuesday's major Amazon Web Services outage was caused through human error,
the retailer has confirmed, with the downtime that impacted a number of
online services, including Apple's, traced back to a single wrongly-entered
command performed during debugging.

The note to customers <> for the S3
(Simple Storage Service) disruption for the US-East-1 region advises the
team were working on an issue that caused the S3 billing system run slower
than expected. One team member executed a command from an "established
playbook" to take down a small number of servers used for a subsystem in the
billing process, but mistakenly took down more than required.

"Unfortunately, one of the inputs to the command was entered incorrectly and
a larger set of servers was removed than intended," the Amazon note states.

Full statement by Amazon regarding AWS S3 outage and actions

Lauren Weinstein <>
Thu, 2 Mar 2017 11:11:02 -0800
NNSquad, Amazon,

  Summary of the Amazon S3 Service Disruption in the Northern Virginia
  (US-EAST-1) Region We'd like to give you some additional information about
  the service disruption that occurred in the Northern Virginia (US-EAST-1)
  Region on the morning of February 28th. The Amazon Simple Storage Service
  (S3) team was debugging an issue causing the S3 billing system to progress
  more slowly than expected. At 9:37AM PST, an authorized S3 team member
  using an established playbook executed a command which was intended to
  remove a small number of servers for one of the S3 subsystems that is used
  by the S3 billing process.  Unfortunately, one of the inputs to the
  command was entered incorrectly and a larger set of servers was removed
  than intended. The servers that were inadvertently removed supported two
  other S3 subsystems.  One of these subsystems, the index subsystem,
  manages the metadata and location information of all S3 objects in the
  region.  This subsystem is necessary to serve all GET, LIST, PUT, and
  DELETE requests. The second subsystem, the placement subsystem, manages
  allocation of new storage and requires the index subsystem to be
  functioning properly to correctly operate. The placement subsystem is used
  during PUT requests to allocate storage for new objects. Removing a
  significant portion of the capacity caused each of these systems to
  require a full restart. While these subsystems were being restarted, S3
  was unable to service requests. Other AWS services in the US-EAST-1 Region
  that rely on S3 for storage, including the S3 console, Amazon Elastic
  Compute Cloud (EC2) new instance launches, Amazon Elastic Block Store
  (EBS) volumes (when data was needed from a S3 snapshot), and AWS Lambda
  were also impacted while the S3 APIs were unavailable.

  S3 subsystems are designed to support the removal or failure of
  significant capacity with little or no customer impact. We build our
  systems with the assumption that things will occasionally fail, and we
  rely on the ability to remove and replace capacity as one of our core
  operational processes.  While this is an operation that we have relied on
  to maintain our systems since the launch of S3, we have not completely
  restarted the index subsystem or the placement subsystem in our larger
  regions for many years. S3 has experienced massive growth over the last
  several years and the process of restarting these services and running the
  necessary safety checks to validate the integrity of the metadata took
  longer than expected. The index subsystem was the first of the two
  affected subsystems that needed to be restarted. By 12:26PM PST, the index
  subsystem had activated enough capacity to begin servicing S3 GET, LIST,
  and DELETE requests. By 1:18PM PST, the index subsystem was fully
  recovered and GET, LIST, and DELETE APIs were functioning normally.  The
  S3 PUT API also required the placement subsystem. The placement subsystem
  began recovery when the index subsystem was functional and finished
  recovery at 1:54PM PST. At this point, S3 was operating normally. Other
  AWS services that were impacted by this event began recovering. Some of
  these services had accumulated a backlog of work during the S3 disruption
  and required additional time to fully recover.

  We are making several changes as a result of this operational event. While
  removal of capacity is a key operational practice, in this instance, the
  tool used allowed too much capacity to be removed too quickly. We have
  modified this tool to remove capacity more slowly and added safeguards to
  prevent capacity from being removed when it will take any subsystem below
  its minimum required capacity level. This will prevent an incorrect input
  from triggering a similar event in the future. We are also auditing our
  other operational tools to ensure we have similar safety checks. We will
  also make changes to improve the recovery time of key S3 subsystems. We
  employ multiple techniques to allow our services to recover from any
  failure quickly. One of the most important involves breaking services into
  small partitions which we call cells.  By factoring services into cells,
  engineering teams can assess and thoroughly test recovery processes of
  even the largest service or subsystem. As S3 has scaled, the team has done
  considerable work to refactor parts of the service into smaller cells to
  reduce blast radius and improve recovery.  During this event, the recovery
  time of the index subsystem still took longer than we expected. The S3
  team had planned further partitioning of the index subsystem later this
  year.  We are reprioritizing that work to begin immediately.

  From the beginning of this event until 11:37AM PST, we were unable to
  update the individual services' status on the AWS Service Health Dashboard
  (SHD) because of a dependency the SHD administration console has on Amazon
  S3. Instead, we used the AWS Twitter feed (@AWSCloud) and SHD banner text
  to communicate status until we were able to update the individual
  services' status on the SHD.  We understand that the SHD provides
  important visibility to our customers during operational events and we
  have changed the SHD administration console to run across multiple AWS

  Finally, we want to apologize for the impact this event caused for our
  customers. While we are proud of our long track record of availability
  with Amazon S3, we know how critical this service is to our customers,
  their applications and end users, and their businesses. We will do
  everything we can to learn from this event and use it to improve our
  availability even further.

Radiolab podcast: CRISPR assassinations

Henry Baker <>
Mon, 27 Feb 2017 17:26:36 -0800
Have you given your DNA to 23&me ?
You could be assassinated with your own DNA.

In addition to the risks of CRISPR already identified—e.g., "gene drive",
which enables a malware worm-like takeover of an entire species—this
Radiolab podcast (link below) mentions the ability to build a DNA-specific
killer pill.  While this killer pill was envisioned as a way to kill a
specific bacteria or cancer, it could be programmed to kill *any* organism
having a specific DNA sequence.

So, if you had someone's DNA sequence, you could fashion a pill that would
kill *only that particular person*, with no effect on everyone else.

If you were a little more sophisticated, you could fashion a pill that would
kill *every member of someone's family*, but no one else.

Finally, if you did a lot of work, after which you could reliably
distinguish a human being's *race* by his/her DNA, then you could fashion a
pill that would kill only members of that *race*, but no one else.  A 21st
Century Nazi-like government would no longer need railroad cars and showers.

If you don't think that governments have started thinking along these lines,
you're incredibly naive.  Why send helicopters and Seals to catch Bin Ladin
at great expense & risk, when you already have his (or his family's) DNA?
Just throw a little killer pill (or liquid) into his entire neighborhood --
or the local water supply, and only Bin Ladin or his close blood relatives
will die.

I think it's time to do a little Perl-clutching regarding this risk.
Update: CRISPR
Friday, February 24, 2017—05:00 PM

Site-specific selfish genes as tools for the control and genetic engineering
of natural populations

Austin Burt
Published 7 May 2003.DOI: 10.1098/rspb.2002.2319

A warning from Bill Gates, Elon Musk, and Stephen Hawking (Quincy Larson)

Dewayne Hendricks <>
Sun, Feb 26, 2017 at 5:44 AM
[Note:  Be sure to checkout some of the videos that are linked to in the
article. For instance, the one about AmazonGo.  DLH]

Quincy Larson, FreeCodeCamp, 19 Feb 2017

Stephen Hawking: “The automation of factories has already decimated jobs in
traditional manufacturing, and the rise of artificial intelligence is likely
to extend this job destruction deep into the middle classes, with only the
most caring, creative or supervisory roles remaining.''  There's a rising
chorus of concern about how quickly robots are taking away human jobs.

Here's Elon Musk on Thursday at the the World Government Summit in Dubai:

“What to do about mass unemployment? This is going to be a massive social
challenge. There will be fewer and fewer jobs that a robot cannot do better
[than a human]. These are not things that I wish will happen. These are
simply things that I think probably will happen.''

And today Bill Gates proposed that governments start taxing robot workers
the same way we tax human workers:

“You cross the threshold of job-replacement of certain activities all sort
of at once. So, you know, warehouse work, driving, room cleanup, there's
quite a few things that are meaningful job categories that, certainly in the
next 20 years [will go away].''  Jobs are vanishing much faster than anyone
ever imagined.

In 2013, policy makers largely ignored two Oxford economists who suggested
that 45% of all US jobs could be automated away within the next 20 years.
But today that sounds all but inevitable.

Transportation and warehousing employ 5 million Americans

Those self-driving cars you keep hearing about are about to replace a lot
of human workers.

Currently in the US, there are:

  * 600,000 Uber drivers
  * 181,000 taxi drivers
  * 168,000 transit bus drivers
  * 505,000 school bus drivers

There are also around 1-million truck drivers in the US. And Uber just
bought a self-driving truck company.

As self-driving cars become legal in more states, we'll see a rapid
automation of all of these driving jobs. If a one-time $30,000 truck
retrofit can replace a $40,000 per year human trucker, there will soon be a
million truckers out of work.

And it's not just the drivers being replaced. Soon entire warehouses will be
fully automated.

I strongly recommend you invest 3 minutes in watching this video. It shows
how a fleet of small robots can replace a huge number of human warehouse

There are still some humans working in those warehouses, but it's only a
matter of time before some sort of automated system replaces them, too.

8 million Americans work as retail salespeople and cashiers.

Many of these jobs will soon be automated away.

Amazon is testing a type of store with virtually no employees. You just walk
in, grab what you want, and walk out.  [...]

Uber's data-sucking app is dangerously close to malware

Henry Baker <>
Fri, 03 Mar 2017 15:35:40 -0800
FYI—An article about the Uber app as malware is several years old, but
today's NYTimes article "How Uber Used Secret Greyball Tool to Deceive
Authorities Worldwide" explains for the first time one of the real reasons
for Uber's prurient interest in its users' data:

Mike Isaac, *The New York Times*, 3 Mar 2017
How Uber Used Secret Greyball Tool to Deceive Authorities Worldwide
Uber's Tactics to Avoid Law Enforcement

Now that we know these reasons for Uber's spying, it becomes clear what
information below could be used to track authorities who are trying to catch
Uber drivers in illegal activities.  Uber's bloated app size (215MBytes on
iOS) can be seen as an all-out assault on every user's privacy.

Buster Hein—11:22 am, November 26, 2014
Uber's data-sucking Android app is dangerously close to malware [updated]

Uber has been sideswiped by a ridiculous number of controversies lately, but
things are about to get even worse for the ride-sharing service.  A security
researcher just reverse-engineered the code of Uber's Android app and made a
startling discovery: It's "literally malware."

Digging into the app's code, GironSec discovered the Uber app "calls home"
and sends data back to Uber.  This isn't typical app data, though.  Uber has
access to users' entire SMSLog even though the app never requests
permission.  It also accesses call history, Wi-Fi connections used, GPS
locations and every type of device ID possible.

The app even checks your neighbor's Wi-Fi and retrieves info on the router's
capabilities, frequency and SSID.  News of the app's vulnerability was first
posted on Hacker News with the charming intro, "TLDR: Uber's Android app is
literally malware."  One developer commenting on the revelation said there
isn't "any reason for Google not to immediately remove this app from the
store permanently and ban whatever developer uploaded it.  There should
probably be legal action."

Here's the full list of all the data Uber is collecting through its Android
app (we're checking to see if the iOS version works the same way):

-- Accounts log (Email)
-- App Activity (Name, PackageName, Process Number of activity, Processed id)
-- App Data Usage (Cache size, code size, data size, name, package name)
-- App Install (installed at, name, package name, unknown sources enabled, version code, version name)
-- Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
-- Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, IP, MAC address, manufacturer, model, OS platform, product, SDK code, total disk space, unknown sources enabled)
-- GPS (accuracy, altitude, latitude, longitude, provider, speed)
-- MMS (from number, MMS at, MMS type, service number, to number)
-- NetData (bytes received, bytes sent, connection type, interface type)
-- PhoneCall (call duration, called at, from number, phone call type, to number)
-- SMS (from number, service number, SMS at, SMS type, to number)
-- TelephonyInfo (cell tower ID, cell tower latitude, cell tower longitude, IMEI, ISO country code, local area code, MEID, mobile country code, mobile network code, network name, network type, phone type, SIM serial number, SIM state, subscriber ID)
-- WifiConnection (BSSID, IP, linkspeed, MAC addr, network ID, RSSI, SSID)
-- WifiNeighbors (BSSID, capabilities, frequency, level, SSID)
-- Root Check (root status code, root status reason code, root version, sig file version)
-- Malware Info (algorithm confidence, app list, found malware, malware SDK version, package list, reason code, service list, sigfile version)

Uber might have a legitimate reason to use most of this info in the app,
perhaps for fraud detection or an intelligence-gathering tool.  The problem
is that the information is being sent and collected by Uber's servers
without users' knowledge or permission.

Sen. Al Franken sent a letter to Uber CEO Travis Kalanick last week
demanding the company account to the public for its data gathering.  The
letter came as a response to a recent controversy where an Uber executive
threatened to spy on and blackmail journalists who wrote unfavorable
articles about the company.  Uber's "God View" tool, which gives company
insiders unlimited access to riders' data, has also been a cause of concern
in recent weeks.

Cult of Mac asked Uber for comment on the collection and transmission of the
data its Android and iOS apps are performing, but haven't received a

Update: Uber has provided some clarification to the company's data
gathering, noting that the blanket access is actually a requirement from
Google, which forces Android developers to ask for privacy permissions up

Uber spokeswoman Lara Sasken released the following statement to Cult of Mac:

"Access to permissions including Wifi networks and camera are included so
that users can experience full functionality of the Uber app.  This is not
unique to Uber, and downloading the Uber app is of course optional."

Recode notes that Uber-competitor Lyft requests access to the same data on
Android.  Unlike iOS and Windows, Android developers are encouraged to
request access to more user data than their apps actually need.  The Uber
app on Android exposes some the mobile operating system's weakness in
privacy compared to iOS and Windows, both of which allow users to refuse
access to data on an case-by-case basis.

Additional information on Android permissions can be found on Uber's site
here, but not every feature is explained.

Re: Science (Lauren Weinstein, RISKS-30.16)

Wols Lists <>
Sun, 26 Feb 2017 22:29:23 +0000
My beef with the modern Science world is that so much scientific stuff
is written in the third person. As such, it actively avoids personal
responsibility, and it claims an authoritative air—which often is a
smokescreen for pretending to be in the know, rather than actually being

If you read lectures by famous scientists of old, I suspect you will
find they are mostly in the first person, and are much more accessible
to the general public as a result.

Re: WiReD—Product is Mis-Identified (Bechtel, RISKS-30.15)

westhawk <>
Sun, 26 Feb 2017 20:34:20 +0000
>> wired sells articles
> No.  It sells eyeballs.

It does both.

If you don’t want to see ads, you can pay and subscribe to the ad-free
version of Wired, which I’ve done. I enjoy a much quicker page load time, no
distracting animations and the satisfaction that I’m not the product…
Reduced malware risks are an additional bonus.

Re: WiReD (Bechtel, RISKS-30.15)

Mike Spencer
Mon, 27 Feb 2017 03:34:45 -0400
Overlooked here have been those of us still on dialup or other slow
connections.  The web becomes unusable if to read, say, 45K of text, your
browser attempts to fetch 2M or more of assorted javascript, video, cycling
image sequences and more.  It's bad enough that there is a trend to put all
that into the base page—say, 450K of inline SVG image data, font
definitions, js, style blocks etc. around that 45K of text.

I have a wobbly congeries of hacks and workarounds using, as well, an old
browser that simply doesn't support or can disable some of the useless bumpf
including js.  Occasionally a page will accuse me of running an ad blocker
but it's detecting that I'm just not fetching all the useless crap
referenced by the page.

It's getting harder and harder to use the web on a slow connection.  I just
scratch the worst-offending sites from my life and carry on.  Sadly, some of
those sites are major news sites or otherwise of significance.  Too bad, I'm

Michael Spencer, Nova Scotia, Canada

Re: Oscars screwup and Asiana 214 crash

Dan Skwire <>
Mon, 27 Feb 2017 15:19:59 -0500

Yes we saw the awards. Come to think of it I didn't see the usual dog and
pony show bringing out the Price Waterhouse accountants. Did they?

And are they the ones who stuff the envelopes? Probably not. So who is
legally "liable" for the damages to the Academy Awards show? Were there any
"damages" at all? Was there economic loss of any sort or is there a net gain
because more people will watch next year, hoping for a similar car crash?

We did a lot of skipping back and forth during the show but didn't want to
miss *The New York Times* commercial. We didn't. Not a spectacular multimedia
deal but to the point and really appreciated by us.

4800 Country Meadows Boulevard, Sarasota,FL 34235
"First Fault Software Problem Solving"

Re: overloaded parentheses (O'Keefe, RISKS 30.16)

Tony Finch <>
Sun, 26 Feb 2017 22:07:06 +0000
Possibly the language with the most enthusiastic overloading of parentheses
was ALGOL 68. Together with other punctuation, they could be used as
abbreviations for:

( )          expression grouping
( ; )        begin ... ; ... end
( | )        if ... then ... fi
( | | )      if ... then ... else ... fi
( | |: | )   if ... then ... elif ... else ... fi
( | | )      case ... in ... out ... esac
( | |: | | ) case ... in ... ouse ... in ... out ... esac

I think `if` and `case` are disambiguated by the type (mode, in Algol 68
terminology) of the controlling expression, boolean or integer.

Re: The AI Threat Isn't Skynet (RISKS-30.16)

David Brodbeck <>
Sun, 26 Feb 2017 19:41:15 -0800
In RISKS 30.16, Chris Drewe asked, "so what did happen to the leisure
boom?"  Which is a question I've thought about quite a bit, because I
remember being promised the same thing by futurists when I was young.

I think it pretty clearly ran into the fact that it's generally preferable
for a business to employ a small number of full-time workers, or better yet
non-employee contractors, instead of a large number of part-time staff.
This is both for microeconomic reasons (administrative costs, etc.) and
macroeconomic ones (keeping the supply/demand ratio for labor high,
ensuring low wages.)

Futurists simply didn't see the perverse incentives involved in the labor

The result of higher worker productivity, then, is the same work is being
accomplished while employing fewer people.  In an efficient free market
wages would drop, the supply of labor would decrease in response, and the
market would re-balance.  But people can't just leave the labor force,
because they need money to buy food and shelter.

The result is a win/win for employers.  Not only do they employ fewer
people, they can drive wages down!  The money saved, of course, goes to the
business owners and shareholders, concentrating money at the top.

So in the end, instead of a leisure boom, automation led to a whole segment
of society either living precariously from contract job to contract job, or
living with relatives because they can't make enough money to live on their
own. It's led to wealth concentration.  Circumstantial evidence suggests
it's even led to shorter lifespans, at least in certain areas of the US.

AI can only make this worse. If AI researchers are over-optimistic, then it
will be slightly less worse than is currently projected, but that's about
the best we can hope for.

I'm not sure what the end game is, or how to make it better.  Basic income
has a certain logic to it, but runs smack into powerful cultural ideas
about work and morality.  As politicians in the US often remind us, the
Bible says, "he who will not work, neither shall he eat."  I'm genuinely
worried it will end with a lot of people starving.

Re: Prominent medical quackery website removed from Google search results (Thorson, RISKS-30.16)

David Damerell <>
Wed, 1 Mar 2017 00:28:09 +0000
> On the one hand, I agree with the anti-quackery motive, but removing quite
> possibly the most trafficked "alternative" medicine website from search
> results is disturbing to me.

There was no "anti-quackery motive", nor even the familiar story of
some piece of automation somewhere going crazy, but instead some piece
of automation acting in a reasonable fashion and as intended.

There's a risk in jumping to conclusions.

Please report problems with the web pages to the maintainer