The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 18

Wednesday 15 March 2017

Contents

Hacking Our Nuclear Weapons
Bruce G. Blair
Caveat Emptor Redux: vibrations are remotely tracked!
PGN
Malware found preinstalled on 38 Android phones used by 2 companies
Gabe Goldberg
Why is it so hard to trace an anonymous bomb threat?
The Verge
Secrecy surrounds White House cybersecurity staff shakeup
ZDNet
Scamville visit
WiReD via Gabe Goldberg
The night Zombie Smartphones Took Down 911
Ryan Knutson
Police typo in IP address led to an innocent father's arrest for pedophilia
Matthew Champion
There's always a [mis]use case for data
Jeremy Epstein
FBI Director James Comey: "Americans have no right to expect absolute privacy"
CNN
Aging voting machines: an old risk
jared gottlieb
The World Wide Web's inventor warns it's in peril on 28th anniversary
Jon Swartz
92% of Federal Sites Fail to Meet Security, Performance Standards
ITIF via Gabe Goldberg
Dangerous industrial robots
Nancy Leveson
AI's PR Problem
MIT Tech Review
These Adorable Robots are Roaming DC Streets with Food Inside
Patch via Gabe Goldberg
Consumer Reports Launches Digital Standard to Measure Privacy, Security
via Gabe Goldberg
Avast Cybercapture of personal files
Benoit Goas
Prominent English-language newspaper removed from Wikipedia
Mark Thorson
Re: Hinckley and Pres. Reagan, was: How the Secret Service Protects the President ...
danny burstein
Re: Science
Sue Willis
Gerrit Muller
Re: Google's anti-trolling AI can be defeated by typos
Dave Horsfall
Re: CRISPR assassinations
Robert R. Fenichel
Re: Hard Drive LED Allows Data Theft From Air-Gapped PCs
Kelly Bert Manning
Re: California Law Enforcement Union Sues To Block Police Accountability
Sam Steingold
Re: Software Engineer detained by U.S. Customs
Kelly Bert Manning
Non-detachable "What-is-this" metadata should be included in information
David A Wheeler
Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking
Arthur Flatau
Risks of automated fast-food service
Paul Robinson
Re: The AI Threat Isn't Skynet
Chris Drewe
Re: Wired
John Alexander Stewart
GOP senators to let ISPs sell, without opt-out opportunity: your PII; geo travels; Web browsing data
Ars Tech
Info on RISKS (comp.risks)

Hacking Our Nuclear Weapons (Bruce G. Blair)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 14 Mar 2017 10:12:13 PDT
Bruce G. Blair, *The New York Times*, 14 Mar 2017

  It is tempting for the United States to exploit its superiority in
  cyberwarfare to hobble the nuclear forces of North Korea or other
  opponents.  As a new form of missile defense, cyberwarfare seems to offer
  the possibility of preventing nuclear strikes without the firing of a
  single nuclear warhead.

  But as with many things involving nuclear weaponry, escalation of this
  strategy has a downside: U.S. forces are also vulnerable to such attacks.

The subtitle of this article is this:

  "Loose security invites a cyberattack with possibly horrific
  consequences."

The chickens are coming home to roost—or is it the Russians and the
Chinese who have been eating our lunch?  RISKS readers know that nothing is
secure enough, and that almost everything is vulnerable.  Also,
misinformation abounds to mask or otherwise obfuscate the truth.


Caveat Emptor Redux: vibrations are remotely tracked!

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 14 Mar 2017 16:18:36 PDT
http://www.npr.org/sections/thetwo-way/2017/03/14/520123490/vibrator-maker-to-pay-millions-over-claims-it-secretly-tracked-use

http://ottawacitizen.com/business/local-business/lawsuit-over-internet-connected-sex-toys-settled-for-3-75-million-us

  [Several of you noted this egregious and flagrant privacy violation.
  Here's just one more example of trusting something that is inherently
  untrustworthy!  PGN]


Malware found preinstalled on 38 Android phones used by 2 companies

Gabe Goldberg <gabe@gabegold.com>
Mon, 13 Mar 2017 19:15:46 -0400
Interesting because these phones *come* with malware, aren't infected during
use...

https://arstechnica.com/security/2017/03/preinstalled-malware-targets-android-users-of-two-companies/


Why is it so hard to trace an anonymous bomb threat? (The Verge)

Monty Solomon <monty@roscom.com>
Wed, 15 Mar 2017 10:08:28 -0400
http://www.theverge.com/2017/3/14/14913118/jcc-bomb-threats-anonymous-phone-calls-pdx-hacking


Secrecy surrounds White House cybersecurity staff shakeup

Gabe Goldberg <gabe@gabegold.com>
Wed, 15 Mar 2017 12:31:23 -0400
The Chief Information Security Officer for the White House's Executive
Office of the President has been removed from his position, sources have
confirmed.

Cory Louie was appointed to the position by former President Obama in 2015,
charged with keeping safe the staff closest to the president—including
the president himself—from cyber-threats posed by hackers and
nation-state attackers.

But circumstances surrounding his departure, weeks after President Donald
Trump took office, remain unclear.

It's thought he was either fired or asked to resign last Thursday evening,
and he was escorted out from his office in the Eisenhower Executive Office
Building across the street from the West Wing.

http://www.zdnet.com/article/white-house-chief-information-security-officer-departs/

Brilliant, politicize cybersecurity.

Meanwhile, Trump was given a new smartphone, a similar lock-down device that
his predecessor had, but reportedly also uses his old, outdated Samsung
Galaxy phone to tweet—stirring frustration and mockery alike from
security experts.


Scamville visit

Gabe Goldberg <gabe@gabegold.com>
Mon, 13 Mar 2017 18:35:27 -0400
Listen to Tech Support Scam Calls That Bilk Victims Out of Millions
https://www.wired.com/2017/03/listen-tech-support-scam-calls-bilk-millions-victims/


The night Zombie Smartphones Took Down 911 (Ryan Knutson)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 4 Mar 2017 18:56:01 PST
Ryan Knutson, *The Wall Street Journal*, 3 Mar 2017
https://www.wsj.com/articles/how-a-cyberattack-overwhelmed-the-911-system-1488554972


Police typo in IP address led to an innocent father's arrest for pedophilia (Matthew Champion)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Mon, 13 Mar 2017 11:50:48 -0600
This Is What It's Like To Be Wrongly Accused Of Being A Pedophile
Because Of A Typo By Police

Matthew Champion, *BuzzFeed*, Mar. 10, 2017, at 1:06 a.m.

https://www.buzzfeed.com/matthewchampion/this-mans-life-was-destroyed-by-a-police-typo

"[Nigel Lang] was told that when police requested details about an IP
address connected to the sharing of indecent images of children, one extra
keystroke was made by mistake, sending police to entirely the wrong physical
location."


There's always a [mis]use case for data

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Thu, 9 Mar 2017 08:28:02 -0500
In my work over the past few decades, I'm often asked when I suggest that a
vulnerability might cause an unacceptable risk, "but *why* would someone
want to do that".  (I'm sure this happens to all of us in the security
business.)  And sometimes it's hard to identify a believable use case, and
as a result the risk gets dismissed.  It's frustrating, because I don't
always have a crystal ball, but readers of this list know that almost
anything good will also be used for evil at some point.

And here's an example: the risk is that tracking data for wild animals
frequently isn't encrypted.  The initial response might be "so what", they
don't have the same privacy concepts as people do.  But it turns out that
photographers are using the information to find & photograph the animals
(which makes them less afraid of people), and poachers are using the
information to find & kill the animals.

The technical risks aren't surprising at all; the use case is what I found
interesting.

https://www.helpnetsecurity.com/2017/03/06/hack-animal-tracking-systems/


FBI Director James Comey: "Americans have no right to expect absolute privacy"

geoff goodfellow <geoff@iconia.com>
Thu, 9 Mar 2017 10:49:10 -1000
FBI Director James Comey—who has previously attacked Apple for refusing
to create a weak version of iOS to allow government access to iPhones—has
said that Americans have no right to expect absolute privacy. *CNN* has a
video clip of Comey making the statement yesterday at a Boston College
conference on cybersecurity.


Aging voting machines: an old risk

jared gottlieb <jared@netspace.net.au>
Sun, 12 Mar 2017 13:53:22 -0600
In recent years computer risk discussion about voting machines has focused
on high-tech issues. A recent AP newswire item reminds us of an old risk --
obsolete media.

States scramble for funding to upgrade aging voting machines
http://bigstory.ap.org/article/0bd8b3ceec964c43865c726072eb6ac8/states-scramble-funding-upgrade-aging-voting-machines

At least once a year, staffers in one of Texas' largest election offices
scour the web for a relic from a bygone technology era: Zip disks. ...


The World Wide Web's inventor warns it's in peril on 28th anniversary (Jon Swartz)

geoff goodfellow <geoff@iconia.com>
Sat, 11 Mar 2017 17:46:45 -1000
Jon Swartz, USA Today, 11 Mar 2017

Tim Berners-Lee, who invented the World Wide Web, now wants to save it.

The computer scientist who wrote the blueprint for what would become the
World Wide Web 28 years ago today is alarmed at what has happened to it in
the past year.

"Over the past 12 months, I've become increasingly worried about three new
trends, which I believe we must tackle in order for the web to fulfill its
true potential as a tool which serves all of humanity," he said in a
statement issued from London. He cited compromised personal data and fake
news, which he says has "spread like wildfire."

"Even in countries where we believe governments have citizens' best
interests at heart, watching everyone, all the time is simply going too
far," he said, in an allusion to WikiLeaks' disclosure of what documents
claim is a vast CIA surveillance operation. "It creates a chilling effect on
free speech and stops the web from being used as a space to explore
important topics, like sensitive health issues, sexuality or religion."
<http://www.usatoday.com/story/news/2017/03/07/11-tools-tricks-and-hacks-cia-leak-target-users/98867416/>
<https://motherboard.vice.com/en_us/article/chilling-effect-of-mass-surveillance-is-silencing-dissent-online-study-says>

When Berners-Lee submitted his original proposal for the Web, he imagined it
as an open platform that would allow everyone, everywhere to share
information, access opportunities and collaborate across geographic and
cultural boundaries.

But his faith, and those of privacy advocates and cybersecurity experts, has
been badly shaken by a series of high-profile hacks and the dissemination of
fake news through the use of data science and armies of bots.
<http://www.usatoday.com/story/tech/talkingtech/2017/03/11/carl-bernstein-fake-news-cnn-sxsw/99058792/>

Front and center: The WikiLeaks bombshell. The treasure trove of more than
8,000 pages reads like a John Le Carre spy novel overrun with Edward
Snowden-like protagonists. The CIA, with sophisticated hacking tools, has
been angling to turn popular consumer devices such as iPhones, Samsung TVs
and Android smartphones into surveillance devices, the documents indicate.
<http://www.usatoday.com/story/tech/talkingtech/2017/03/11/how-keep-safe-digitally-wikileaks-age/99020126/>,

Imagine that Big Brother scenario extended to the millions of smart devices
such as digital thermostats and fire alarms feeding the Internet of Things
ecosystem, and you have a problem that could eviscerate the privacy of
billions of people, say security experts.

Berners-Lee is just the latest high-profile technologist to share concerns
over what former Cisco Systems executive Monique Morrow calls a fundamental
assault on privacy and cybersecurity, with critical infrastructure --
banking systems, the grid—hanging in the balance. "How do we use
technology responsibly?" she asked at a SXSW talk in Austin Saturday...
http://www.usatoday.com/story/tech/news/2017/03/11/world-wide-webs-inventor-warns-s-peril/99005906/


92% of Federal Sites Fail to Meet Security, Performance Standards

Gabe Goldberg <gabe@gabegold.com>
Thu, 9 Mar 2017 16:58:50 -0500
Washington, DC—A staggering 92% of federal government websites fail to
meet basic standards for security, speed, mobile friendliness or
accessibility, according to a new study by the DC-based *Information
Technology and Innovation Foundation (ITIF)*, an independent research and
educational institute. To reach that figure, co-authors *Alan McQuinn*
and *Daniel Castro* analyzed 297 of the most popular federal sites --
including all U.S. government websites in the top 1 million globally --
assessing their security, speed, mobile friendliness and accessibility. In
addition to scoring them in each of these areas, the authors ranked them
using a composite score to give an overall view of how well the most popular
sites adhere to federal requirements and industry best practices. The five
highest-performing websites included healthdata.gov, healthfinder.gov,
consumerfinance.gov, whitehouse.gov (*Trump* administration) and
usembassy.gov, while the five worst were usphs.gov, fmc.gov, osti.gov,
trade.gov and ipcc-wg2.gov. "Despite years of progress in digital
government, a striking number of federal websites do not even meet many of
the U.S. government's own requirements, let alone private-sector best
practices," said McQuinn. "Considering that many constituents rely on
federal websites to interact with government, it is incumbent upon the new
administration, supported by *Congress*, to make websites more convenient,
accessible and secure."
https://itif.org/publications/2017/03/08/92-percent-most-popular-federal-government-websites-fail-meet-basic


Dangerous industrial robots

<Nancy Leveson>
Tue, 14 Mar 2017 10:03:17 -0400
A rogue robot is blamed for a human colleague's gruesome death.
https://qz.com/931304/a-robot-is-blamed-in-death-of-a-maintenance-technician-at-ventra-ionia-main-in-michigan/?utm_source=qzfb

Usually when people worry about machines and work, they are concerned that
automation will take away their livelihoods, not their lives. But a new
lawsuit claiming a rogue robot is responsible for killing a human colleague
reveals additional nightmarish possibilities.

In July 2015, Wanda Holbrook, a maintenance technician performing routine
duties on an assembly line at Ventra Ionia Main, an auto-parts maker in
Ionia, Michigan, was "trapped by robotic machinery" and crushed to death.
On March 7, her husband, William Holbrook, filed a wrongful death complaint
in Michigan federal court, naming five North American robotics companies
involved in engineering and integrating the machines and parts used at the
plant: Prodomax, Flex-N-Gate, FANUC, Nachi, and Lincoln Electric.

Holbrook's job involved keeping robots in working order. She routinely
inspected and adjusted processes on the assembly line at Ventra, which
makes bumpers and trailer hitches. One day, Holbrook was performing her
regular duties when a machine acted very irregularly, according to the
lawsuit reported in Courthouse News.

Holbrook was in the plant's six-cell 100 section when a robot unexpectedly
activated, taking her by surprise. The cells are separated by safety doors
and the robot should not have been able to move. But it somehow reached
Holbrook, and was intent on loading a trailer-hitch assembly part right
where she stood over a similar part in another cell.

The machine loaded the hardware onto Holbrook's head. She was unable to
escape, and her skull was crushed. Co-workers who eventually noticed that
something seemed amiss found Holbrook dead.

"The robot from section 130 should have never entered section 140, and
should have never attempted to load a hitch assembly within a fixture that
was already loaded with a hitch assembly. A failure of one or more of
defendants' safety systems or devices had taken place, causing Wanda's
death," the lawsuit alleges.

William Holbrook seeks an unspecified amount of damages, arguing that before
her gruesome death, his wife "suffered tremendous fright, shock and
conscious pain and suffering."  He also names three of the defendants --
FANUC, Nachi, and Lincoln Electric—in two additional claims of product
liability and breach of implied warranty. He argues that the robots, tools,
controllers, and associated parts were not properly designed, manufactured
or tested, and not fit for use.

"At all relevant times, technically feasible alternative design and
engineering practices were available that could have prevented the harm
without significantly impairing the usefulness or desirability of the
automation system to users and without creating equal or greater risk of
harm to others," Holbrook's family argues.

According to the US Department of Labor's Occupational Safety and Health
Administration, robots are "generally used to perform unsafe, hazardous,
highly repetitive, and unpleasant tasks."  But despite any potential safety
advantages, OSHA writes, "studies indicate that many robot accidents occur
during non-routine operating conditions, such as programming, maintenance,
testing, setup, or adjustment. During many of these operations the worker
may temporarily be within the robot's working envelope where unintended
operations could result in injuries."


AI's PR Problem (MIT Tech Review)

Lauren Weinstein <lauren@vortex.com>
Sun, 12 Mar 2017 14:21:56 -0700
via NNSquad
https://www.technologyreview.com/s/603761/ais-pr-problem/

  Artificial intelligence, it seems, has a PR problem.  While it's true that
  today's machines can credibly perform many tasks (playing chess, driving
  cars) that were once reserved for humans, that doesn't mean that the
  machines are growing more intelligent and ambitious. It just means they're
  doing what we built them to do.  The robots may be coming, but they are
  not coming for us--because there is no "they."  Machines are not people,
  and there's no persuasive evidence that they are on a path toward
  sentience.


These Adorable Robots are Roaming DC Streets with Food Inside

Gabe Goldberg <gabe@gabegold.com>
Thu, 9 Mar 2017 18:01:32 -0500
WASHINGTON, DC—Food delivery app Postmates officially rolled out a fleet
of delivery robots in D.C. created by Starship Technologies on Wednesday,
and they're something to behold.

The group of 20 robots will make trips of less than a mile in the
Georgetown and 14th Street corridor areas, according to a Washingtonian
report, which notes that the service is likely to expand to more
neighborhoods later.

If a Postmates user orders some items from a nearby store, the vendor gets a
notification and a robot is sent to a nearby designated hub. The vendor puts
the goods in the bag, which is temperature-controlled and sealed, and then
the bot wheels its way to the customer. The customer is given a code that is
necessary to open the container.

http://patch.com/district-columbia/washingtondc/these-adorable-robots-are-roaming-dc-streets-food-inside-video

That's 20 ... 19 ... 18 ... etc. robots making deliveries while the others
appear on milk cartons' "Have you seen this robot?" appeals.


Consumer Reports Launches Digital Standard to Measure Privacy, Security

Gabe Goldberg <gabe@gabegold.com>
Mon, 6 Mar 2017 17:47:52 -0500
Washington, DC—*Consumer Reports* said Monday it will begin evaluating
products, apps and services based on their privacy and data
security. Developed in partnership with several privacy, security and
consumer rights organizations, including DC-based nonprofit *Ranking Digital
Rights*, the publication said it will use the new standard to evaluate
connected products such as baby monitors, security cameras, routers and even
cars. The standard asks companies to require consumers to create unique
usernames and passwords for Internet-connected devices.  It also calls on
them to delete consumer data from their servers upon request, encrypt
personal data and be transparent about how personal information is shared
with other companies. "Our research shows that users lack adequate
information about how companies' policies and practices affect their
privacy, security and other rights like freedom of expression," said
*Rebecca MacKinnon*, the director of Ranking Digital Rights. "We believe
that this effort can help people make more informed decisions about how they
use technology. We also believe that the digital standard will help
companies do a better job of protecting and respecting users' rights." The
initial version of the standard is available at the top link below.
https://thedigitalstandard.org
http://www.consumerreports.org/privacy/consumer-reports-to-begin-evaluating-products-services-for-privacy-and-data-security/


Avast Cybercapture of personal files

Benoit Goas <goasben@hawk.iit.edu>
Tue, 7 Mar 2017 18:44:58 +0100
I just downloaded a set of (obviously personal) medical images from an
imaging lab, which allows downloads only as an executable zip file (their
website runs only with Silverlight, but that's not the main issue).  As
indicated on
https://blog.avast.com/cybercapture-protection-against-zero-second-attacks,
since around mid-2016 Avast antivirus has a new function to protect our
computers against "zero second attacks".  So it saw my download of an
executable file, and sent it to their cloud as it was a "very rare program
file" that they "needed to study".  Indeed, my personal medical images are
quite unique! But I didn't expect them to be sent anywhere, especially
without asking me.  So I have now disabled that option, but some problems
were:

- letting my computer auto-update without knowing what it's adding (lots of
  auto-updates are running...)
- automatically sending personal files outside of private computers without
  asking first, hence "forcing" me to disable that feature that could
  protect me another day
- making us download executable files to begin with, just to send us a
  compressed folder
- not giving any option to contact the software provider, as it appears that
  part of the company no longer exists (and I'm sure the imaging place
  wouldn't care, as it's a nice service they provide, and can't change the
  tools)
- forgetting to put a correct title on this email and either being flagged
  as spam or being delivered twice (in that case, sorry!)

And probably more...

Best regards, B. GOAS


Prominent English-language newspaper removed from Wikipedia

Mark Thorson <eee@sonic.net>
Sat, 4 Mar 2017 14:02:54 -0800
No longer considered a reliable source for citations.  On the one hand, I
consider the Daily Mail to be poorly sourced, poorly written, and poorly
edited, but not much more so than many other more-respected newspapers.
This treatment, if true, seems harsh.

http://www.dailymail.co.uk/news/article-4280502


Re: Hinckley and Pres. Reagan, was: How the Secret Service Protects the President ... (Goldberg, RISKS-30.17)

danny burstein <dannyb@panix.com>
Sat, 4 Mar 2017 15:24:11 -0500 (EST)
> When it comes to protection, there is danger from lone lunatics like John
> Hinckley Jr., who tried to shoot President Ronald Reagan but was foiled as
> brave Secret Service agents used their bodies to block bullets.

Not quite.

Those of us of a certain age recall that Hinckley did, in fact, shoot and
seriously wound the President, did critical damage to James Brady, and also
injured Secret Service agent Timothy McCarthy and Police Officer Thomas
Delahanty.


Re: Science (RISKS-30.16)

Sue Willis <uusuzanne@yahoo.com>
Sat, 4 Mar 2017 20:34:15 +0000 (UTC)
>My beef with the modern Science world is that so much scientific stuff
>is written in the third person. ...

I agree. When I was a graduate student, and our group was publishing my
dissertation research, we wrote our abstract in the first person (plural,
since there were a bunch of us). It was rewritten by the journal editors in
the third person. The article itself was left in the first person, thank
goodness. This was Physics Review Letters in the late 1970s.


Re: Science (Wols Lists, RISKS-30.17)

Gerrit Muller <gerrit.muller@gmail.com>
Sun, 5 Mar 2017 09:55:51 +0100
The problem is that current scientific mores forbid the use of the first
person (singular and plural), and promote the passive voice. The reason that
people give
for these rules is that this makes the paper more objective.  Others tell me
that journal guidelines from a.o. IEEE prescribe this style.

As Wols Lists explains, the opposite is happening: the source of the
statement or the person(s) taking the action are obfuscated.

When instructing and supervising students, I explain the use of active and
passive voice to them. I provide them with a few links:

See http://writingcenter.unc.edu/handouts/passive-voice/,
https://owl.english.purdue.edu/owl/owlprint/539/ , and
http://www.whitesmoke.com/passive-voice-in-english. These links explicitly
explain that writers in general should avoid passive voice. However, there
are circumstances in which the use of passive voice is OK. The Purdue
guidelines state, "Passive voice makes sense when the agent performing the
action is obvious, unimportant, or unknown or when a writer wishes to
postpone mentioning the agent until the last part of the sentence or to
avoid mentioning the agent at all. The passive voice is effective in such
circumstances because it highlights the action and what is acted upon rather
than the agent performing the action."  In addition, they state "Don't
trust the grammar-checking programs in word-processing software. Many
grammar checkers flag all passive constructions, but you may want to keep
some that are flagged. Trust your judgment, or ask another human being for
their opinion about which sentence sounds best."

What is really worrisome is that academics do not question these rules and
apparently prefer a false sense of objectivity.


Re: Google's anti-trolling AI can be defeated by typos

Dave Horsfall <dave@horsfall.org>
Sun, 5 Mar 2017 08:12:53 +1100 (EST)
Lauren Weinstein writes that anti-troll measures can be defeated by unusual
punctuation and deliberate misspellings etc.  Spammers have been using this
technique for years in order to defeat body filters, so it was only a matter
of time before another class of abusers caught up.


Re: CRISPR assassinations (RISKS 30.17)

"Robert R. Fenichel" <bob@fenichel.net>
Sat, 04 Mar 2017 13:49:39 -0800
DNA-selective biowarfare vectors are not a new idea.  They were the central
gimmick of Vector, a novel (ISBN 0-312-94446-2) by Rob Swigart published in
1986.


Re: Hard Drive LED Allows Data Theft From Air-Gapped PCs

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Sat, 4 Mar 2017 17:13:15 -0500 (EST)
This reminds me of claims that data could be captured by monitoring the
blinking of the data light on a stand-alone modem. Good luck with that at 56
kbps.

I had a hard time getting useful information about data rates and file sizes
from the linked video.

The text portion of the article gave a rate of 4800 bps with a range of 10
meters.

1. First you have to infect the targeted computer. OK, that is a
   challenge, but it is done millions of times each year, so assume that is
   doable.

https://www.statista.com/statistics/266169/highest-malware-infection-rate-countries/

2. Next you have to get something that can detect the transmission within 10
   meters, without being noticed. You also rely on the indicator being
   oriented toward a window that is not covered with a blind, curtain, or
   aluminized sun / heat reflective coating. Good Luck with that, but assume
   you did it somehow, perhaps by compromising a phone with a camera, or you
   rely on another data link, or the drone version of tapes in a station
   wagon or optical disks in a bike courier satchel to retrieve it.

3. Once you do that, assuming that no other disk activity or indicator
   flashing is happening, you are running at 1988 V.27ter dial-up
   speeds. How nostalgic, but given the time and other constraints not a lot
   of use for anything beyond login IDs, passwords or small text files. If
   there is other activity your data rate goes down and you need trellis
   parity or other fault detection and recovery methods that eat up your
   useful data rate.

What is the maximum blink rate of a typical modem or disk LED?

http://www.instructables.com/community/anyone-know-the-maximum-flash-rate-of-an-LED/
http://electronics.stackexchange.com/questions/118141/high-frequency-blinking-leds-and-sensor-for-that

Can the exposure be overcome by using a phosphor to smooth out the sharp
transitions? Phosphors are commonly used in "white" LEDs, to down-convert
blue or UV wavelengths. The human eye can only detect blinks of 30 Hz, and
with a disk activity LED you would probably want the activity rate to be
exaggerated by prolonging the pulse length, to make activity easier to
notice.

I have good ears, despite my 6 decades, and rely on sound to tell me when
Microsoft, McAfee, ... has decided to start hitting my disks with high disk
head movement rates.


Re: California Law Enforcement Union Sues To Block Police Accountability (Al Mac, RISKS-30.17)

Sam Steingold <sds@gnu.org>
Tue, 07 Mar 2017 14:10:49 -0500
> 300 deputies who have a history of past misconduct—such as domestic
> violence, theft, bribery and brutality
> The 300 persons are about 3% of the total 9,100 force.

I wonder what percentage of the general population has such "past misconduct".


Re: Software Engineer detained by U.S. Customs

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Sat, 4 Mar 2017 17:26:10 -0500 (EST)
At least he was only delayed and subjected to inane questions.  Worse things
have happened.  The ordeal of Telecommunications Engineer and college Prof
Maher Arar is a cautionary tale.

https://en.wikipedia.org/wiki/Maher_Arar

http://www.theglobeandmail.com/news/national/how-canada-failed-citizen-maher-arar/article1103562/?page=all

This type of inane question harassment is not confined to engineers. USA tax
dollars at work providing Security Theatre.

http://www.theglobeandmail.com/news/world/boxing-legend-muhammad-alis-son-detained-at-florida-airport-asked-are-you-muslim/article34137579/

https://en.wikipedia.org/wiki/Security_theater

https://www.ted.com/talks/bruce_schneier


Non-detachable "What-is-this" metadata should be included in information

"Wheeler, David A" <dwheeler@ida.org>
Mon, 6 Mar 2017 11:48:41 -0500
Was: Oscars screwup

Dan Skwire:

> And are they the ones who stuff the envelopes? Probably not. So who is
> legally "liable" for the damages to the Academy Awards show? Were there
> any "damages" at all? Was there economic loss of any sort or is there a
> net gain because more people will watch next year, hoping for a similar
> car crash?

When it matters, I think answers (e.g., to queries) should include
"what-is-this" metadata, and ideally that metadata should be non-detachable
from the answer.

In this case, since envelopes can be mis-stuffed, the internal letter should
have said something like "2017 Oscars - Best Picture" at the top, followed
by the answer.  In HTML, JSON, or XML, you can easily insert the original or
"what this is" as part of the response.

Including this metadata would reduce the risk of misinterpreting received
data.  Just receiving an answer isn't enough - was that the answer to the
question I expected?  Many science fiction stories hinge in part on the
misinterpretation of received data and/or disconnecting the question from
the answer (including WarGames, Ender's Game, The Matrix, and The
Hitchhiker's Guide to the Galaxy's "42").

I haven't seen that as a generally-recommended good practice... but maybe it
should be.

  [Just a little stronger typing of the award category might have helped
  sort this one out.  PGN]
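One way to make the "what-is-this" metadata non-detachable, as an added
example (this is not David Wheeler's code and not from the original post): a
JSON response carries the question it answers, and an HMAC over the
(question, answer) pair means the question cannot be dropped, swapped for
another, or have its answer edited without the tag failing. The key, the
field names and the sample Oscar values are assumptions of this example.

```python
import hashlib
import hmac
import json

# Demo key: an assumption of this example, not anything from the post.
# In practice the key is shared between whoever stuffs the envelope
# (builds the response) and whoever opens it (consumes the response).
KEY = b"demo-envelope-key"

REQUIRED = ("question", "answer", "tag")


def _canonical(question: str, answer: str) -> bytes:
    # Fixed key order and separators so both sides hash identical bytes.
    return json.dumps(
        {"question": question, "answer": answer},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")


def make_answer(question: str, answer: str, key: bytes = KEY) -> dict:
    """Build a response that states what it answers.

    The question text is the 'what-is-this' metadata; the HMAC over the
    (question, answer) pair makes it non-detachable: remove it, swap it,
    or edit the answer and the tag no longer verifies.
    """
    tag = hmac.new(key, _canonical(question, answer), hashlib.sha256).hexdigest()
    return {"question": question, "answer": answer, "tag": tag}


def verify(expected_question: str, response: dict, key: bytes = KEY):
    """Return ("ok", answer) only for an untampered answer to the question
    we actually asked; otherwise a status naming the failure and None."""
    if not all(field in response for field in REQUIRED):
        # A bare answer: nothing says what it answers, so it cannot be checked.
        return ("unlabeled", None)
    expected_tag = hmac.new(
        key, _canonical(response["question"], response["answer"]), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected_tag, str(response["tag"])):
        return ("tampered", None)
    if response["question"] != expected_question:
        # Well-formed envelope, wrong envelope: the Best Actress card handed
        # to the Best Picture presenter.
        return ("wrong-question", None)
    return ("ok", response["answer"])


if __name__ == "__main__":
    # Sample values, constructed for the demo.
    asked = "2017 Oscars - Best Picture"
    card = make_answer(asked, "Moonlight")
    print(verify(asked, card))                              # ('ok', 'Moonlight')
    other = make_answer("2017 Oscars - Best Actress", "Emma Stone")
    print(verify(asked, other))                             # ('wrong-question', None)
    print(verify(asked, dict(card, answer="La La Land")))   # ('tampered', None)
    print(verify(asked, {"answer": "Moonlight"}))           # ('unlabeled', None)
```

Checking the tag before the echoed question means a forged envelope is
rejected as tampered rather than as merely mis-addressed, and a response with
no metadata at all is reported as unverifiable instead of being assumed to
answer the question that was asked.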


Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking (Larson, RISKS-30.17)

Arthur Flatau <flataua@acm.org>
Mon, 6 Mar 2017 15:14:49 -0600
I do believe that many lower skilled jobs will disappear because of
automation.  However I believe that it will be quite a bit more difficult to
get rid of some of these jobs quickly.  Witness the self-checkout lanes at
many grocery and other stores.  These have been ubiquitous for at least 10
years, but at most stores, most checkout lines are human staffed.  While I
hesitate to speak for everyone, I only use them when the lines at the human
staffed checkout lanes are long.  There is no doubt that the self-checkout
procedure is significantly longer than the human staffed ones.  The only
reason to use them is it is often the case that the lines to get checkout
are shorter for self-checkout so that the total time to get out the door is
(hopefully) shorter.

The self-checkout procedure is longer, largely because the store management
seems to trust their employees more than their customers.  Self-checkout
requires you to place your items on the carousel to be weighed to verify
that they are (likely) the items you scanned.


Risks of automated fast-food service

Paul Robinson <paul@paul-robinson.us>
Sun, 5 Mar 2017 07:05:02 +0000 (UTC)
In 1985, Harry Harrison wrote "A Stainless Steel Rat is Born." The title
character—Jim DiGriz—wants to become a master criminal because life on
his home planet is boring. So he arranges to break the planet's greatest
criminal out of jail. They escape to hide out in the storage area of a
completely automated fast-food restaurant where the only person ever there
is the once-a-week refill truck operator, from whom they have a system to
hide while he is restocking.

The customers order food in the main order area (or presumably at the drive
through); the items are combined automatically, flash cooked, set on the
tray and, once payment is received, delivered to the customer, all
automatically. There are no employees on site, ever. An automated robot
cleans the place at various times.

When I was reading this I realized that the reason it wasn't done in our
world was that it was too expensive to automate or it was not possible to
automate the tasks involved in the preparation of food. Twenty-one years
later that's not so true, and the problem is that existing restaurants
probably can't be converted economically to fully automated operations. But
that doesn't mean someone can't eventually run the numbers and figure out
when it would be cheaper to build a fully-automated restaurant.  I'm guessing
that the long-term cost of automation vs. employees currently makes using
people cheaper.

But if a science fiction writer could see it just over 20 years ago, how
long before some new entrepreneur sees it and discovers long term that
constructing a new restaurant for full unattended operation makes financial
sense over the hassles and expense of having employees?

Meanwhile, in the story, Jim orders some food through the maintenance
console, then, even though it's in front of him and he could have just taken
it without paying, deposits funds in the cashier slot like any other
customer. His mentor is shocked, wondering if Jim - a master thief - has had
an attack of conscience. Jim explains he isn't honest, just pragmatic. "The
accounting for food here measures everything used and delivered. The totals
must be exactly right, balanced to the last gram of food and fraction of a
Galactic Credit, or someone will come check to see why. When we're ready to
leave, then it's safe for me to not pay for our food, and to rob the cash
box and safe on the way out."

Clearly, Jim DiGriz understood the risks of drawing attention when you don't
want it.


Re: The AI Threat Isn't Skynet (RISKS-30.17)

Chris Drewe <e767pmk@yahoo.co.uk>
Mon, 06 Mar 2017 21:50:53 +0000
This seems to assume that there's a fixed amount of work which can either be
done by humans or automation.  As an alternative, just think back to the
1980s; if governments had decided that desk-top computers and the Internet
were a threat to the employment of secretaries, typists, filing clerks,
mailmen, etc.  and thus had banned them or taxed them highly, then there
would now be more of these jobs around, *but* many of today's jobs and
business opportunities wouldn't exist without the World-Wide Web and the
dotcom revolution.

> I'm genuinely worried it will end with a lot of people starving.

As I've posted here before with some hyperbole, in the UK a lifetime on
welfare is a not-unknown career choice, but the Government needs the tax
revenues from business activity to fund the welfare bill.  (As it happens,
at the moment unemployment is low in the UK, the concern is poor
productivity.)  My worry is that if politicians try to control technological
developments such as AI, we'll end up with a planned economy like Cuba.


Re: Wired (Spencer, RISKS-30.17)

John Alexander Stewart <ivatt260@gmail.com>
Tue, 7 Mar 2017 17:56:09 -0500
> "The web becomes unusable if to read, say, 45K of text, your browser
> attempts to fetch 2M or more of assorted javascript, video, cycling image
> sequences and more."

It is even worse than that - I worked at a site where one task (which I
failed at) was to write a white paper on how to reduce signaling for
conservation of RF-transmitted data.

I took the approach that the major bandwidth waster was all the "tracking
and cruft", with about 80% of the bandwidth lost, but the recipient was more
interested in the wireless protocols, not HTML (etc) data.

Oh well... I had fun researching HTML cruft...


GOP senators to let ISPs sell, without opt-out opportunity: your PII; geo travels; Web browsing data (Ars Tech)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Wed, 8 Mar 2017 12:36:46 -0600
GOP senators' new bill would let ISPs sell your Web browsing data
Senate resolution would throw out FCC's entire privacy rulemaking.  Mar 8, 2017

Republican senators introduced legislation that would overturn new privacy
rules for Internet service providers. If the Federal Communications
Commission rules are eliminated, ISPs would not have to get consumers'
explicit consent before selling or sharing Web browsing data and other
private information with advertisers and other third parties.  [...]

[As usual, the legislation does one thing, while the legislators paint a
confusing different story.]

The FCC privacy order had several major components. The requirement to get
the opt-in consent of consumers before sharing information covered
geo-location data, financial and health information, children's information,
Social Security numbers, Web browsing history, app usage history, and the
content of communications. This requirement is supposed to take effect on
December 4, 2017.

Flake's co-sponsors are US Sens. John Barrasso (R-Wyo.), Roy Blunt (R-Mo.),
John Boozman (R-Ark.), Shelly Moore Capito (R-W.Va.), Thad Cochran
(R-Miss.), John Cornyn (R-Texas), Tom Cotton (R-Ark.), Ted Cruz (R-Texas),
Deb Fischer (R-Neb.), Orrin Hatch (R-Utah), Dean Heller (R-Nev.), James
Inhofe (R-Okla.),  Ron Johnson (R-Wisc.), Mike Lee (R-Utah), Rand Paul
(R-Ky.), Pat Roberts (R-Kan.), Marco Rubio (R-Fla.), Richard Shelby
(R-Ala.), Dan Sullivan (R-Ark.), John Thune (R-S.D.), Roger Wicker
(R-Miss.), Ron Johnson (R-Wisc.), and Jerry Moran (R-Kan.).

Democratic senators support consumer privacy protections

US Sen. Brian Schatz (D-Hawaii) blasted Flake's proposal.

"If this [resolution] is passed, neither the FCC nor the FTC will have clear
authority when it comes to how Internet service providers protect consumers'
data privacy and security," Schatz said in a statement issued yesterday.
"Regardless of politics, allowing ISPs to operate in a rule-free zone
without any government oversight is reckless."

Sen. Edward Markey (D-Mass.) offered similar criticism. "Big broadband
barons and their Republican allies want to turn the telecommunications
marketplace into a Wild West where consumers are held captive with no
defense against abusive invasions of their privacy by internet service
providers," Markey said. "Consumers will have no ability to stop Internet
service providers from invading their privacy and selling sensitive
information about their health, finances, and children to advertisers,
insurers, data brokers or others who can profit off of this personal
information, all without their affirmative consent."

https://arstechnica.com/tech-policy/2017/03/gop-senators-new-bill-would-let-isps-sell-your-web-browsing-data/
