The RISKS Digest
Volume 30 Issue 20

Thursday, 30th March 2017

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Aging resident dies after Eden Prairie caregiver forgot to plug in heart pump
Gabe Goldberg
Self-driving Uber gets in accident in Tempe, Arizona
Business Insider
NASA fireworks
Alister Wm Macintyre
Evidence That Robots Are Winning the Race for American Jobs
Claire Cain Miller
Ransomware scammers exploited Safari bug to extort porn-viewing iOS users
Ars Technica
Senate votes to let ISPs sell your Web browsing history to advertisers
Ars Technica
For sale: Your private browsing history
Ars Technica
UK government says Apple “cannot get away with unbreakable encryption” following terrorist attack
Ben Lovejoy
Fake Sleuths: Web Gets It Wrong on London Attacker
Mark Scott
How police unmasked suspect accused of sending seizure-inducing tweet
Ars Technica
DJI Proposes Electronic Identification Framework For Small Drones
Slashdot
Win10 Class Action ...
The Register via Alister Wm Macintyre
Risks from falsified Data
BBC via John Murrell
US Supreme Court Case on Toner Cartridges
Alister Wm Macintyre
Re: self-checkout at grocery stores
Barry Gold
Mark Jackson
Info on RISKS (comp.risks)

Aging resident dies after Eden Prairie caregiver forgot to plug in heart pump

Gabe Goldberg <gabe@gabegold.com>
Thu, 30 Mar 2017 01:16:08 -0400
A distracted aide at an Eden Prairie assisted-living center failed to plug
in a resident's heart pump at bedtime, and the man didn't live through the
night, according to a state investigation released Wednesday.

http://www.startribune.com/aging-resident-dies-after-eden-prairie-caregiver-forgot-to-plug-in-heart-pump/413868613/

If an alarm sounds but nobody hears it...

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Self-driving Uber gets in accident in Tempe, Arizona

Monty Solomon <monty@roscom.com>
Sat, 25 Mar 2017 11:18:03 -0400
http://www.businessinsider.com/self-driving-uber-gets-in-accident-in-tempe-arizona-2017-3


NASA fireworks

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 23 Mar 2017 08:30:24 -0500
NASA's Inspector General reports:  https://oig.nasa.gov/
A security patch, applied by IT staff at NASA, caused an equipment shutdown
and subsequent fire that destroyed spacecraft hardware.

The fire lasted 3.5 hours, unnoticed by anyone because the security patch
had shut down the fire alarm systems.

  [The news media blame the fire on the security patch.  Inspector General
  finds more significant faults.  The Space Agency has lost track of its
  equipment needs. AWM]

This was not an isolated incident, of bad consequences of networking
hardware, without good management of the equipment's dissimilar needs.

"Vulnerability scanning used to identify software flaws, that can be
exploited by an attacker, caused equipment to fail and loss of communication
with an Earth science spacecraft during an orbital pass.  A chilled-water
heating, ventilation and air-conditioning system was disabled—which
caused IT equipment reliant on it in one of NASA's data centers to be shut
down after temperatures rapidly rose to more than 50 degrees centigrade."

  Here is the IG Feb-8 report, on above challenges:
  https://oig.nasa.gov/audits/reports/FY17/IG-17-011.pdf

[Many industries grew with industrial control mechanisms not designed to be
networked with computer systems vulnerable to malware, hacking etc.  They
don't have good firewalls or any cyber security protections, but in the
interests of cost savings, critical infrastructure industrial systems are
being included into computer networks, often without adequate thinking to
protect all the devices in a cyber security risky world.  US's Space Agency
is one of those industries.  Before networking the industrial control
hardware, there were personnel familiar with its maintenance needs.  If you
drop those people from the payroll, you are making your outfit more
  vulnerable. AWM]

https://fcw.com/articles/2017/02/09/nasa-iot-problems-rockwell.aspx
http://www.computing.co.uk/ctg/news/3004421/security-patch-caused-equipment-shutdown-and-fire-at-nasa?im_edp=gmail.com
[Registration required]
http://www.theinquirer.net/inquirer/news/3004427/nasa-equipment-shutdown-and-fire-blamed-on-rogue-security-patch

Lots of NASA operations get connected to the cloud, without upper management
awareness, nor approval, due to lack of good cyber security.

Here's IG Feb-7 report on that:
https://oig.nasa.gov/audits/reports/FY17/IG-17-010.pdf
http://www.networkworld.com/article/3167609/security/nasa-has-a-shadow-it-problem.html

NASA is also involved with IoT.
https://www.fedscoop.com/nasa-forays-into-the-internet-of-things/
https://www.nasa.gov/sites/default/files/atoms/files/it-talk_oct-dec2015-v1_1.pdf

Iowa Senator Chuck Grassley reported, in 2007, that $1.9 billion in
hardware was stolen, thanks to hackers into NASA.

That's a significant portion of NASA's annual $13 billion budget.

https://www.grassley.senate.gov/news/news-releases/nasa-ig-under-fire


Evidence That Robots Are Winning the Race for American Jobs (Claire Cain Miller)

Dewayne Hendricks <dewayne@warpspeed.com>
Tue, Mar 28, 2017 at 7:23 PM
  [Note:  This item comes from friend Mike Cheponis.  DLH]
Claire Cain Miller, *The New York Times*, 28 Mar 2017
https://www.nytimes.com/2017/03/28/upshot/evidence-that-robots-are-winning-the-race-for-american-jobs.html

Who is winning the race for jobs between robots and humans? Last year, two
leading economists described a future in which humans come out ahead. But
now they've declared a different winner: the robots.

The industry most affected by automation is manufacturing. For every robot
per thousand workers, up to six workers lost their jobs and wages fell by
as much as three-fourths of a percent, according to a new paper by the
economists, Daron Acemoglu of M.I.T. and Pascual Restrepo of Boston
University. It appears to be the first study to quantify large, direct,
negative effects of robots.

The paper is all the more significant because the researchers, whose work
is highly regarded in their field, had been more sanguine about the effect
of technology on jobs. In a paper last year, they said it was likely that
increased automation would create new, better jobs, so employment and wages
would eventually return to their previous levels. Just as cranes replaced
dockworkers but created related jobs for engineers and financiers, the
theory goes, new technology has created new jobs for software developers
and data analysts.

But that paper was a conceptual exercise. The new one uses real-world data
-- and suggests a more pessimistic future. The researchers said they were
surprised to see very little employment increase in other occupations to
offset the job losses in manufacturing. That increase could still happen,
they said, but for now there are large numbers of people out of work, with
no clear path forward—especially blue-collar men without college degrees.

Acemoglu: “The conclusion is that even if overall employment and wages
recover, there will be losers in the process, and it's going to take a very
long time for these communities to recover.  If you've worked in Detroit for
10 years, you don't have the skills to go into health care.  The market
economy is not going to create the jobs by itself for these workers who are
bearing the brunt of the change.”

The paper's evidence of job displacement from technology contrasts with a
comment from the Treasury secretary, Steve Mnuchin, who said at an Axios
event last week that artificial intelligence's displacement of human jobs
was “not even on our radar screen,” and “50 to 100 more years”
away. (Not all robots use artificial intelligence, but a panel of experts --
polled by the M.I.T. Initiative on the Digital Economy in reaction to
Mr. Mnuchin's comments—expressed the same broad concern of major job
displacement.)

The paper also helps explain a mystery that has been puzzling economists:
why, if machines are replacing human workers, productivity hasn't been
increasing. In manufacturing, productivity has been increasing more than
elsewhere—and now we see evidence of it in the employment data, too.

The study analyzed the effect of industrial robots in local labor markets in
the United States. Robots are to blame for up to 670,000 lost manufacturing
jobs between 1990 and 2007, it concluded, and that number will rise because
industrial robots are expected to quadruple. [...]


Ransomware scammers exploited Safari bug to extort porn-viewing iOS users (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 29 Mar 2017 22:47:09 -0400
https://arstechnica.com/security/2017/03/ransomware-scammers-exploited-safari-bug-to-extort-porn-viewing-ios-users/


Senate votes to let ISPs sell your Web browsing history to advertisers

Lauren Weinstein <lauren@vortex.com>
Thu, 23 Mar 2017 13:42:39 -0700
NNSquad
https://arstechnica.com/tech-policy/2017/03/senate-votes-to-let-isps-sell-your-web-browsing-history-to-advertisers/

  The US Senate today voted to eliminate broadband privacy rules that would
  have required ISPs to get consumers' explicit consent before selling or
  sharing Web browsing data and other private information with advertisers
  and other companies.  The rules were approved in October 2016 by the
  Federal Communications Commission's then-Democratic leadership, but are
  opposed by the FCC's new Republican majority and Republicans in
  Congress. The Senate today used its power under the Congressional Review
  Act to ensure that the FCC rulemaking "shall have no force or effect" and
  to prevent the FCC from issuing similar regulations in the future.  The
  House, also controlled by Republicans, would need to vote on the measure
  before the privacy rules are officially eliminated. President Trump could
  also preserve the privacy rules by issuing a veto.  If the House and Trump
  agree with the Senate's action, ISPs won't have to seek customer approval
  before sharing their browsing histories and other private information with
  advertisers.


For sale: Your private browsing history

Lauren Weinstein <lauren@vortex.com>
Tue, 28 Mar 2017 15:09:10 -0700
via NNSquad
https://arstechnica.com/tech-policy/2017/03/for-sale-your-private-browsing-history/

  The House of Representatives voted today to eliminate ISP privacy rules,
  following the Senate vote to take the same action last week.  The
  legislation to kill the rules now heads to President Donald Trump for his
  signature or veto.  The White House issued a statement today supporting
  the House's action, and saying that Trump's advisors will recommend that
  he sign the legislation. That would make the death of the Federal
  Communications Commission's privacy rules official.  The rules issued by
  the FCC last year would have required ISPs to get consumers' opt-in
  consent before selling or sharing Web browsing history, app usage history,
  and other private information with advertisers and other companies. But
  lawmakers used their authority under the Congressional Review Act (CRA) to
  pass a joint resolution ensuring that the rules "shall have no force or
  effect" and that the FCC cannot issue similar regulations in the future.


UK government says Apple “cannot get away with unbreakable encryption” following terrorist attack (Ben Lovejoy)

geoff goodfellow <geoff@iconia.com>
Mon, 27 Mar 2017 10:10:26 -1000
Ben Lovejoy, 9to5mac, 27 Mar 2017

British Home Secretary Amber Rudd -- in charge of police policy in the UK --
told the BBC what is quoted in the subject line.

Rudd was speaking after it was revealed that Khalid Masood accessed WhatsApp
two minutes before ploughing through pedestrians on Westminster Bridge in a
rented car, killing three of them, before fatally stabbing a police officer
guarding the Houses of Parliament.

She described end-to-end encrypted messaging as used by WhatsApp and
Apple's Messages app as “completely unacceptable”.

https://9to5mac.com/2017/03/27/amber-rudd-british-government-apple-messages-whatsapp-end-to-end-encryption/

  [The problem is of course that dumbing down communication security just
  for British law enforcement would also be completely unacceptable, and
  could even be responsible for bringing down her own government as a result
  of subsequent compromises!  Is she Ruddy Naive?  (And then I recall the
  former prime minister suggesting a ban on all cryptography.)  PGN]


Fake Sleuths: Web Gets It Wrong on London Attacker (Mark Scott)

Monty Solomon <monty@roscom.com>
Sun, 26 Mar 2017 10:12:34 -0400
Mark Scott, *The New York Times*, 24 Mar 2017
http://www.nytimes.com/2017/03/24/technology/london-terror-attack-suspect-social-media.html


How police unmasked suspect accused of sending seizure-inducing tweet (Ars Technica)

Monty Solomon <monty@roscom.com>
Thu, 23 Mar 2017 01:09:27 -0400
https://arstechnica.com/tech-policy/2017/03/how-police-unmasked-suspect-accused-of-sending-seizure-inducing-tweet/


DJI Proposes Electronic Identification Framework For Small Drones (Slashdot)

Lauren Weinstein <lauren@vortex.com>
Tue, 28 Mar 2017 16:41:51 -0700
https://tech.slashdot.org/story/17/03/28/213236/dji-proposes-new-electronic-license-plate-for-drones?utm_source=rss1.0mainlinkanon&utm_medium=feed

  Chinese drone maker DJI proposed that drones be required to transmit a
  unique identifier to assist law enforcement to identify operators where
  necessary. Anyone with an appropriate receiver could receive the ID
  number, but the database linking the ID with the registered owner would
  only be available to government agencies.

Ridiculous idea—bad players would simply disable this feature—or
modify it (and you can bet that it will be possible to modify it, one
way or another). Handy for false flags! Luckily, the DJI page on this is
in such a low contrast font that you can't read it without going blind
anyway.


Win10 Class Action ...

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Mon, 27 Mar 2017 01:34:54 -0500
'Windows 10 destroyed our data!' Microsoft hauled into US court.
'Dodgy' unwanted operating system update sparks potential class-action lawsuit
24 Mar 2017

According to the complaint, Windows 10 installed itself onto plaintiff
Stephanie Watson's computer without her consent and then erased data, some
of it related to her work. She hired Geek Squad to repair the machine, with
only partial success, and ended up having to purchase a new computer.

Plaintiff Robert Saiger, the complaint says, consented to the Windows 10
update, only to have his computer stop functioning. He lost data, then lost
time and money, while incurring aggravation attempting to recover the data.

Plaintiff Howard Goldberg "elected to accept Windows 10 after declining over
6 months of daily prompts requesting him to download it." After three
attempts to do so, the result was a non-functional computer and lost data.

https://www.theregister.co.uk/2017/03/24/microsoft_windows_10_update/

  [If a Win-7 user got add-on software for some activity, supported by Win-7
  but not by Win-10, and uses the software sub-directories of the add-on for
  the associated data, then:

  1. Microsoft does NOT tell the user that Win-10 does not support that
     stuff.

  2. The Win-10 installation process erases all the non-Microsoft software,
     and associated sub-directory data, that won't work with Win-10.

  3. The user is not told about this erasure.

  Other OS are much more polite to the user, giving the opportunity to save
  the software and data, not supported by the OS upgrade, so that the user
  can seek some add-on that is supported by the latest OS upgrade, and also
  provides a conversion path to move the data into any replacement format
  needed.

  Documentation regarding the OS upgrade also gives warning of what is no
  longer supported, and will need some software from someone other than
  the OS company, to facilitate such conversions.

  Microsoft is not a believer in such user-friendly conversion info
  standards.  AWM]


Risks from falsified Data (BBC)

"John Murrell" <mail@johnmurrell.org.uk>
Mon, 27 Mar 2017 22:12:57 +0100
http://www.bbc.co.uk/news/business-38254362

There is an interesting article on the BBC website that discusses an
alternative and much more subtle version of malware. This involves
infiltrating systems and making changes to data which, while being too small
to notice immediately, result in system failure.

Their conclusion is that data integrity from start to end is just as
important as any other form of security.

I had a quick search through the Risks Digests and could not find any
evidence of this being discussed.  Has anyone any evidence that they are
willing and able to discuss of this type of attack?

  [Is this not just one more example of faked news, perhaps more subtle
  than flagrant fake news, but still disinformation.  PGN]
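The "data integrity from start to end" point in the item above is usually met with a keyed, chained integrity check on the records themselves, so that a small silent edit, a dropped record, or a reordering is caught downstream. What follows is an added example, not code from the post, the BBC article, or any RISKS contributor: it seals a constructed feed of sensor readings with HMAC-SHA256, chaining each tag over the previous one, and then shows which manipulations a verifier detects. The key, the sensor names and the readings are all invented for the demonstration.

```python
import copy
import hashlib
import hmac
import json

# Constructed example key. In a real deployment the key lives in a KMS/HSM;
# this value is an assumption made for the demonstration only.
KEY = b"example-only-key-not-for-production"

# Constructed sample records, as an upstream producer might emit them.
# The sensor name, timestamps and values are invented.
SAMPLE_RECORDS = [
    {"id": 1, "sensor": "coolant-temp-c", "value": 21.50, "ts": "2017-03-27T22:00:00Z"},
    {"id": 2, "sensor": "coolant-temp-c", "value": 21.60, "ts": "2017-03-27T22:01:00Z"},
    {"id": 3, "sensor": "coolant-temp-c", "value": 21.55, "ts": "2017-03-27T22:02:00Z"},
    {"id": 4, "sensor": "coolant-temp-c", "value": 21.70, "ts": "2017-03-27T22:03:00Z"},
]

GENESIS = b"\x00" * 32  # chain value used before the first record


def canonical(record):
    """Serialize a record deterministically so identical content yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_records(records, key=KEY):
    """Build a tamper-evident chain: each tag authenticates the record and the previous tag."""
    sealed = []
    prev = GENESIS
    for rec in records:
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        sealed.append({"record": rec, "tag": tag.hex()})
        prev = tag
    return sealed


def verify_records(sealed, key=KEY):
    """Return the index of the first entry that fails, or -1 if the chain is intact.

    Because every tag covers the previous tag, a modified, deleted or reordered
    record breaks verification at the point of change (or at the record after it).
    """
    prev = GENESIS
    for i, entry in enumerate(sealed):
        try:
            stored = bytes.fromhex(entry["tag"])
        except (KeyError, TypeError, ValueError):
            return i  # missing or malformed tag counts as a failure
        expected = hmac.new(key, prev + canonical(entry["record"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, stored):
            return i
        prev = expected
    return -1


def demo():
    """Seal the sample feed, then show which manipulations the verifier catches."""
    sealed = seal_records(SAMPLE_RECORDS)
    results = {"intact": verify_records(sealed)}

    # A subtle edit: nudge one reading by 0.05 degrees, well within plausible noise.
    nudged = copy.deepcopy(sealed)
    nudged[2]["record"]["value"] = 21.60
    results["nudged"] = verify_records(nudged)

    # Silent deletion of a middle record: the chain breaks at the record that followed it.
    dropped = copy.deepcopy(sealed)
    del dropped[1]
    results["dropped"] = verify_records(dropped)

    # Truncation at the tail is the one change a bare chain cannot see; the verifier
    # also needs the expected count or the latest tag from an independent channel.
    truncated = sealed[:3]
    results["truncated"] = verify_records(truncated)
    return results


if __name__ == "__main__":
    for name, idx in demo().items():
        status = "intact" if idx == -1 else "failed at index %d" % idx
        print("%-10s -> %s" % (name, status))
```

The verifier recomputes each tag from the record content and the previous tag rather than trusting the stored chain, so a producer-side change that is too small to notice by eye still fails the check. Note the truncation case: chaining alone cannot distinguish "the feed ended here" from "the last records were removed", which is why the expected length or the most recent tag must reach the verifier by a separate path.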


US Supreme Court Case on Toner Cartridges

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Mon, 27 Mar 2017 00:31:16 -0500
You Should Care about the Supreme Court Case on Toner Cartridges.
The verdict could have consequences on practically any purchased product.

[PC printer manufacturers make most of their money selling toner & other ink
systems, often at ridiculously high prices.

Various 3rd party outfits sell apparently identical ink cartridges for much
less money.

I turn in my used cartridges to a recycling outfit, which refills them, with
much lower cost to me than buying the printer manufacturer cartridges.

The printer manufacturers want to put a stop to that competition, make you
use theirs exclusively, then they can jack up the prices even more. AWM]

https://www.hardocp.com/news/2017/03/25/you_should_care_about_supreme_court_case_on_toner_cartridges/
http://gizmodo.com/supreme-court-printer-cartridge-case-could-be-the-citiz-1793643311

http://www.scotusblog.com/case-files/cases/impression-products-inc-v-lexmark-international-inc/

https://consumerist.com/2017/03/23/why-you-should-care-about-the-supreme-court-case-on-toner-cartridges/


Re: self-checkout at grocery stores [???]

Barry Gold <barrydgold@ca.rr.com>
Tue, 21 Mar 2017 17:45:59 -0700
I avoid self-checkout lanes unless the queues get *very* long or I have only
a single item because:

1. I'm nowhere near as fast as a trained checker in the whole scan-and-bag
   thing.

2. I want the checkers to keep their jobs.

And I *never* use self-checkout if I have produce or anything else that
needs to be weighed, because there's no way I can do the
enter-the-proper-code-and-weigh thing as fast as a checker who has usually
memorized the code for every single produce item in the store.


Re: self-checkout at grocery stores (Lamkin, RISKS-30.19)

Mark Jackson <mjackson@alumni.caltech.edu>
Wed, 22 Mar 2017 20:26:24 -0400
That looks like the same system deployed in some of their stores by Stop
& Shop, a not-particularly-high-end grocery chain serving much of the U.S.
Northeast:

https://stopandshop.com/shopping/shopping-tools/scanit/
