The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 25

Tuesday 18 April 2017

Contents

How fake news and hoaxes have tried to derail Jakarta's election
BBC
Critics See Signs of Interference in French Vote
Andrew Higgins
Voters Cite Turkish Leader's Record as He Claims a Slim Victory
Patrick Kingsley
Biased Bots: Human Prejudices Sneak Into Artificial Intelligence Systems
Princeton
The tiny changes that can cause AI to fail
BBC
Shadow Brokers: a mysterious hacker or group of hackers released the Microsoft apocalypsed that wasn't
Robert Hackett
Hackers have just dumped a treasure trove of NSA data. Here's what it means.
Henry Farrell
Car parking app shares 2000 customers' private details after company suffers glitch
The Telegraph
California Secession Bid Fails: Leader Is Living in Russia
KABC
Inside the Tech Support Scam Ecosystem
OnTheWire
Why one Republican voted to kill privacy rules: Nobody has to use the Internet
Ars Technica
Re: Autonomous Electric Vehicle impact on Economy
Amos Shapir
Info on RISKS (comp.risks)

How fake news and hoaxes have tried to derail Jakarta's election

Lauren Weinstein <lauren@vortex.com>
Mon, 17 Apr 2017 22:29:26 -0700
via NNSquad
http://www.bbc.com/news/world-asia-39176350

  In Indonesia, the rise of fake news, hoaxes, and misleading information
  online has cast a pall over an already bitterly divided election in the
  capital, Jakarta. BBC Indonesian's Christine Franciska looks at why
  activists are describing this as a dark era in Indonesia's digital life.


Critics See Signs of Interference in French Vote (Andrew Higgins)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 18 Apr 2017 8:39:30 PDT
Andrew Higgins, *The New York Times*, 18 Apr 2017
State-run Russian News Operations Disperse Slanted Reports


Voters Cite Turkish Leader's Record as He Claims a Slim Victory (Patrick Kingsley)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 18 Apr 2017 8:49:11 PDT
Patrick Kingsley, *The New York Times*, 18 Apr 2017

Noting irregularities, opposition party seeks recount.  The pro-Kurdish
party noted that as many as 3M votes lacked an official stamp and should be
invalidated.  Teams of European observers also had complaints.  Unlevel
playing field with Erdogan's "state of emergency".  Opposition party people
arrested.  "No" campaigners physically intimidated, rallies limited.  That
seems to be a recipe for a "fair" election rather than a "good" one or an
"excellent" one—if you subscribe to the other meaning of "fair".
[PGN-ed]


Biased Bots: Human Prejudices Sneak Into Artificial Intelligence Systems (Princeton)

"ACM TechNews" <technews-editor@acm.org>
Mon, 17 Apr 2017 12:16:09 -0400 (EDT)
Princeton University 13 Apr 2017 via ACM TechNews 17 Apr 2017

Researchers at Princeton University have demonstrated how machines can be
reflections of their creators' biases.  They determined common
machine-learning programs, when fed ordinary human language available
online, can obtain cultural prejudices embedded in the patterns of wording.
"We have a situation where these artificial intelligence [AI] systems may be
perpetuating historical patterns of bias that we might find socially
unacceptable and which we might be trying to move away from," warns
Princeton professor Arvind Narayanan.  The team experimented with a
machine-learning version of the Implicit Association Test, the GloVe
program, which can represent the co-occurrence statistics of words in a
specific text window.  The test replicated the broad substantiations of bias
found in select Implicit Association Test studies over the years that relied
on human subjects.  Coders might hope to prevent the perpetuation of
cultural stereotypes via development of explicit, math-based instructions
for machine-learning programs underpinning AI systems.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-13472x2118efx072995&


The tiny changes that can cause AI to fail (BBC)

Lauren Weinstein <lauren@vortex.com>
Sat, 15 Apr 2017 09:38:57 -0700
BBC via NNSquad
http://www.bbc.com/future/story/20170410-how-to-fool-artificial-intelligence

  The year is 2022. You're riding along in a self-driving car on a routine
  trip through the city. The car comes to a stop sign it's passed a hundred
  times before - but this time, it blows right through it.  To you, the stop
  sign looks exactly the same as any other. But to the car, it looks like
  something entirely different. Minutes earlier, unbeknownst to either you
  or the machine, a scam artist stuck a small sticker onto the sign:
  unnoticeable to the human eye, inescapable to the technology.  In other
  words? The tiny sticker smacked on the sign is enough for the car to "see"
  the stop sign as something completely different from a stop sign.  It may
  sound far-fetched. But a growing field of research proves that artificial
  intelligence can be fooled in more or less the same way, seeing one thing
  where humans would see something else entirely.


Shadow Brokers: a mysterious hacker or group of hackers released the Microsoft apocalypsed that wasn't (Robert Hackett)

Gabe Goldberg <gabe@gabegold.com>
Sat, 15 Apr 2017 23:55:15 -0400
Robert Hackett

On Friday the Shadow Brokers, a mysterious hacker or group of hackers,
released the Microsoft apocalypse that wasn't.

What originally appeared to be one of the most damaging releases in recent
memory of zero-day exploits, or hacking tools that take advantage of
previously unknown software vulnerabilities, fell from the sky with the
shrieking ferocity of a MOAB bomb and landed with the soft thud of a
dud. Unknown to members of the information security community all through
the day, Microsoft had quietly patched the majority of the Windows flaws in
a security update last month, preventing the NSA-crafted espionage tools
from being abused by opportunistic attackers after their leak. The company
only announced that fact late in the evening.

Prior to Microsoft's hysteria-neutering blog post, security pros had been
tearing apart the leaked cache of digital weapons, running the attack code
on their test systems, and warning the world about the potential danger of
anyone connected to the Internet with a Windows-based computer. That the
researchers were running slightly outdated, un-patched versions of
Microsoft's software only became apparent after the company made its
late-night announcement.

Given that Microsoft seemed to miraculously fix the hitherto unknown bugs
just a month prior to their exposure leads any sane onlooker to the
conclusion that the U.S. government must have alerted the company to these
problems earlier and on the sly, preempting fallout. (A customary
acknowledgment for the researcher who reported the bugs was conspicuously
absent from Microsoft's post, hmm.) If so, this coordinated disclosure
represents a major policy coup. Instead of sticking its head in the sand (as
critics often accuse the intelligence community of doing), the spy set
appears to have worked with the tech sector, taking proactive measures to
defuse the situation before it could get out of hand.

This is the right approach; kudos to all involved. To stay protected, make
sure your systems—Windows 7 or later—are up to date with the latest
patches, dear readers. And a Happy Easter to those who celebrate.


Hackers have just dumped a treasure trove of NSA data. Here's what it means. (Henry Farrell)

Dewayne Hendricks <dewayne@warpspeed.com>
Sun, Apr 16, 2017 at 6:47 AM
Henry Farrell, 15 Apr 2017
https://www.washingtonpost.com/news/monkey-cage/wp/2017/04/15/shadowy-hackers-have-just-dumped-a-treasure-trove-of-nsa-data-heres-what-it-means/

A group of hackers called the Shadow Brokers has just released a new dump of
data from the National Security Agency. This is plausibly the most extensive
and important release of NSA hacking tools to date. It's likely to prove
awkward for the U.S. government, not only revealing top-secret information
but also damaging the government's relationships with U.S.  allies and with
big information technology firms. That is probably the motivation behind the
leak: The Shadow Brokers are widely assumed to be connected with the Russian
government. Here's what the dump means.

What information has been released?

The release is only the most recent in a series of Shadow Broker dumps of
information. However, it is by far the most substantial, providing two key
forms of information. The first is a series of zero-day exploits for
Microsoft Windows software. Zero-day exploits are attacks that take
advantage of unknown vulnerabilities in a given software package. Exploits
against commonly used software such as Windows are highly valuable =94
indeed, there is a clandestine international market where hackers sell
exploits (sometimes through middlemen) to intelligence agencies and other
interested parties, often for large sums of money. Intelligence services
can then use these exploits to compromise the computers of their targets.

Second, information in the dump seems to show that the NSA has penetrated a
service provider for SWIFT, an international financial messaging service.
Specifically, it appears to have penetrated a SWIFT Service Bureau that
provides support for a variety of banks in the Middle East.

Why are zero-day exploits important?

The leak of the zero-day exploits is important for two reasons. First, once
the existence of a zero-day exploit is revealed, it rapidly loses a lot of
its value. Zero-day exploits work reliably only when they are held secret.
Microsoft may already have fixed many of these vulnerabilities (there are
conflicting reports from Microsoft and security companies UPDATE: NOW
SECURITY RESEARCHERS APPEAR TO HAVE WITHDRAWN THEIR CLAIMS). However, if it
hasn't, or if the attacks provide information to hackers that can b=
e used
to generate more attacks, unscrupulous hackers might be able to take
advantage. In a worst-case scenario, there may be a period when it's as if
criminal hackers suddenly acquired super powers in an explosion, as in the
TV show The Flash, and started using them for nefarious ends.

Second, and as a consequence, trust between the United States and big
software companies may be seriously damaged. Some weeks ago, Adam Segal of
the Council on Foreign Relations wrote a report talking about how the U.S.
government needs to rebuild a relationship with Silicon Valley that had
been badly damaged by the Edward Snowden revelations. Now, the damage is
starting to mount up again.

Most people think of the NSA as a spying agency and do not realize that it
has a second responsibility: It is also supposed to protect the security of
communications by U.S. citizens and companies against foreign incursions.
When the United States learns of a zero-day exploit against software used by
Americans, it is supposed to engage in an equities process, in which the
default choice should be to inform the software producer so that it can fix
the vulnerability, keeping the zero-day secret only if a special case can be
made for it.  [...]


Car parking app shares 2000 customers' private details after company suffers glitch (The Telegraph)

Monty Solomon <monty@roscom.com>
Tue, 18 Apr 2017 09:54:39 -0400
http://www.telegraph.co.uk/news/2017/04/15/car-parking-app-customers-personal-data-shared-others-company/


California Secession Bid Fails: Leader Is Living in Russia (KABC)

Lauren Weinstein <lauren@vortex.com>
Tue, 18 Apr 2017 13:28:57 -0700
via NNSquad
http://www.kabc.com/news/california-secession-bid-fails-leader-is-living-in-russia/

  Supporters of one long-shot bid to make California an independent nation
  ended their effort on Monday, while another group said it will launch a
  new campaign for a statewide vote next year, reports the AP.  The Yes
  California Independence Campaign faltered after its president, Louis
  Marinelli, revealed ties to Russia.


Inside the Tech Support Scam Ecosystem (OnTheWire)

Lauren Weinstein <lauren@vortex.com>
Sun, 16 Apr 2017 10:11:37 -0700
OnTheWire via NNSquad

https://www.onthewire.io/inside-the-tech-support-scam-ecosystem/

  "So far, we collected more than 25K scam domains and thousands of scam
  phone numbers and we [have] evidence that this threat is not going to
  decrease soon and it still has an increasing trend," Miramirhani said.

REFERENCE: User Trust Fail: Google Chrome and the Tech Support Scams --
https://lauren.vortex.com/2017/01/12/user-trust-failure-google-chrome-and-the-tech-support-scams


Why one Republican voted to kill privacy rules: Nobody has to use the Internet (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Sat, 15 Apr 2017 23:33:49 -0400
A Republican lawmaker who voted to eliminate Internet privacy rules said,
"Nobody's got to use the Internet" when asked why ISPs should be able to use
and share their customers' Web browsing history for advertising purposes.

https://arstechnica.com/tech-policy/2017/04/dont-like-privacy-violations-dont-use-the-internet-gop-lawmaker-says/

The risk? People like that.


Re: Autonomous Electric Vehicle impact on Economy (Macintyre, RISKS-30.24)

Amos Shapir <amos083@gmail.com>
Tue, 18 Apr 2017 12:49:06 +0300
Parking meter?  How quaint.  I'm now using a phone application called Pango
which identifies where a user is parked (in a garage or on a street) when
it's turned on, and charges the account for parking fees when it's turned
off (in garages it can do this automatically, I prefer manual mode).
Additional payments could be charged to the account the same way.

> But if we are to have autonomous cars zooming past too fast to see the
  signs, marketing to reach riders of the autonomous vehicles may need a sea
  change of technology rethinking.

The Waze navigation application (recently acquired by Google) already has
this feature, flashing ads on the screen for businesses while a user
approaches them or drives by.

Please report problems with the web pages to the maintainer

Top