The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 53

Thursday 18 January 2018

Contents

Are Implanted Medical Devices Creating A 'Danger Within Us'?
NPR via Richard M Stein
Russia admits $45m satellite launch failed because programmers put in co-ordinates for the WRONG launch site
Daily Mail
Phoenix Pay System Disaster Continues
John C. Bauer
Ernst & Young report on Vancouver Island iHealth project mismanagment
Kelly Bert Manning
Erie, PA household electric bill for US$ 284B
WashPo
Programming error results in too many winning lottery tickets
The State via Steve Golson
500 rupees, 10 minutes, and you have access to billion Aadhaar details
The Tribune India via Prashanth Mundkur
Massive security breach in India
Mark Thorson
Who's liable in driverless train accident?
The Straits Times
"LA-Tokyo flight turns back after passenger 'boards with wrong ticket'"
BBC
Rise of the Robo-Judge
Dan Jacobson
Hawaiian False Missile Alert Command Confirmation Bias Strikes Again
NYTimes et al.
War Risk 2018 with North Korea
Rob Wilcox
Drones keep entering no-fly zones over Washington, raising security concerns
WashPo
What Happens If Russia Attacks Undersea Internet Cables
WiReD
New Rules Announced for Border Inspection of Electronic Devices
Gabe Goldberg
Is the Answer to Phone Addiction a Worse Phone?
NYTimes
Apple said a software problem caused its heating system to break, which caused icicles to form on the roof of its Chicago store
Gabe Goldberg
Windows Meltdown and Spectre patches
Gabe Goldberg
Meltdown/Spectre/GoogleZero
The Verge
Microsoft's patches brick AMD PCs
Money via Barry Gold
Antivirus: the perfect spying tool!!
Nicole Perlroth
Infected USB sticks handed out at security conference
Taipei Times
Cybersecurity in self-driving cars: University of Michigan releases threat identification tool
Mike Chinni
BlackBerry Jarvis Checks Autonomous Car Software for Security Flaws
EWeek
Firms buy insurance 'in mad panic' as cyber-attacks soar
BBC
Health Care Is Hemorrhaging Data. AI Is Here to Help
WiReD
Romanian Hackers Compromised DC Security Cameras Prior to Inauguration
TRK
Indiana Hospital Hacked for Ransom: An Argument for Decentralized Data
Dan Jacobson
Chanticleer to use blockchain for its rewards program
Gabe Goldberg
How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com
Dan Jacobson
Egypt's grand mufti says bitcoin 'forbidden' by Islam
The Times of Israel
How The Banks Bought Bitcoin
Lightning Network
Your Mother's Maiden Name Is Not a Secret
NYTimes
Risks of not using a bookstore?
Newsweek
Why you'll fire Siri and do the job yourself
ComputerWorld
Always allow removing comments
Dan Jacobson
Five copyright claims against youtube video of white noise
BBC via Mark Thorson
The Geography of Risks
Spencer Cheng
How Adding Accelerometers to Keys Will Thwart Car Thieves
IEEE Spectrum
Re: The Unstoppable Momentum of Self-Driving Cars
Amos Shapir
Re: Vehicle Satellite Navigation
Chris Drewe
Info on RISKS (comp.risks)

Are Implanted Medical Devices Creating A 'Danger Within Us'? (NPR)

Richard M Stein <rmstein@ieee.org>
Thu, 18 Jan 2018 11:07:56 +0800
https://www.npr.org/2018/01/17/578562873/are-implanted-medical-devices-creating-a-danger-within-us


  LENZER: "So I went back to the FDA certain the company was going to get
  slammed. I mean, here it is. Here's a device on the market over a decade
  after it was approved, and yet, they'd never done a study looking at
  deaths, nor would they release the death data. And when I brought all this
  to the FDA, the FDA said, it's safe. And I said, how can you say it's safe
  when we don't have death data? And their answer—and I have it in
  writing—is we never asked the company to count the number of deaths. We
  only asked them to characterize death."

This NPR interview reveals many worrisome issues, including corporate
control fraud and an apparent failure to incorporate lessons learned for
public safety benefit. Worth a read for anyone who has an implantable
device, is contemplating implantation, or knows someone who has one. Given
the "free market" regulatory structure for implantables—in the US at
least—there is little cause for manufacturers to be concerned about
selling 'high risk' devices which induce fatalities.  Caveat emptor.

  "DAVIES: You know, most of us ordinary patients in the world aren't going
  to do research about medical devices, right? We're going to trust doctors
  to know what works and what is safe. Broadly speaking, should we?

  LENZER: "This is a terrific problem. I mean, I have a medical device
  implanted. I'm very happy with it, but I got to confess. I didn't research
  it because the truth is we are dependent on the research that comes out of
  these companies. And that's where I wanted to alert the public that we
  need to make some structural changes so that we can trust these devices.
  As you said, we can't individually research them because we don't have the
  capability to do it. Even if we read the studies that are released, we
  don't know that we can trust them.

  "And I'll give you two examples of just how difficult the situation is.
  One of the people I talk about in the book is a man who was harmed by a
  hip implant. Well, it turns out that man is also an orthopedic surgeon who
  specializes in hip replacements, and yet he landed up being poisoned by
  his hip implant from cobalt that leaked out of the hip and destroyed his
  muscles and tissues and even caused some degree of heart damage.

  "Another example is a Medtronic executive that I report on who had a
  Medtronic device implanted in her spine and suffered just terribly
  disabling and painful effects from that device. So even people who are
  insiders and who should know don't really know."

The FDA's MAUDE (Manufacturer and User Facility Device Experience Database
apparently documents only 1% of historical events attributed to implantable
device incidence. 
<https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.CFM>

  LENZER: "Well, first of all, there's a study showing that only about 1
  percent of all serious adverse events make it into the FDA's adverse event
  database. And something that really surprised me was, it turns out that
  the more serious the event was, the less likely it was to be reported.
  Manufacturers are supposed to report these adverse events. And there is
  some leeway granted to them about determining whether the device event was
  related or not to the device.

  "So, you know, sometimes people cough and sneeze when they have a device.
  It doesn't mean the device caused it. The problem is is that there's no
  independent party assessing whether these problems are related to the
  device or not. So leaving that decision to the company presents a real
  conflict of interest."

The MAUDE page states, "Each year, the FDA receives several hundred
thousand medical device reports (MDRs) of suspected device-associated
deaths, serious injuries and malfunctions. The FDA uses MDRs to monitor
device performance, detect potential device-related safety issues, and
contribute to benefit-risk assessments of these products. The MAUDE
database houses MDRs submitted to the FDA by mandatory reporters 1
(manufacturers, importers and device user facilities) and voluntary
reporters such as health care professionals, patients and consumers."
MAUDE only retains reports for the previous 10 years.

    [There was also a recent article in The Townsend Letter this month,
    relating to severe metal toxicity in hip replacements.  PGN]


Russia admits $45m satellite launch failed because programmers put in co-ordinates for the WRONG launch site (Daily Mail)

geoff goodfellow <geoff@iconia.com>
Wed, 27 Dec 2017 11:57:04 -1000
http://www.dailymail.co.uk/sciencetech/article-5215871/Russia-says-satellite-launch-failure-programming-error.html


Phoenix Pay System Disaster Continues

"John C. Bauer" <johncbauer.xx@gmail.com>
Tue, 02 Jan 2018 17:12:17 -0500
The problems with the Canadian federal government's Phoenix pay system are
continuing apace.

The system is outlined and its problems were originally noted at:

http://catless.ncl.ac.uk/Risks/29/76#subj10.1

Things have gotten worse since the September 2016 post.  The system now
contains 589,000 unresolved pay problems with an average resolution time of
three months.  The number of problems is up from a previous number of
520,000.  Evidently half of all payments issued are incorrect.

The estimated cost of "fixing" the system is now at $600M, up from an
estimate of $25M in August of 2016, and still rising.

http://nationalpost.com/opinion/john-ivison-the-phoenix-fiasco-isnt-shocking-government-is-just-not-very-good-at-doing-things

Perhaps it is time to change "too big to fail" to "big enough to guarantee
failure".  On the other hand the wholesale condemnation of government in the
above article containing the facts quoted can be seen as being over the top.

  [The Phoenix was known to rise from its ashes.
  One wonders whether the name was chosen wisely or serendiptiously.  PGN]


Ernst & Young report on Vancouver Island iHealth project mismanagment

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Sat, 13 Jan 2018 13:25:57 -0500 (EST)
A new Ernst & Young report has been prepared about the failed iHealth
Electronic Records project at Nanaimo General Hospital. Direction of the
project has been taken away from the Hospital and roll out to other
Hospitals on Vancouver Island has been suspended until existing problems are
fixed, if possible.

http://www.timescolonist.com/news/local/nanaimo-electronic-health-records-mismanaged-report-says-1.23143541
https://news.gov.bc.ca/releases/2018HLTH0003-000038
https://vancouverisland.ctvnews.ca/nanaimo-electronic-health-records-system-over-budget-mismanaged-report-1.3757733

"It confirmed that it wasn't only a small group of physicians, but the
majority of healthcare workers who were concerned about the technology. It
also showed those feelings haven't changed since a 2016 independent report
by Dr. Doug Cochrane, who identified potential for errors, decreased
productivity and other problems with the system."

"The report found less than half of staff and physicians surveyed agreed it
would be possible to work collaboratively to make IHealth a success"

One innovation to be implemented is that staff who report problems with
iHealth should no longer expect workplace reprisals. The earlier Cochrane
reported identified a "blame the user" response to problem reports as a root
cause of failure to address the issues.

http://ihealth.islandhealth.ca/the-cochrane-report/

A report from the Vector Group had identified Nanaimo General as having a
"toxic" top down bullying culture . That may have played a role in the
iHealth project getting it so wrong and failing to correct problems reported
by users.

https://vancouverisland.ctvnews.ca/toxic-culture-of-fear-bullying-tearing-apart-nanaimo-hospital-report-1.3670885
https://www.cheknews.ca/culture-report-says-nanaimo-hospital-is-leading-to-self-destruction-385673/

One man had to have heart surgery after notes about an infection were not
visible to Physicians. He was sent home with an inappropriate prescription
and readmitted when his heart problem became more grave.

A similar electronic Health Record project in the Vancouver Coastal Health
Authority is also over budget, behind schedule and nowhere near as effective
as expected.

http://vancouversun.com/news/politics/more-delays-cost-overruns-hit-vancouver-electronic-health-project

A common assumptions failure in these projects, and in the Federal
Government's failed Phoenix system, is that improved efficiency would
quickly be realised. That led to an assumption that all 3 projects could be
funded out of operational budgets, because of the assumed payback. It also
led to a rush to roll out flawed systems, to realise the anticipated
"savings". Instead the systems require more staff time than the previous
applications they were supposed to replace, have gone far over budget, and
show no hope of realising operational savings by making staff more
efficient.  They also have operational errors and user interface issues.

It reminds me of the repeating mistake of assuming that Data Base Systems
would be less expensive to operate that the sorted Master File Systems they
replaced. Systems Analysts had a hard time understanding the difference
between a sequential tape or disk file read and a non sequential Data Base
record retrieval. In some cases they justified DB projects by a proposal to
"eliminate the operational cost of sorting". My experience with CODASYL,
Hierarchical, and Relational DBs is that Sorting is often a method of
reducing the overhead of Direct Access I/O.

With both Phoenix and the Electronic Patient Records systems the current BC
and Canadian Federal governments are dealing with the legacy of projects
initiated under previous Right Wing Administrations.

There are of echoes of the project management failures of the
various attempts to develop a Case Management System for the
FBI in the USA.

https://www.computer.org/cms/Computer.org/ComputingNow/homepage/2012/0712/rW_CO_WhytheFBI.pdf

https://spectrum.ieee.org/riskfactor/computing/it/fbis-500-million-sentinel-case-management-system-still-has-major-operational-kinks-ig-reports


Erie, PA household electric bill for US$ 284B (WashPo)

Richard M Stein <rmstein@ieee.org>
Wed, 27 Dec 2017 16:51:35 +0800
https://www.washingtonpost.com/news/business/wp/2017/12/26/woman-gets-284-billion-electric-bill-wonders-whether-its-her-christmas-lights/

I'm shocked, shocked to learn this brand outrage incident occurred from
a production defect escape into our maze of technology traps. Must be a
feature. At least First Energy cops to the fault. This incident would
make a good April Fools risks contribution, if the event wasn't true.
It should qualify for "Ripley's Believe It or Not" as the most
erroneous bill amount ever submitted to a consumer. Good thing First
Energy uses 64-bit arithmetic to totalize their bills. [RMS]

  [Also noted by Bernhard Riedel:
  $284.46 electricity bill turns into $284,460,000,000.
  http://www.bbc.com/news/world-us-canada-42489666
  PGN]


Programming error results in too many winning lottery tickets

Steve Golson <sgolson@trilobyte.com>
Thu, 28 Dec 2017 12:40:26 -0500
http://www.thestate.com/news/local/article191818114.html

Excitement and joy turned to anger and frustration Wednesday as dozens of
people expecting to collect lottery winnings instead left the South Carolina
Education Lottery offices empty handed.

State lottery officials say a *programming error* with the lottery's
computer vendor, Intralot, affected the Holiday Cash Add-A-Play tickets on
Christmas Day.

From 5:51 p.m. to 7:53 p.m. Monday, the same play symbol was repeated in all
nine available play areas on tickets, which would result in a top prize of
$500, officials have said. No more than five identical play symbols should
appear for a single play.

There was no word Wednesday on how many winning tickets were generated, or
whether those with winning tickets would collect any prize money. The South
Carolina Education Lottery is telling players who purchased Add-A-Play
tickets on Christmas Day during the affected time period to hold on to their
tickets until a review is completed.

  I wonder how many programming errors have lead to *fewer* than expected
  winning tickets? Who would notice?

  And it's rather ironic that this is the Education Lottery!


500 rupees, 10 minutes, and you have access to billion Aadhaar details (The Tribune, India)

Prashanth Mundkur <prashanth.mundkur@gmail.com>
Thu, 4 Jan 2018 09:52:45 +0530
Rs 500, 10 minutes, and you have access to billion Aadhaar details
Rachna Khaira, Tribune News Service, Jalandhar, January 3 2018

http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html

  It was only last November that the UIDAI asserted that Aadhaar data is
  fully safe and secure and there has been no data leak or breach at UIDAI
  Today, The Tribune *purchased* a service being offered by anonymous
  sellers over WhatsApp that provided unrestricted access to details for any
  of the more than 1 billion Aadhaar numbers created in India thus far.

  It took just Rs 500, paid through Paytm, and 10 minutes in which an agent
  of the group running the racket created a gateway for this correspondent
  and gave a login ID and password. Lo and behold, you could enter any
  Aadhaar number in the portal, and instantly get all particulars that an
  individual may have submitted to the UIDAI (Unique Identification
  Authority of India), including name, address, postal code (PIN), photo,
  phone number and email.

  What is more, The Tribune team paid another Rs 300, for which the agent
  provided software that could facilitate the printing of the Aadhaar card
  after entering the Aadhaar number of any individual.

    [Rs 500 is less than $10.]


Massive security breach in India

Mark Thorson <eee@dialup4less.com>
Fri, 5 Jan 2018 11:41:29 -0800
If you build it, they will come.

http://marginalrevolution.com/marginalrevolution/2018/01/security-breach-india.html


Who's liable in driverless train accident? (The Straits Times)

Richard M Stein <rmstein@ieee.org>
Sat, 06 Jan 2018 09:15:21 +0800
http://www.straitstimes.com/singapore/courts-crime/whos-liable-in-driverless-train-accident

Insurance premiums may deter the ubiquitous deployment of automated
transport systems, especially if/when an incident swarm identifies system
operators or component suppliers liable.  See RISKS-29.64 [item 11] for a
premium guestimate given the moral dilemma underlying deployment choice.


"LA-Tokyo flight turns back after passenger 'boards with wrong ticket'" (BBC)

Bernhard Riedel <bernhard@netmuc.net>
Wed, 27 Dec 2017 16:12:50 +0100
http://www.bbc.com/news/world-us-canada-42492467
"LA-Tokyo flight turns back after passenger 'boards with wrong ticket'"

What, then, is the purpose of these boarding scanners? Glorified passenger
counters?  I had always thought they were there to ensure that only the
expected passengers would be on the plane.


Rise of the Robo-Judge

Dan Jacobson <jidanni@jidanni.org>
Mon, 15 Jan 2018 07:12:12 +0800
https://www.linkedin.com/pulse/rise-robo-judge-artificial-intelligence-well-its-way-determining-fox/

Imagine for a second, that you enter the courtroom to see a computer in the
place of a judge. You watch the trial robot as it hears the details of a
case, and as the "judge-bot" absorbs the evidence, it seems to be drawing
conclusions, determining through steely artificial intelligence, if the
accused is guilty or not guilty. It seems a bit weird, unsettling, and may
not be as farfetched as it sounds.


Hawaiian False Missile Alert Command Confirmation Bias Strikes Again (NYTimes)

Bob Gezelter <gezelter@rlgsc.com>
Sun, 14 Jan 2018 07:04:45 -0700
*The New York Times*, 13 Jan 2018
https://www.nytimes.com/2018/01/13/us/hawaii-missile.html

  Vern T. Miyagi, the administrator of the agency, said that during the
  drill, an unidentified employee mistakenly pushed a button on a computer
  screen to send out the alert, rather than one marked to test it. He said
  the employee answered *yes* when asked by the system if he was sure he
  wanted to send the message.  [PGN-ed]

Computer users are all too familiar with the decades old hazard of "Are you
sure you want to *****?" Much havoc has ensured when a user or system
manager types a command, only to reflexively confirm it. Systems have shut
down, files lost, and many other serious consequences. This feature is
present on a wide range of systems, including Tenex, OpenVMS, MS-DOS, and
Windows (My recollection is that *IX systems do not ask for confirmation,
they just "do it").

Perhaps, critical systems (e.g., Emergency Warning Systems) might be better
off adopting a different approach. Users responding to a confirmation prompt
all too often fall into the trap of confirming by reflex.

A better approach might be to require two operators at different consoles,
separated physically by a sufficient distance, to BOTH command critical
actions (e.g., sending out an all mobile phones alert). Had such a
"two-person" rule applied, it is likely that two independent individuals
would not have made the same error.

Bob Gezelter, http://www.rlgsc.com

  [Dave Horsfall added: Now that we know that the automatic bulk alert works
  just fine, why was there no automatic bulk retraction designed into it?
  Surely right next to the Big Red Button (no, not that one) should be a Big
  Red "OOPS!" Button?

  Lauren Weinstein added: You can excuse the good people of Hawai'i if they
  consider all future alerts on that system with an extreme degree of
  skepticism.  Any system that permits an error like this needs to be ripped
  out by the roots and tossed into a dumpster, along with whomever is in
  charge of it.

  Rob Wilcox noted this:
http://www.hawaiinewsnow.com/story/37271628/officials-release-image-of-hiema-screen-that-triggered-incorrect-missile-alert

  Gabe Goldberg had this to add:
http://www.thegatewaypundit.com/2018/01/hawaiian-emergency-management-officials-hold-interview-post-notes-passwords-computer-screens/
Maybe Amazon can recommend invisible ink when Post-It notes are purchased.

  PGN]


War Risk 2018 with North Korea

Rob Wilcox <robwilcoxjr@gmail.com>
Mon, 15 Jan 2018 08:04:55 -0800
Many RISKS readers have a deep understanding of computer and human factor
nuclear war risks discussed in the early 1980's.

(The New York Times)
https://www.nytimes.com/2018/01/14/world/asia/hawaii-false-alarm-north-korea-nuclear.html


Drones keep entering no-fly zones over Washington, raising security concerns (WashPo)

"Dave Farber" <farber@gmail.com>
Sun, 14 Jan 2018 09:52:32 -0500
The Washington Post, 13 Jan 2018
https://www.washingtonpost.com/local/trafficandcommuting/drones-keep-entering-no-fly-zones-over-washington-raising-security-concerns-and-illustrating-larger-problems/2018/01/13/1030159a-db7d-11e7-b1a8-62589434a581_story.html


What Happens If Russia Attacks Undersea Internet Cables (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 6 Jan 2018 14:19:02 -0500
https://www.wired.com/story/russia-undersea-internet-cables/?mbid=nl_010518_daily_list1_p1


New Rules Announced for Border Inspection of Electronic Devices

Gabe Goldberg <gabe@gabegold.com>
Fri, 12 Jan 2018 16:35:40 -0500
The U.S. Customs and Border Patrol announced new restrictions on when agents
can copy data from digital devices at border crossing points.

Agents now need *reasonable suspicion* in advance of searches of phones,
computers, tablets, cameras or any other digital device belonging to people
entering or leaving the United States. Border agents will also be restricted
from accessing data stored remotely in the cloud.

The new guidance published on Friday update existing rules introduced in
2009 regarding advanced searches that can be conducted at random and without
warrant.
<https://www.cbp.gov/sites/default/files/assets/documents/2018-Jan/cbp-directive-3340-049a-border-search-electronic-media.pdf>

Under the new rules, border agents would still be able to conduct basic
searches with or without suspicion, which entails physical examination of
digital devices, such as sorting through photos and examining messages.
Advanced searches based on reasonable suspicion will still be permitted and
agents can still review, copy, and analyze a digital device's contents.

The directive states travelers may be asked to provide passcodes to unlock a
device. If the border agent is unable to inspect the device because it is
passcode or encryption-protected, the agent may detain the device for up to
five days.

https://threatpost.com/new-rules-announced-for-border-inspection-of-electronic-devices/129361/


Is the Answer to Phone Addiction a Worse Phone? (NYTimes)

Monty Solomon <monty@roscom.com>
Mon, 15 Jan 2018 09:44:22 -0500
Is the Answer to Phone Addiction a Worse Phone?
https://www.nytimes.com/2018/01/12/technology/grayscale-phone.html

A small group of people have turned their phone screens to shades of gray to
make them less stimulating. Thatās the opposite of what tech companies want.


Apple said a software problem caused its heating system to break, which caused icicles to form on the roof of its Chicago store

Gabe Goldberg <gabe@gabegold.com>
Sat, 6 Jan 2018 14:21:12 -0500
Apple spokesman Nick Leahy said the building's architects designed the
store to be snow-friendly.  “The roof has a warming system that's built
into it,'' said Leahy. It needed some fine-tuning and it got reprogrammed
today. It's hopefully a temporary problem.''  The store has an ultra-thin
carbon roof. Crews closed off sections of the store's outdoor plaza after
the icicles to form.  The Chicago Apple store has faced criticism...

It SNOWS in Chicago? Who knew... The risk? Smart buildings that aren't.


Windows Meltdown and Spectre patches

Gabe Goldberg <gabe@gabegold.com>
Thu, 11 Jan 2018 15:28:49 -0500
Microsoft has added a new and very important detail on the support page,
describing incompatibilities between AV products and the recent Windows
Meltdown and Spectre patches. The update says that Windows users will not
receive the January 2018 Patch Tuesday security updates, or any subsequent
Patch Tuesday security updates, unless the AV program they are using becomes
compatible with the Windows Meltdown and Spectre patches. *AV programs will
need to add a special Registry key in the future*.  One researcher is
keeping of track of which AV programs are updated on this spreadsheet.

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true


Meltdown/Spectre/GoogleZero

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 7 Jan 2018 13:43:34 PST
https://www.theverge.com/2018/1/4/16851132/meltdown-spectre-google-cpu-patch-performance-slowdown

Google just gave chipmakers some much needed good news. In a post on the
company's Online Security Blog, two Google engineers described a novel
chip-level patch that has been deployed across the company's entire
infrastructure, resulting in only minor declines in performance in most
cases.  The company has also posted details of the new technique, called
Retpoline, in the hopes that other companies will be able to follow the same
technique.  If the claims hold, it would mean Intel and others have avoided
the catastrophic slowdowns that many had predicted.


Microsoft's patches brick AMD PCs

Barry Gold <barrydgold@ca.rr.com>
Wed, 10 Jan 2018 21:54:40 -0800
Microsoft came up with a security patch for the Spectre and Meltdown
vulnerabilities, but if the patch is installed on a PC with an AMD chip,
it's likely to turn into a boat anchor.  M$ is blaming AMD for providing
inadequate info on how their chips work.

http://money.cnn.com/2018/01/09/technology/business/microsoft-amd-update/index.html


Antivirus: the perfect spying tool!! (Nicole Perlroth)

Henry Baker <hbaker1@pipeline.com>
Tue, 02 Jan 2018 16:39:01 -0800
What does an antivirus program do?  It scans every file in your device
looking for *signatures*, and then uploads those files which match the
signatures for further analysis by the antivirus provider.

So hacking antivirus involves 2 steps: produce signatures for files you want
to steal, and then exfiltrate those files.  The hard work of scanning for
those files is already automated by the antivirus program!

Both steps are trivial *if/when you're the antivirus vendor*!  Duh!

But even when you're not the antivirus vendor, the antivirus technology is
the perfect "evil maid" which constantly runs in the background, indexing
files for later—possibly more labor-intensive—exfiltration.

Nicole Perlroth, 1 Jan 2018
How Antivirus Software Can Be Turned Into a Tool for Spying
https://www.nytimes.com/2018/01/01/technology/kaspersky-lab-antivirus.html

It has been a secret, long known to intelligence agencies but rarely to
consumers, that security software can be a powerful spy tool.

Security software runs closest to the bare metal of a computer, with
privileged access to nearly every program, application, web browser, email
and file.  There's good reason for this: Security products are intended to
evaluate everything that touches your machine in search of anything
malicious, or even vaguely suspicious.

By downloading security software, consumers also run the risk that an
untrustworthy antivirus maker—or hacker or spy with a foothold in its
systems—could abuse that deep access to track customers' every digital
movement.

"In the battle against malicious code, antivirus products are a staple,"
said Patrick Wardle, chief research officer at Digita Security, a security
company.  "Ironically, though, these products share many characteristics
with the advanced cyberespionage collection implants they seek to detect."
Mr. Wardle would know.  A former hacker at the National Security Agency,
Mr. Wardle recently succeeded in subverting antivirus software sold by
Kaspersky Lab, turning it into a powerful search tool for classified
documents.  Mr. Wardle's curiosity was piqued by recent news that Russian
spies had used Kaspersky antivirus products to siphon classified documents
off the home computer of an NSA developer, and may have played a critical
role in broader Russian intelligence gathering.

"I wanted to know if this was a feasible attack mechanism," Mr. Wardle said.
"I didn't want to get into the complex accusations.  But from a technical
point of view, if an antivirus maker wanted to, was coerced to, or was
hacked or somehow subverted, could it create a signature to flag classified
documents?"

That question has taken on renewed importance over the last three months in
the wake of United States officials' accusations that Kaspersky's antivirus
software was used for Russian intelligence gathering, an accusation that
Kaspersky has rigorously denied.

Last month, Kaspersky Lab sued the Trump administration after a Department
of Homeland Security directive banning its software from federal computer
networks.  Kaspersky claimed in an open letter that "DHS has harmed
Kaspersky Lab's reputation and its commercial operations without any
evidence of wrongdoing by the company."

For years, intelligence agencies suspected that Kaspersky Lab's security
products provided a back door for Russian intelligence.  A draft of a
top-secret report leaked by Edward J. Snowden, the former National Security
Agency contractor, described a top-secret, NSA effort in 2008 that concluded
that Kaspersky's software collected sensitive information off customers'
machines.

The documents showed Kaspersky was not the NSA's only target.  Future
targets included nearly two dozen other foreign antivirus makers, including
Checkpoint in Israel and Avast in the Czech Republic.  [...]

  [Excellent long item PGN-truncated for RISKS.  The print version (2 Jan
  2018) has a different headline: Spies Exploit The Software That Protects.]


Infected USB sticks handed out at security conference

Mark Thorson <eee@dialup4less.com>
Sun, 7 Jan 2018 10:20:18 -0800
Apparently, infected inadvertently and not targeted at the conference.
Quickly discovered.

http://www.taipeitimes.com/News/taiwan/archives/2018/01/08/2003685393


Cybersecurity in self-driving cars: University of Michigan releases threat identification tool

"Mike Chinni" <mchinni@optonline.net>
Mon, 8 Jan 2018 13:51:08 -0500
"These three hypothetical scenarios-posited in a new white paper by
University of Michigan researchers working with Mcity-illustrate the breadth
of the cybersecurity challenges that must be overcome before autonomous and
connected vehicles can be widely adopted. While every new generation of auto
tech brings new security risks, the vulnerabilities that come along with
advanced mobility are both unprecedented and under-studied, the paper
states.

The white paper introduces a tool called the Mcity Threat Identification
Model, which could help academic and industry researchers analyze the
likelihood and severity of potential threats. The new model outlines a
framework for considering: the attacker's skill level and motivation; the
vulnerable vehicle system components; the ways in which an attack could be
achieved; and the repercussions, including for privacy, safety and financial
loss.

The tool is believed to be the first of its kind focused on automated
vehicles. Mcity, led by U-M, is the nation's largest public-private
partnership working to advance connected and automated mobility."

http://ns.umich.edu/new/releases/25354-cybersecurity-in-self-driving-cars-u-m-releases-threat-identification-tool



BlackBerry Jarvis Checks Autonomous Car Software for Security Flaws

Gabe Goldberg <gabe@gabegold.com>
Thu, 18 Jan 2018 00:35:01 -0500
Enterprise software vendor BlackBerry is jumping into the autonomous vehicle
marketplace with a new cyber-security application called Jarvis that aims to
tighten security around the complex computing code that controls driver-less
vehicles.

BlackBerry Jarvis, which the company says is a "cloud-based, static binary
code scanning" application, can be used by automakers to quickly and deeply
scan and evaluate the voluminous and critical software code used in
autonomous vehicles, cutting such scanning from 30 days down to about seven
minutes, according to BlackBerry. [...]

"Jarvis is a game-changer for OEMs because for the first time they have a
complete, consistent, and near real-time view into the security posture of a
vehicle's entire code base along with the insights and deep learning needed
to predict and fix vulnerabilities, ensure compliance, and remain a step
ahead of bad actors."

Jarvis can be used to evaluate the hundreds of software applications that
are used in autonomous vehicles, according to BlackBerry. [...]

In the future, Jarvis could also be used to help secure critical
applications in other industries, including healthcare, industrial
automation, aerospace and defense, according to BlackBerry.

IT analysts said Jarvis is intriguing and could be a valuable tool for
autonomous vehicle makers.
http://www.eweek.com/security/blackberry-jarvis-scans-for-security-flaws-in-autonomous-car-software

It's magic, no question about that... and maybe it's recursive, can scan
itself for flaws.  GG


Firms buy insurance 'in mad panic' as cyber-attacks soar (BBC)

Richard M Stein <rmstein@ieee.org>
Wed, 17 Jan 2018 14:56:41 +0800
http://www.bbc.com/news/business-42687937

  "One of the biggest issues in cyber-insurance is how to price it
  effectively and cover indirect as well as direct costs a company suffers
  following a cyber-attack," says Nik Whitfield, chief executive of
  Panaseer, a cyber risk assessor.

  "He anticipates companies like his offering cyber risk assessment services
  to insurers. Firms seeking insurance would be happy to be assessed in the
  hope of securing lower premiums, he argues.

  "Such a service would be the equivalent of a telematics box in your car
  which tells the insurance company how well you're driving," says Mr
  Whitfield.

How many business and institutional entities are ill-equipped and too poorly
funded to sponsor essential defensive operations to actively suppress brand
outrage incidents? What happens when the cyber-insurer recommended changes
(ala outsource to a vendor) fails to suppress an incident? What happens to
the insurer when incident swarm drains claim reserves? Filing cabinets and
paper might be due for a strong comeback in light of the Internet of
Mistakes.


Health Care Is Hemorrhaging Data. AI Is Here to Help (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 2 Jan 2018 00:02:51 -0500
https://www.wired.com/story/health-care-is-hemorrhaging-data-ai-is-here-to-help/

Could be good news, could be bad news. Likely some of each. We'll see...


Romanian Hackers Compromised DC Security Cameras Prior to Inauguration (TRK)

Gabe Goldberg <gabe@gabegold.com>
Thu, 4 Jan 2018 11:36:54 -0500
Washington, DC—Two Romanian nationals have been arrested and charged with
hacking into approximately 123 computers that control outdoor surveillance
cameras for the *DC Metropolitan Police Department* in connection with a
Ransomware scheme just before Donald Trump's inauguration last January.
According to documents recently unsealed, Mihai Alexandru Isvanca, 25, and
Eveline Cismaru, 28, of Romania, were arrested on Dec. 15, at the airport in
Bucharest, Romania. Both have been charged with conspiracy to commit wire
fraud and conspiracy to commit various forms of computer fraud. Isvanca
remains in custody in Romania and Cismaru is on house arrest there pending
further legal proceedings.  “This case was of the highest priority due to
its impact on the Secret Service's protective mission and its potential
effect on the security plan for the 2017 Presidential Inauguration,'' the
*U.S. Attorney's Office* in DC said in a statement. All surveillance
cameras were restored prior to the inauguration.
https://www.justice.gov/usao-dc/pr/two-romanian-suspects-charged-hacking-metropolitan-police-department-surveillance-cameras
<http://trk.cp20.com/click/lruj4-d6mci4-7fgw0x81/>


Indiana Hospital Hacked for Ransom: An Argument for Decentralized Data

Dan Jacobson <jidanni@jidanni.org>
Mon, 15 Jan 2018 14:37:56 +0800
https://decentralized.tv/indiana-hospital-hacked-ransom-argument-decentralized-data/


Chanticleer to use blockchain for its rewards program

Gabe Goldberg <gabe@gabegold.com>
Thu, 4 Jan 2018 10:35:32 -0500
Insane blockchain magic fairy dust...

The speculative mania on anything related to cryptocurrencies is happening
again in the new year.

Chanticleer Holdings, an owner of burger restaurants, said Tuesday it will
use blockchain-related technology for its customer rewards program. The
company also owns 9 Hooter's restaurants and is a minority investor in
Hooter's of America.

"We wanted to expand our existing loyalty program with something that really
changes the way our customers can leverage their rewards; Mobivity Merit is
real cryptocurrency, leveraging the same infrastructure and principles of
Bitcoin, Ethereum, Ripple, Litecoin, and more, and will enable our customers
to make use of their rewards in entirely new ways," Michael Pruitt,
chairman, president and CEO of Chanticleer Holdings, said in a release
<https://globenewswire.com/news-release/2018/01/02/1277006/0/en/Chanticleer-Holdings-to-Deploy-Mobivity-s-Blockchain-Technology-to-Power-Cryptocurrency-Rewards-Program.html>.

Chanticleer Holdings rose nearly 50 percent in Tuesday trading to almost $4
a share. The Nasdaq-traded stock had a market value of only $8 million
through Friday so it's clearly buyer beware.

https://www.cnbc.com/2018/01/02/chanticleer-to-use-blockchain-for-its-rewards-program.html


How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com

Dan Jacobson <jidanni@jidanni.org>
Thu, 28 Dec 2017 05:12:13 +0800
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac
It begins with a text message from Verizon
11:31 PM...


Egypt's grand mufti says bitcoin 'forbidden' by Islam (The Times of Israel)

Gabe Goldberg <gabe@gabegold.com>
Wed, 3 Jan 2018 17:11:03 -0500
https://www.timesofisrael.com/egypts-grand-mufti-says-bitcoin-forbidden-by-islam/

The risk? Using a forbidden currency.


How The Banks Bought Bitcoin (Lightning Network)

Dan Jacobson <jidanni@jidanni.org>
Fri, 05 Jan 2018 23:54:37 +0800
Lightning Network by Decentralized Thought http://bitthink.info/
https://www.youtube.com/watch?v=UYHFrf5ci_g
"-This is the finished version of my original video "The truth about the
lightning network"

-Treat this video as a menu to start at. As i add videos i will link the
relevant ones. Upcoming videos on Bitcoins censorship by r/theymos,
Blockstreams connections to the banks, How Blockstream took over Bitcoins
development, as well as videos on Asicboost, Jihan Wu, Roger Ver and a
variety of other topics."


Your Mother's Maiden Name Is Not a Secret (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Thu, 28 Dec 2017 12:44:22 -0500
NYTimes
There has been no shortage of incidents proving that website security
questions are far from secure.

https://www.nytimes.com/2017/12/28/opinion/sunday/internet-security-questions.html

...and yet they're still widely used.


Risks of not using a bookstore? (Newsweek)

Mark Brader <msb@vex.net>
Wed, 10 Jan 2018 07:03:18 -0500
http://www.newsweek.com/fire-fury-books-michael-wolff-trump-world-war-774048

  [People accidently bought the wrong book, with the same title but a
  completely different subtitle.  The name of the book is not a secret
  either.  (Snide comment on the previous item on your mother's maiden
  name.)  PGN]


Why you'll fire Siri and do the job yourself

Gene Wirchenko <genew@telus.net>
Tue, 09 Jan 2018 12:09:51 -0800
https://www.computerworld.com/article/3246088/artificial-intelligence/why-you-ll-fire-siri-and-do-the-job-yourself.html

Mike Elgan, Computerworld, 6 Jan 2018
Why you'll fire Siri and do the job yourself:
In the world of AI, the best virtual assistant might turn out to be your
virtual self.

selected text:

A company based in Pasadena, Calif., called ObEN built a 3D AI avatar
technology that produced what it calls a personal AI (PAI).

I spoke to ObEN co-founder and CEO Nikhil Jain this week. He told me ObEN's
technology generates a 3D computer-generated representation of the user's
face with a single selfie.

ObEN also learns to copy your voice. Once it's got your voice down, it can
do things with your voice that you cannot speak Chinese, for example, or
sing.

That *personality* is based not only on how you speak, but on what you know
as well. It's even possible to add knowledge manually.

In the perfect ObEN universe, different simultaneous instances of your PAI
would be off scheduling meetings, answering questions, negotiating rates and
even telling bedtime stories to your children, according to Jain, while you
are freed up to focus on the stuff that requires human attention and
experience.

At the end of the day, the user can review everything the PAI did that day.

Consider Amy, the x.ai virtual assistant. Amy is AI that interacts via email
and schedules meetings. Amy has a personality and can make decisions in an
email conversation, such as the meeting participants and the Amy virtual
assistant negotiating available times for meetings. Amy is a virtual person,
and many people who encounter Amy assume they're interacting with a real
human.

  Possible issues:

  1) Review it?  If you are so busy that you think you need one of these AI
     avatars, would you really review everything?

  2) Imagine the court case if someone believes something that a
     professional's AI avatar said—thinking it was the professional --
     and acts on it and suffers loss.  [GW]


Always allow removing comments

Dan Jacobson <jidanni@jidanni.org>
Wed, 10 Jan 2018 02:30:52 +0800
https://github.com/fetlife/android/issues/407
Simple copy and paste errors might result in users posting Personally
Identifiable Information, bank account passwords, family records, love
letters, even entire resumes.

With no way to quickly delete [what he now sees that he just accidentally
posted], in some cultures that could be pure suicide. What was seen as a
liberating website suddenly becomes the worst Outing Machine.

Just as one would not want the member database hacked leaking private
information, this leak should be plugged too.


Five copyright claims against youtube video of white noise

Mark Thorson <eee@dialup4less.com>
Sun, 7 Jan 2018 11:12:36 -0800
http://www.bbc.com/news/technology-42580523

  [If I discover a new largest prime number, could I copyright that?  MT

  Probably not under the old rules when I grew up, where you had to show an
  implementation!  Today it is a different story.  Almost any patent
  application may be issued, leaving it to the lawsuits and the lawyers.
  PGN]


The Geography of Risks

Spencer Cheng <spencer@morphbius.com>
Wed, 27 Dec 2017 13:35:14 -0500
I have been reading comp.risks for at least 30 years. It has been an
incredible source of insight, amusement and food for thought. Like all
self-selecting groups, there is a risk that the submitters and readers of
comp.risks shares too many similar concerns and educational background.

With the explosive growth of the Internet over the last few decades, the
nature of risks also changes across national and cultural boundaries.  What
is a risk in the West, may be much less relevant outside the West.

The first real discussion I can find on comp.risks about IMSI-catchers is
RISKS-27.33 in 2013. Coincidentally, I was in Beijing around that time and
chatting with a PhD student friend who was complaining about the number of
SMS UCEMs they were getting. When I inquired further as to they don't just
block the sender, it turns out there are plenty of fake base stations in all
Chinese urban areas whose raison d'etre is to inject Macau gambling UCEM
into every phone it can connect to. The sender number is generated and
changes with every UCEM. The cellular operators are not in a position to
block these pop-up -catchers. I was told these IMSI catchers were quite
cheap to get and operate.

While the risk associated with 3PLA capturing and recording every message
to/from every phone is an accepted reality in China, there is an additional
layer of risks associated with your smartphone being constantly under attack
by anyone who could afford a cheap UCEM injector which as far as I know
doesn't to exist in Western Europe and North America.

I gave this only as an example of risks affected by geographical and
Societal context which can easily be diluted or transformed across societal
boundaries. It behooves us as computer professionals interested in various
computer-related risk to society, to remember that the Internet is not a
homogeneous cultural community of interest. The severity and relevance of
any risk must be placed in geographical, societal or cultural context.


How Adding Accelerometers to Keys Will Thwart Car Thieves (IEEE Spectrum)

Gabe Goldberg <gabe@gabegold.com>
Thu, 4 Jan 2018 09:42:55 -0500
During last week's MEMS and Sensors Executive Congress in San Jose, Calif.,
designers, researchers, and industry representatives argued for putting MEMS
devices, like accelerometers and microphones, and a wide variety of other
sensors in just about everything. We heard about an electric snowboard with
traction control, voice-controlled garbage cans, and accelerometers placed
on the nose to listen for speech in noisy environments.

But sometimes the simplest example is the most memorable. In this case, that
was a MEMS accelerometer—like the one in your step-counter—that
thwarts car thieves.

https://spectrum.ieee.org/view-from-the-valley/transportation/sensors/how-accelerometers-will-soon-thwart-car-thieves


Re: The Unstoppable Momentum of Self-Driving Cars (RISKS-30.52)

Amos Shapir <amos083@gmail.com>
Thu, 28 Dec 2017 18:48:59 +0200
The Las Vegas bus incident demonstrates a basic problem of autonomous cars,
which no one seems to have addressed yet.

As every student driver learns within the first few lessons, operating a
vehicle is the easier part; but driving is essentially teamwork.  A driver
must not just be aware of what other drivers do, but more important, has to
use social skills to predict what they wish to do and what are going to do.

It's no accident that in many languages, terms used to describe driving
originate from the realm of social behavior (e.g. "conduct").

So it seems that the main problem of driving robots is that they have
learned to control vehicles, but have not yet learned how to drive.


Re: Vehicle Satellite Navigation (RISKS-30.51,52)

Chris Drewe <e767pmk@yahoo.co.uk>
Thu, 28 Dec 2017 22:28:45 +0000
Where I live, five major roads on the east side of town all converge on a
single roundabout (traffic circle), which obviously gets congested
especially in rush hours.  To help the flow there's a flyover (overpass)
linking two of the roads directly; this is a rather spindly structure
suitable for cars and small vans only, and it's only one lane wide, so the
direction of traffic is switched according to demand—usually into town in
the morning and out of town in the afternoon—from a control room with
CCTV monitoring of the surrounding roads.  The are mechanically-operated
signs at each end, showing either a 'no entry' symbol (if closed), or '30'
(speed limit) and car and van symbols (if open) as appropriate.

Of course from time to time drivers miss the signs and go the wrong way
resulting in a near miss or head-on collision, usually without major
casualties luckily as speeds are low, though recovering wrecked vehicles 20
feet (6m) in the air can be a challenge.  This has been happening for
decades, however in early 2017 the local newspaper reported an increase in
incidents in recent years, suggesting that satellite navigation systems
could be to blame, with a quick check on several models showing that some
tell drivers to use the flyover without checking that it's actually open in
their direction first.  A representative from one of the makers was quoted
as saying that switched-direction roads are used in several parts of the
world and navigation systems can handle these, but only if they operate to a
regular schedule, which this one doesn't.

As I see it, there are two issues here: (1) is it possible/feasible for
satellite navigation systems to handle changing road conditions, both for
fixed locations like this and/or wider-ranging difficulties like wildfires?
And (2) how much detail should navigation systems actually provide for
drivers?  Telling them to stop at red lights, give way to other vehicles
(having a crash is rarely a good idea), avoid hitting pedestrians,
etc. seems a little unnecessary.

  [There's a vaguely similar item in RISKS-30.52: Navigation Apps Are Turning
  Quiet Neighborhoods Into Traffic Nightmares (Lisa Foderaro)]

In the UK there are occasional proposals for road pricing with the aim of
reducing traffic congestion while raising valuable funds for road
improvements—the per-mile rate would vary with higher charges for busier
roads at busier times.  Somebody pointed out that if this made major
highways quieter because heavy traffic used country lanes in the middle of
the night, would it count as success or failure..?  (Presumably smartphone
apps or whatever would be developed to calculate lowest-cost routes and
times for specific journeys.)

Similar approach in London, UK:
http://www.telegraph.co.uk/news/2017/12/31/block-streets-stop-smart-apps-turning-sleepy-roads-polluted/
  Block off streets to stop smart apps turning sleepy roads into
  polluted rat runs, say campaigners

Please report problems with the web pages to the maintainer

Top