The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 56

Tuesday 27 February 2018

Contents

To Stir Discord in 2016, Russians Turned Most Often to Facebook
NYT
Russian election interference
PGN
Russia hacked the Olympics and tried to make it look like North Korea did it
Vox
Are Bots a Danger for Political Election Campaigns?
PGN
The Myth of the Hacker-Proof Voting Machine
Kim Zetter
Your Bitcoin or Your Life
Nathaniel Popper
All but Banned in the U.S., Chinese Giant Huawei Is Welcomed in Britain
WSJ
Drone collisions, close calls underscore growing risks for aircraft
WashPo
BB&T Restores ATM Service, Online Banking Problem Persists
WSJ
"Lawsuits threaten infosec research just when we need it most"
Zack Whittaker
"Security firm Keeper sues news reporter over vulnerability story"
Zack Whittaker
"Microsoft is distributing security patches through insecure HTTP links"
Woody Leonhard
That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH.
The Register
Facebook's Mandatory Anti-Malware Scan Is Invasive and Lacks Transparency
WiReD
An old tax scam—with a troubling new twist
WashPo
"Maker of sneaky Mac adware sends security researcher cease-and-desist letters"
Zack Whittaker
Tesla cloud resources are hacked to run cryptocurrency-mining malware
Ars Technica
One-stop counterfeit certificate shops for all your malware-signing
Ars Technica
US Border Patrol Hasn't Validated E-Passport Data For Years
Lily Hay Newman
Facebook Shows Why SMS Isn't Ideal for Two-Factor Authentication
Tidbits
Google Chrome Now Blocks Irksome Ads. That's a Good Thing, Right?
NYTimes
Federal Judge Says Embedding a Tweet Can Be Copyright Infringement
EFF
How a fight over Star Wars download codes could reshape copyright law
Ars Technica
How Samsung moved beyond its exploding phones
Ars Technica
"Fail-slow at scale: When the cloud stops working"
Robin Harris
Apple Repair Center Barrages Sacramento's 911 Operators
CBS
Convention registration leaks information
Medium via Arthur T
Banking Nightmare: Chase Glitch Gives Online Access to Random People
Fly&Dine
"iPhone explodes at Vietnamese hair salon, thankfully only injures Apple fans' pride"
RocketNews
Cyberstalking via unsolicited anonymous Amazon deliveries
The Boston Globe
The Car of the Future Will Sell Your Data
Bloomberg
Don't blindly follow your GPS—Sylvan Lake State Park staff offers winter route advice
Pam Boyd
Before Hitting the Road, Self-Driving Cars Should Have to Pass a Driving Test
Scientific American
Re: mystery deliveries from Amazon
Kelly Manning
Info on RISKS (comp.risks)

To Stir Discord in 2016, Russians Turned Most Often to Facebook (NYT)

Lauren Weinstein <lauren@vortex.com>
Sat, 17 Feb 2018 14:05:19 -0800
Sherra Frenkel and Kate Benner, *The New York Times*, 17 Feb 2018, via NNSquad
http://www.nytimes.com/2018/02/17/technology/indictment-russian-tech-facebook.html

  In 2014, Russians working for a shadowy firm called the Internet Research
  Agency started gathering American followers in online groups focused on
  issues like religion and immigration. Around mid-2015, the Russians began
  buying digital ads to spread their messages. A year later, they tapped
  their followers to help organize political rallies across the United
  States.  Their digital instrument of choice for all of these actions?
  Facebook and its photo-sharing site Instagram.


Russian election interference

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 18 Feb 2018 21:32:20 PST
  [Perhaps it is time to once again dust off my mixed metaphor
  from the second crypto wars:

    Pandora's Cat is Out of the Barn,
    and the Genie Won't Go Back in the Closet.    PGN]

Here are the articles from *The New York Times* in this news cycle.

 0. INDICTMENT BARES RUSSIAN NETWORK TO TWIST 2016 VOTE,
    17 Jan 2018 (front page top lead, over [1] and [2])

 1. Scott Shane and Mark Mazzetti, Mueller Chronicles a Social Media War,
    17 Jan 2018

 2. Matt Apuzzo and Sharon LaFraniere, Sees `Unwitting' Ties to Trump Forces,
    17 Jan 2018

 3. Sheera Frenkel and Katie Benner, To Create Rifts, Russians Liked
    Facebook Most, 18 Jan 2018

 4. Peter Baker, Trump Quiet In a U.S. War On Meddling, 18 Jan 2018

 5. Neil MacFarquahar, Russian Trolls Were Sloppy, but U.S. Indictment Still
    `Points to the Kremlin', 18 Jan 2018

 6. David E. Sanger, In Trump Administration, A Sharp Divide Over Election
    Interference, 18 Jan 2018

 7. Scott Shane, How Russians Exploited Web to Tangle Vote, 19 Jan 2018

Long Live the Internet, for better and for worse!


Russia hacked the Olympics and tried to make it look like North Korea did it (Vox)

Lauren Weinstein <lauren@vortex.com>
Sun, 25 Feb 2018 10:50:58 -0800
http://www.vox.com/world/2018/2/25/17050058/russia-hacked-olympics-pyeongchang-north-korea

  Russian military spies hacked hundreds of computers at the 2018 Olympic
  Games in South Korea—and tried to make it look like North Korea was the
  culprit, according to a new report.  It is likely retaliation against the
  International Olympic Committee (IOC) for banning the Russian team from
  Olympics because of a widespread doping scheme it used to cheat in
  previous competitions.  The Washington Post's Ellen Nakashima reported on
  Saturday evening that the GRU, Russia's military intelligence agency,
  accessed as many as 300 Olympics-related computers earlier this month,
  according to two US officials.  To cover their tracks, and to pin any
  suspicions on North Korea, the hackers used North Korean IP addresses,
  among other tactics.

http://www.washingtonpost.com/world/national-security/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/2018/02/24/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html


Are Bots a Danger for Political Election Campaigns?

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 21 Feb 2018 10:14:26 PST
Friedrich-Alexander University Erlangen-Nurnberg (Germany) (02/19/18)

Researchers at Friedrich-Alexander University (FAU) in Germany have probed
the extent to which autonomous social bots were used on Twitter during
Japan's general elections in 2014.  The team analyzed more than 540,000
tweets using a corpus linguistics strategy so large volumes of text could be
examined, and found nearly 80 percent of the investigated tweets were
duplicates traced back to a total of 3,722 original tweets.  Five
proliferation patterns were uncovered, four of which were used by right-wing
activists, and one by users who acted similarly to bots.  FAU professor
Fabian Schafer says it seems as if social bots were widely used by
right-wing users, to give indirect online backing to Shinzo Abe's
nationalistic agenda.  "As a result, Abe's position was not only supported
by the conservative organizations of a group of users with close links to
the [Liberal Democratic Party] but also by the large...group of right-wing
Internet activists," Schafer notes.


The Myth of the Hacker-Proof Voting Machine (Kim Zetter)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 23 Feb 2018 10:22:36 PST
Kim Zetter, *The New York Times*, 21 Feb 2018

Election officials have insisted that machines can;t be remotely compromised
because they're not connected to the Internet.  But security experts point
out crucial ways in which they are.

https://www.nytimes.com/2018/02/21/magazine/the-myth-of-the-hacker-proof-voting-machine.html


Your Bitcoin or Your Life (Nathaniel Popper)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 19 Feb 2018 12:01:57 PST
Nathaniel Popper, *The New York Times*, 19 Feb 2018   [PGN-ed]
Bitcoin Thieves Threaten Real Violence for Virtual Currencies
Anonymity and soaring values have made virtual currencies an attractive
target for thieves.
http://www.nytimes.com/2018/02/18/technology/virtual-currency-extortion.html

The currency they were after was virtual, but the guns they carried were
anything but.

* In Phuket, Thailand, assailants forced a Russian man to transfer about
  $100K in Bitcoin to them.

* The head of a Ukrainian Bitcoin exchange was taken hostage and released
  only after a ransom of $1M in Bitcoin.

* A NYC man was held captive until he transferred $1.8M in Ether (Etherium).

Other recent cases have taken place in Russia, Ukraine, Turkey, Canada,
Britain, and the U.S.

  [Bit-caveat Emptor]


All but Banned in the U.S., Chinese Giant Huawei Is Welcomed in Britain (WSJ)

Monty Solomon <monty@roscom.com>
Sun, 25 Feb 2018 00:33:09 -0500
Britain's adoption of Huawei technology is widening a gulf between the U.S.
and allies over cybersecurity.

http://www.wsj.com/articles/huaweis-u-k-relationship-raises-u-s-concerns-1519416947


Drone collisions, close calls underscore growing risks for aircraft

Richard M Stein <rmstein@ieee.org>
Tue, 20 Feb 2018 19:32:30 +0800
The Washington Post, 17 Feb 2018
http://www.washingtonpost.com/politics/spate-of-drone-collisions-close-calls-underscore-growing-risks-for-aircraft/2018/02/17/4b630714-1433-11e8-8ea1-c1d91fcec3fe_story.html


BB&T Restores ATM Service, Online Banking Problem Persists (WSJ)

Monty Solomon <monty@roscom.com>
Fri, 23 Feb 2018 22:23:36 -0500
The North Carolina-based regional bank cited equipment malfunction at a data
center for the problems

http://www.wsj.com/articles/bb-t-customers-locked-out-of-online-banking-atms-after-technical-issue-1519403905%3Fmod%3De2fb


"Lawsuits threaten infosec research just when we need it most" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Mon, 19 Feb 2018 09:30:55 -0800
Zack Whittaker for Zero Day,  19 Feb 2018
http://www.zdnet.com/article/chilling-effect-lawsuits-threaten-security-research-need-it-most/

Security researchers and reporters have something in common: both hold the
powerful accountable.  But doing so has painted a target on their backs --
and looming threats of legal action and lawsuits have many concerned.

opening text:

NEW YORK, NY—This year, two security reporters and one researcher will
fight for their professional lives in court.

Steve Ragan, senior staff writer at tech news site CSO, and Dan Goodin,
security editor at Ars Technica, were last year named defendants in two
separate lawsuits. The cases are different, but they have a common theme:
they are being sued by the companies covered in articles they wrote.

Although lawsuits targeting reporters, particularly on the security beat,
are rare, legal threats are an occupational hazard that reporters are all
too aware of—from companies threatening to call an editor to demand a
correction—or else—to a full-blown lawsuit.

But the inevitable aftermath is a "chilling effect." White-hat hackers and
security researchers hesitate to report vulnerabilities and weaknesses to
technology firms for fear of facing legal retribution.


"Security firm Keeper sues news reporter over vulnerability story"

Gene Wirchenko <genew@telus.net>
Mon, 19 Feb 2018 09:29:02 -0800
Zack Whittaker for Zero Day, 20 Dec 2017
http://www.zdnet.com/article/security-firm-keeper-sues-news-reporter-over-vulnerability-story/

The vulnerability was fixed, but Keeper now demands that the allegedly
defamatory article is pulled offline.

selected text:

Keeper, a password manager software maker, has filed a lawsuit against a
news reporter and its publication after a story was posted reporting a
vulnerability disclosure.

Dan Goodin, security editor at Ars Technica, was named defendant in a suit
filed Tuesday by Chicago-based Keeper Security, which accused Goodin of
"false and misleading statements" about the company's password manager.

The bug has since been fixed, according to Ormandy's follow-up note, which
triggered the release of the report. Goodin's story was amended twice, which
was noted in the story's footer.

Keeper confirmed the bug was fixed in its own blog post, which said "no
customers were adversely affected by this potential vulnerability."

Several security experts and researchers on Twitter decried the lawsuit.

"This is bullying and Goodin is [definitely] def in the top 1 percent [of]
knowledgeable journalists," said Matthieu Suiche, founder of Comae
Technologies, a Dubai-based security firm, in a tweet.


"Microsoft is distributing security patches through insecure HTTP links" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Mon, 19 Feb 2018 08:45:26 -0800
Woody Leonhard, Computerworld, 16 Feb 2018
http://www.computerworld.com/article/3256304/microsoft-windows/microsoft-is-distributing-security-patches-through-insecure-http-links.html
Microsoft is distributing security patches through insecure HTTP links
Stefan Kanthak, reporting on the Bugtraq mailing list, shows how Microsoft's
own security patch download links are based on HTTP, not HTTPS.


That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH. (The Register)

Monty Solomon <monty@roscom.com>
Sun, 18 Feb 2018 11:15:08 -0500
Oh yeah, we patched that in October, Windows giant yawns

http://www.theregister.co.uk/2018/02/15/microsoft_skype_fixed/


Facebook's Mandatory Anti-Malware Scan Is Invasive and Lacks Transparency (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 24 Feb 2018 00:51:59 -0500
When an Oregon science fiction writer named Charity tried to log onto
Facebook on February 11, she found herself completely locked out of her
account. A message appeared saying she needed to download Facebook's malware
scanner if she wanted to get back in. Charity couldn't use Facebook until
she completed the scan, but the file the company provided was for a Windows
device—Charity uses a Mac.

http://www.wired.com/story/facebook-mandatory-malware-scan/


An old tax scam—with a troubling new twist (WashPo)

Monty Solomon <monty@roscom.com>
Sat, 24 Feb 2018 14:34:50 -0500
An old tax scam—with a troubling new twist

http://www.washingtonpost.com/news/get-there/wp/2018/02/22/an-old-tax-scam-with-a-troubling-new-twist/

A New Tax Scam, and Tips on How to Deal With It
http://www.nytimes.com/2018/02/23/your-money/income-tax-scam-tips.html

A big deposit from the IRS unexpectedly shows up in your bank account. What
should you do? First off, don't spend it. You may be a victim of identity
fraud.


"Maker of sneaky Mac adware sends security researcher cease-and-desist letters" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Mon, 19 Feb 2018 09:23:11 -0800
Zack Whittaker for Zero Day | December 13, 2017
http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/

Maker of sneaky Mac adware sends security researcher cease-and-desist letters
"If there's code that's mining data and hiding itself on a computer without
any way of removing it, that's malware, plain and simple."

selected text:

The maker of a sneaky adware that hijacks a user's browser to serve ads is
back with a new, more advanced version—one that can gain root privileges
and spy on the user's activities.

News of the updated adware dropped Tuesday in a lengthy write-up by Amit
Serper, principal security researcher at Cybereason.

TargetingEdge sent cease-and-desist letters to try to prevent Serper from
publishing his research.


Tesla cloud resources are hacked to run cryptocurrency-mining malware (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 23 Feb 2018 20:26:21 -0500
Crooks find poorly secured access credentials, use them to install stealth
miner.

http://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/


One-stop counterfeit certificate shops for all your malware-signing needs (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 23 Feb 2018 20:26:17 -0500
Certificates registered in names of real corporations are surprisingly easy
to come by.

http://arstechnica.com/information-technology/2018/02/counterfeit-certificates-sold-online-make-digitally-signed-malware-a-snap/


US Border Patrol Hasn't Validated E-Passport Data For Years (Lily Hay Newman)

Richard Forno <rforno@infowarrior.org>
February 23, 2018 at 6:30:28 AM EST
Lily Hay Newman, WiReD, 22 Feb 2018

US Customs and Border Patrol hasn't been verifying the cryptographic
signatures on e-Passports --because they never installed the right software.

Passports, like any physical ID, can be altered and forged. That's partly
why for the last 11 years the United States has put RFID chips in the back
panel of its passports, creating so-called e-Passports. The chip stores your
passport information—like name, date of birth, passport number, your
photo, and even a biometric identifier—for quick, machine-readable border
checks.  And while e-Passports also store a cryptographic signature to
prevent tampering or forgeries, it turns out that despite having over a
decade to do so, US Customs and Border Protection hasn't deployed the
software needed to actually verify it.

This means that since as far back as 2006, a skilled hacker could alter the
data on an e-Passport chip—like the name, photo, or expiration date --
without fear that signature verification would alert a border agent to the
changes. That could theoretically be enough to slip into countries that
allow all-electronic border checks, or even to get past a border patrol
agent into the US.

"The idea of these things is that they're supposed to provide some
additional electronic security over a standard passport, which can be forged
using traditional techniques," says Matthew Green, a cryptographer at Johns
Hopkins University. "The digital signature would provide that guarantee. But
if it's not checked it doesn't."

A letter to CBP on Thursday from senators Ron Wyden of Oregon and Claire
McCaskill of Missouri highlights this crucial shortcoming. More than 100
countries now offer passports that come with a digital chip, and fewer than
half of those include the capability to verify the integrity of data using a
digital signature. But Wyden and McCaskill stress that while the US demands
that countries in the Visa Waiver program put a chip in their passports, it
has failed to fully realize its own e-Passport program.

"CBP does not have the software necessary to authenticate the information
stored on the e-Passport chips," the two Senators wrote. "Specifically, CBP
cannot verify the digital signatures stored on the e-Passport, which means
that CBP is unable to determine if the data stored on the smart chips has
been tampered with or forged."

http://www.wired.com/story/us-border-patrol-hasnt-validated-e-passport-data-for-year


Facebook Shows Why SMS Isn't Ideal for Two-Factor Authentication (Tidbits)

Monty Solomon <monty@roscom.com>
Mon, 19 Feb 2018 16:51:03 -0500
http://tidbits.com/article/17802


Google Chrome Now Blocks Irksome Ads. That's a Good Thing, Right? (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 18 Feb 2018 23:08:39 -0500
http://www.nytimes.com/2018/02/18/business/media/google-chrome-ad-block.html
The brower's latest update filters out pop-up ads and other annoyances. It also strengthens Google's grip on the web.


Federal Judge Says Embedding a Tweet Can Be Copyright Infringement (EFF)

Monty Solomon <monty@roscom.com>
Sun, 18 Feb 2018 18:49:03 -0500
http://www.eff.org/deeplinks/2018/02/federal-judge-says-embedding-tweet-can-be-copyright-infringement


How a fight over Star Wars download codes could reshape copyright law (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 23 Feb 2018 20:26:14 -0500
How a fight over Star Wars download codes could reshape copyright law
http://arstechnica.com/tech-policy/2018/02/judge-slaps-down-disney-effort-to-stop-resale-of-star-wars-download-codes/


How Samsung moved beyond its exploding phones (Ars Technica)

Monty Solomon <monty@roscom.com>
Sat, 24 Feb 2018 16:16:16 -0500
Just 18 months later, the company—and consumers—have shrugged it all
off
http://www.washingtonpost.com/business/how-samsung-moved-beyond-its-exploding-phones/2018/02/23/5675632c-182f-11e8-b681-2d4d462a1921_story.html


"Fail-slow at scale: When the cloud stops working" (Robin Harris)

Gene Wirchenko <genew@telus.net>
Mon, 26 Feb 2018 09:11:15 -0800
Robin Harris for Storage Bits (26 Feb 2018)
Big system have so many interacting parts which can interact in
so many ways.  Such interesting (and frustrating) failure modes:

http://www.zdnet.com/article/how-clouds-fail-slow/
Computer systems fail. Most failures are well-behaved: the system stops
working. But there are bad failures too, where the systems works, but really
s-l-o-w-l-y. What components are most likely to fail-slow? The answers may
surprise you.

selected text:

If you've ever had a system fail-slow, you know how maddening it is.  The
lights are on, the fans are running, but nobody is home. Is it software? A
background process run amok?

The paper has some cautionary anecdotes that are amusing, if only in
retrospect.

* one operator put an office chair adjacent to a storage cluster. The
  operator liked to rock in the chair, repeatedly popping hotplug drives out
  of the chassis (a hard correlation to diagnose).

But many of the failures were more subtle:

* a vendor's buggy firmware made a batch of SSDs stop for seconds, disabling
  the flash cache layer and making the entire storage stack slow.

* a machine was deemed nonfunctional due to heavy ECC correction of many
  DRAM bit-flips.

* bad chips in SSDs reduce the size of over-provisioned space, triggering
  more frequent garbage collection.

* applications that create a massive load can cause the rack power control
  to deliver insufficient power to other machines (degrading their
  performance), but only until the power-hungry applications finish.

"A fan in a compute node stopped working, making other fans compensate the
dead fan by operating at maximal speeds, which then caused a lot of noise
and vibration that subsequently degraded the disk performance."

Naturally, finding these problems took a minimum of hours and often days,
weeks, or even months. In one case an entire team of engineers was pulled
off a project to diagnose a bug, at a cost of tens of thousands of dollars.

Root causes

Nor does the root cause necessarily rest with the slow hardware, as in the
case above where a power-hungry application on some servers caused other
servers to slow down. In another case the vendor couldn't reproduce the
user's high-altitude failure mode at their sea level facility.

For (one more) example,

In one condition, a fan firmware would not react quickly enough when
CPU-intensive jobs were running, and as a result the CPUs entered thermal
throttle (reduced speed) before the fans had the chance to cool down the
CPUs.


Apple Repair Center Barrages Sacramento's 911 Operators (CBS)

Gabe Goldberg <gabe@gabegold.com>
Sun, 25 Feb 2018 11:53:22 -0500
http://sacramento.cbslocal.com/2018/02/22/apple-elk-grove-911-accidental/

Since October of last year, devices at an Apple repair center in Elk Grove,
California have called 911 an average of 20 times a day, for a total of
about 1600 dials, according to a local CBS affiliate. Apple acknowledged the
issue in a statement, saying, "We take this seriously and we are working
closely with local law enforcement to investigate the cause and ensure this
doesn't continue." That investigation likely won't take long; the Apple
Watch automatically calls 911 if you hold the side button down for several
seconds. Tapping the side button of your iPhone five times in succession
does the same, if you're on iOS 11. Those features are obviously helpful to
people in legitimate danger. But unless Apple can wrangle its Elk Grove
process to stop the influx of false alarms, it may end up blocking actual
calls from getting through.

http://sacramento.cbslocal.com/2018/02/22/apple-elk-grove-911-accidental/

  [Monty Solomon noted this here:
http://www.washingtonpost.com/news/the-switch/wp/2018/02/23/an-apple-repair-center-accidentally-called-911-about-1600-times-in-four-months-and-no-one-knows-why/
  ]


Convention registration leaks information

"Arthur T." <Risks201802.10.atsjbt@xoxy.net>
Sat, 24 Feb 2018 21:35:05 -0500
Software used for registration at some science fiction and furry conventions
will let you type in anyone's name, and it will show if that person has ever
attended that convention, and if they're registered for the upcoming one.
The software vendor considers this to be a feature, not a bug.

Some quotes from the article:

  "Even worse, your fursona name is also displayed."
  "The reality is that many people are afraid to come out as a fur, for their
   own reasons."
  "This is a leak of customer data, and should be treated like any other."

<http://medium.com/%40_sky_/furry-website-leaks-real-identities-7e25c71bd762>


Banking Nightmare: Chase Glitch Gives Online Access to Random People (Fly&Dine)

Gabe Goldberg <gabe@gabegold.com>
Sat, 24 Feb 2018 00:59:01 -0500
http://flyanddine.boardingarea.com/chase-glitch-random-access/
http://krebsonsecurity.com/2018/02/chase-glitch-exposed-customer-accounts/


"iPhone explodes at Vietnamese hair salon, thankfully only injures Apple fans' pride" (RocketNews)

Gene Wirchenko <genew@telus.net>
Tue, 20 Feb 2018 12:19:49 -0800
http://en.rocketnews24.com/2018/02/21/iphone-explodes-at-vietnamese-hair-salon-thankfully-only-injures-apple-fans-pride%25E3%2580%2590video%25E3%2580%2591/

iPhone explodes at Vietnamese hair salon, thankfully only injures Apple
fans' pride

The explosion is off-screen, but flames are not.


Cyberstalking via unsolicited anonymous Amazon deliveries (The Boston Globe)

David Tarabar <dtarabar@acm.org>
Tue, 20 Feb 2018 17:46:31 -0500
Several women have received multiple unsolicited Amazon packages containing
sex toys and lingerie. The sending account is anonymous and pays for the
items with gift cards.

http://www.bostonglobe.com/business/2018/02/19/these-surprise-packages-from-amazon-spark-something-more-than-frustration-fear/6X4X2rWJw3SawwCGe4n2rJ/story.html


The Car of the Future Will Sell Your Data (Bloomberg)

Gabe Goldberg <gabe@gabegold.com>
Wed, 21 Feb 2018 00:46:29
Your driving behavior, location, has monetary value, not unlike your search
activity.

Of course, not all drivers may understand what privacy rights they're
signing away. A Government Accountability Office report published in July
found none of the 13 carmakers in the study that collected data from
connected vehicles had easy-to-read privacy notices and most don't explain
data sharing and use practices. ...

The kinds of car-data tools in play today are much smaller scale.  General
Motors Co., which pioneered the connected car with its OnStar concierge
service, sent a software update to million of vehicles in December,
introducing an e-commerce system that lets drivers order coffee or make
restaurant reservations while driving—to the chagrin of some safety
advocates. Longer term, GM may look to monetize traffic and parking data
it'll collect as its self-driving cars get on the road next year.

http://www.bloomberg.com/news/articles/2018-02-20/the-car-of-the-future-will-sell-your-data

  [Monty Solomon noted this one:
Connected cars are going to monetize data, but most drivers don't know that.
http://arstechnica.com/cars/2018/02/no-one-has-a-clue-whats-happening-with-their-connected-cars-data/
  ]


Don't blindly follow your GPS—Sylvan Lake State Park staff offers winter route advice (Pam Boyd)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 20 Feb 2018 10:20:10 -0700
Pam Boyd, *Vail Daily*, February 17, 2018

   EAGLE—Just because a GPS system recommends it, doesn't mean it's the
   right way to travel.  The staff at Sylvan Lake State Park near Eagle
   highlighted this fact with a recent case in point.

   When motorists along Interstate 70 initiate a search for the shortest
   route to Ruedi Reservoir, their GPS may advise Crooked Creek Pass. During
   warm weather months, it's a viable alternative. In the winter, not so
   much.

   "GPS will tell people to come up this way, and that's fine in the
   summertime, but in the winter, the Forest Service doesn't plow the road
   above the lake," said Sylvan Lake State Park Supervisor Michael
   Wall. "It's very clear the road isn't open when they get here, it just
   isn't clear on GPS."


Before Hitting the Road, Self-Driving Cars Should Have to Pass a Driving Test (Scientific American)

Richard M Stein <rmstein@ieee.org>
Sat, 24 Feb 2018 19:11:40 +0800
http://www.scientificamerican.com/article/before-hitting-the-road-self-driving-cars-should-have-to-pass-a-driving-test/

So a fresh-off-the-assembly line autonomous vehicle (AV) goes to the
motor vehicle department, and queues for a road qualification test with
a crash-test dummy...

This qualification test, preferably a simulation environment applied to
the AVs operational control program (OFP), must incorporate non-
deterministic stimulus conditions: Bowling balls tossed onto the road,
a couch or refrigerator flying off the bed of a pick-up truck that's 8
car lengths ahead while traveling at 100 km/h, various weather
conditions (snow, ice, rain, wind, blinding sun, sundown, sunrise,
etc.), an overturned truck load of cabbages, traffic signs plastered
with "Kilroy was Here" or "Eat at Joe's," wayward intersection traffic
controls, sudden lane closures, and dogs and cats or children on
bicycles or skateboards carelessly sprinting in front of the vehicle
via blind spots. Add sensor error, failure, or s/w stack anomalies like
a "Bluetooth hijack" attack to spice things up a bit.

Can an AV's OFP successfully navigate these conditions? Success means
reduced accident statistics compared to historical NHTSA findings. The NHTSA
published these accident statistics
(http://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812451) for
2014-2016. If all vehicles on the road are AVs, then the statistics would
look different per vehicle mile traveled (VMT). Perhaps a probably
approximately correct "trolley problem" self-trained, memristor-enabled,
quantum neural network solution can.

California's government specified safety requirements that AVs must satisfy
for deployment. You can find them here:
https://www.dmv.ca.gov/portal/wcm/connect/211897ae-c58a-4f28-a2b7-03cbe213e51d/avexpressterms_93016.pdf?MOD=AJPERES
The government charges $3600 to register an AV for a trial permit. This
document stipulates a "soup to nuts" specification for AV capability
achievement:

  Section 227.58. Application for a Permit for Post-Testing Deployment of
  Autonomous Vehicles on Public Roads, Part (b) states:

  "(1)Certification that the vehicle complies with the Vehicle Performance
  Guidance for Automated Vehicles in the National Highway Traffic Safety
  Administration's Federal Automated Vehicles Policy.

  "(2) Certification that the autonomous vehicle's autonomous technology is
  designed to detect and respond to roadway situations in compliance with
  all provisions of the California Vehicle Code and local regulation
  applicable to the operation of motor vehicles."

  Section 277.44 Reporting Accidents states:

  "A manufacturer whose autonomous vehicle while operating under a
  Manufacturer's Testing Permit is in any manner involved in an accident
  originating from the operation of the autonomous vehicle on a public road
  that resulted in the damage of property or in bodily injury or death shall
  report the accident to the department, within 10 days after the accident,
  on Report of Traffic Accident Involving an Autonomous Vehicle, form OL 316
  (NEW 9/2013)(REV 9/2016) which is hereby incorporated by reference."

California's regulations are scoped to vehicle capability. There are no
apparent "public benefit" metrics or key performance indicators contained in
the regulations, such as to show a reduction in VMT accident or incident
rates.  I did not inspect the federal regulations, but suspect that they do
not specify "public benefit" metrics either.

It is the transition to an all "Minority Report" transportation system --
complete AV supremacy—that portends regrettable "lessons learned"
measured in fatalities and accident histories. The State of California
proactively anticipates these incidents. AV manufacturers have bought a
green light to commit accidents, without a demand to "meet or reduce"
historical accident measures. The government apparently figures that
interfering with commercial enterprise and technological progress, despite
the public risk, is an acceptable quotidian practice.  Governments enable
loss-of-life experimentation to benefit preferred constituents. An
incontrovertible, and tragic oxymoron.

Apparently, the wealth to reap from accelerated human-operated vehicle
retirement tempts many to experiment. Politicians are eager to spill a
little blood for campaign contributions in the name of progress.
Pedestrians and motorists have no participatory opt-out/opt-in, except
through vocal protest and the ballot box.

Seems that technology has become like war: As Homer's Odyssey says, "War is
young men dying and old men talking."


Re: mystery deliveries from Amazon

Kelly Manning <k.manning@ieee.org>
Tue, 20 Feb 2018 07:43:40 -0800
The University of Victoria Student Union is also receiving a wide variety
of Amazon purchases that were not ordered.

While some of this may involve harassment the vast majority is probably
related to the issue of Fake Reviews / "brushing".

Fake Reviewers have to actually order the product, but don't want to be
traceable, so they direct the delivery to a street address for some other
person or entity.

Can't Amazon correlate the nuisance delivery addresses with Amazon Reviews,
and reject the reviews associated with those purchases, and flag future
purchases made with charge cards that can't be associated with an
established account? Amazon is able to determine that the purchases were
typically made with "Gift" VISA cards.

http://news.ycombinator.com/item%3Fid%3D15940318

http://www.brianbien.com/amazons-fake-review-problem/

Please report problems with the web pages to the maintainer

Top