The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 68

Saturday 5 May 2018

Contents

Iowa Lottery fraud resolved
PGN on NYTimes item
"Online voting is impossible to secure. So why are some governments using it?"
Porup
Lightning Struck Her Home. Then Her Brain Implant Stopped Working
NY Times
KRACK Wi-Fi vulnerability can expose medical devices, patient records
Charlie Osborne
"A critical security flaw in popular industrial software put power plants at risk"
Zack Whittaker
"Oracle Access Manager security bug so serious it let anyone access protected data"
Liam Tung
How not to announce a loss of secure information
SMH
Why Silicon Valley can't fix itself
The Guardian
"Google Maps user? Beware attackers using URL-sharing to send you to shady sites"
Liam Tung
China's bungled drone display breaks world record
via BBC.com
When a stranger takes your face, Facebook failed crackdown on fake accounts
WashPo
The Era of Fake Video Begins
Franklin Foer
Souped-up smartphones, robots to help police fight crime more effectively
Straits Times
"GitHub says bug exposed some plaintext passwords"
ZDNet
"Gaming: The System"
NY Times
France seizes France.com from man who's had it since 1994, so he sues
Ars Technica
Transparent Eel-Like Soft Robot Can Swim Silently Underwater
ACM Technews
He Drove a Tesla on Autopilot From the Passenger Seat. The Court Was Not Amused.
NYTimes
Is My Not-So-Smart House Watching Me?
NYTimes
Following the Trail of Online Ads, Wherever It Leads
NYTimes
Criminals Used Flying Robots to Disrupt FBI Hostage Operation
Fortune
Facebook's dating service is a chance to meet the catfisher, advertiser, or scammer of your dreams
WashPo
Blockchain Will Be Theirs, Russian Spy Boasted at Conference
Nathaniel Popper
Blockchain is not only crappy technology but a bad vision for the future
Kai Stinchcombe
John Levine
Keeping your *Twitter* account secure
Gabe Goldberg
Against Trendism: how to defang the social media disinformation complex
Medium via John Ohno
Letter to *Consumer Reports* responding to June article about connected cars
Gabe Goldberg
Info on RISKS (comp.risks)

Iowa Lottery fraud resolved (NYTimes)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 3 May 2018 14:06:09 PDT
The Iowa Hot Lotto fraud scandal has now been resolved.  A programmer who
happened to be the info-security head for the Multi-State Lottery
Association managed to slip in a piece of code into the proprietary system
that changed the randomness on just three chosen days in the year.  This
enabled a would-be payoff of $14.3M.  The collaborators were detected when
they attempted to collect.
http://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-iowa-lottery-fraud-mystery.html

This is reminiscent of the Harrah's Tahoe six-slot-machine progressive
payoff noted way back in RISKS-1.01 (where a shill chosen to collect the
payoff never showed up, because he had a record and feared exposure [perhaps
he was in a witness-protection program?]), and the more recent Breeders' Cup
off-track pick-six $3M scam (RISKS-22.33, 38, 39, 40)—in which bets on the
first four races were altered by an insider after those races were over, and
the next races wildcarded to cover all possible horses, but in a system in
which the bets were never transmitted until after the fourth race (to save
bandwidth?).

The combination of proprietary code that cannot be inspected externally and
the insider being the IT security person should recall the corresponding
situation with proprietary election systems that can be hacked or rigged by
insiders.  [And then read Gene Wirchenko's next item!  PGN]


"Online voting is impossible to secure. So why are some governments using it?" (Porup)

Gene Wirchenko <genew@telus.net>
Thu, 03 May 2018 09:01:31 -0700
J.M. Porup, CSO, 2 May 2018
http://www.csoonline.com/article/3269297/security/online-voting-is-impossible-to-secure-so-why-are-some-governments-using-it.html

If you thought electronic voting machines were insecure, wait until you meet
online voting.

selected text:

A researcher at the University of Melbourne in Australia, Teague has twice
demonstrated massive security flaws in the online voting systems used in
state elections in Australia—including one of the largest deployments of
online voting ever, the 2015 New South Wales (NSW) state election, with
280,000 votes cast online.

The response? Official complaints about her efforts to university
administrators, and a determination by state election officials to keep
using online voting, despite ample empirical proof, she says, that these
systems are not secure.

While insecure voting machines have received most of the attention since the
2016 U.S. presidential election, states and municipalities continue to use,
even enthusiastically adopt, web-based online voting, including 31
states in the U.S., two provinces in Canada, and two states in Australia.
Wales in the UK is pushing hard for online voting. The country of Estonia
uses online voting for its national elections.

Security researchers point out flaws; election officials get angry and
ignore security issues that threaten the integrity of the voting
results. Teague's story repeats itself around the world.

The NSW state election of 2015 was so insecure that one seat in the upper
house of the state parliament may have been decided by hacked votes.  In
response to the scandal, the electoral commission went to great lengths to
avoid transparency regarding the security issues Teague and her team
reported, and only revealed the true nature of the problem under close
questioning in state parliament a year later.

Before the election, the state electoral commission told the Australian
Broadcasting Corporation (ABC) that "People's vote is completely secret...
It's fully encrypted and safeguarded, it can't be tampered with."  Yet it
took researchers only a few days to identify fatal flaws in the online
voting web application that could have easily been used to spy on and even
modify every single vote cast online, and to do so in an undetectable
manner.

The NSW electoral commission initially reported after the election that
there were no anomalies seen while using the online voting platform, but a
year later, under questioning in state parliament, admitted that there were,
in fact, significant anomalies reported by voters. More than 600 voters who
attempted to verify their votes using a rudimentary telephone-based system
were unable to do so—a 10 percent failure rate, enough to call into
question the voting result of the state election. "That to me is the bottom
line," Teague says. "The really important thing is that we didn't find out
the truth at the time."


Lightning Struck Her Home. Then Her Brain Implant Stopped Working (NY Times)

Richard M Stein <rmstein@ieee.org>
Fri, 04 May 2018 08:12:36 +0800
http://www.nytimes.com/2018/05/03/health/lightning-brain-implants.html


KRACK Wi-Fi vulnerability can expose medical devices, patient records (Charlie Osborne)

Gene Wirchenko <genew@telus.net>
Tue, 01 May 2018 09:38:02 -0700
Charlie Osborne for Zero Day, 1 May 2018
http://www.zdnet.com/article/krack-wi-fi-vulnerability-strikes-medical-devices/

selected text:

Medical devices produced by Becton, Dickinson and Company (BD) are
vulnerable to the infamous KRACK bug, potentially exposing patient records.
Discovered in October, KRACK, which stands for Key Reinstallation Attack,
exploits a flaw in the Wi-Fi Protected Access II (WPA2) protocol which is
used to secure modern wireless networks.

If exploited, KRACK gives threat actors the key required to join wireless
networks which would otherwise require a password for authentication.  Once
they have joined, they can snoop on network traffic, perform
Man-in-The-Middle (MiTM) attacks, hijack connections, and potentially send
out crafted, malicious network packets.

In a security bulletin, BD said that successful exploit in a select range of
products could also lead to patient record changes or exfiltration, as well
as major IT disruptions.
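The excerpt describes the impact but not the mechanism. What KRACK actually
does is trick a client into reinstalling an already-in-use key by replaying
message 3 of the WPA2 four-way handshake, which resets the packet-number
nonce; two frames then get the same keystream, and XORing their ciphertexts
cancels it out. The following is an added illustration, not code from the
ZDNet article or from BD: a toy client that models exactly that counter
reset, with a patched variant that refuses to reinstall a key already in
use. The keystream generator is an assumption (HMAC-SHA256 in counter mode
standing in for AES-CTR so the script needs only the standard library), and
the two frames are constructed sample data.

```python
import hashlib
import hmac


# Stand-in for AES-CTR keystream generation (assumption: HMAC-SHA256 in
# counter mode replaces AES so this runs with the standard library only).
# The property KRACK exploits holds for any deterministic PRF:
# same key + same nonce => same keystream.
def keystream(key: bytes, nonce: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Simplified Wi-Fi client: one pairwise key plus a packet-number nonce."""

    def __init__(self, patched: bool):
        self.ptk = None
        self.pn = 0
        self.patched = patched

    def install_key(self, ptk: bytes) -> bool:
        # Unpatched behaviour: every (re)transmitted handshake message 3
        # installs the key again and resets the packet number to zero.
        # The patched check refuses to reinstall a key already in use.
        if self.patched and self.ptk == ptk:
            return False
        self.ptk = ptk
        self.pn = 0
        return True

    def encrypt(self, plaintext: bytes):
        nonce = self.pn
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def krack_demo(patched: bool) -> dict:
    sta = Station(patched)
    # Toy PTK; a real one is derived from PMK, ANonce, SNonce and both MACs.
    ptk = hashlib.sha256(b"toy PTK derived from PMK|ANonce|SNonce").digest()
    sta.install_key(ptk)                         # handshake message 3 accepted
    p1 = b"GET /patients/4711/record HTTP/1.1"   # constructed sample frame
    n1, c1 = sta.encrypt(p1)
    sta.install_key(ptk)                         # attacker replays message 3
    p2 = b"PUT /patients/4711/orders HTTP/1.1"   # constructed sample frame
    n2, c2 = sta.encrypt(p2)
    return {"p1": p1, "p2": p2, "n1": n1, "n2": n2, "c1": c1, "c2": c2}


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    # With a reused keystream, c1 ^ c2 == p1 ^ p2, so a predictable p1
    # (a stock HTTP request line, say) reveals p2 without the key.
    return xor(xor(c1, c2), p1)


if __name__ == "__main__":
    for patched in (False, True):
        r = krack_demo(patched)
        print("patched" if patched else "vulnerable",
              "nonces:", r["n1"], r["n2"],
              "recovered:", recover_with_known_plaintext(r["c1"], r["c2"], r["p1"]))
```

Run unpatched, both frames carry packet number 0 and the second plaintext
falls out of the XOR; run patched, the second frame uses packet number 1 and
the same arithmetic yields garbage. This is also why the article's phrasing
about "the key required to join" is loose: the attacker never learns the
password or the PTK, it only forces nonce reuse under it.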


"A critical security flaw in popular industrial software put power plants at risk" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Wed, 02 May 2018 08:59:05 -0700
Zack Whittaker for Zero Day, 2 May 2018
The bug in the industrial control software could leave power and
manufacturing plants exposed.  A severe vulnerability in a widely used
industrial control software could have been used to disrupt and shut down
power plants and other critical infrastructure.
http://www.zdnet.com/article/critical-security-flaw-schneider-industrial-software-power-plants-vulnerabilty/


"Oracle Access Manager security bug so serious it let anyone access protected data" (Liam Tung)

Gene Wirchenko <genew@telus.net>
Thu, 03 May 2018 09:15:02 -0700
Liam Tung, ZDNet, 3 May 2018
The moral? Don't roll your own crypto, security researcher tells Oracle.
http://www.zdnet.com/article/oracle-access-manager-security-bug-so-serious-it-let-anyone-access-protected-data/

selected text:

A bug that Oracle recently patched broke the main functionality of Oracle
Access Manager (OAM), which should only give authorized users access to
protected enterprise data.

However, researchers at Austrian security firm SEC-Consult found a flaw in
OAM's cryptographic format that allowed them to create session tokens for
any user, which the attacker could use to impersonate any legitimate user
and access web apps that OAM should be protecting.

"What's more, the session cookie crafting process lets us create a session
cookie for an arbitrary username, thus allowing us to impersonate any user
known to the OAM."
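The quoted finding, that a session cookie can be crafted for an arbitrary
username, is the signature of a token format whose contents the server
trusts without a verifiable integrity check. The following is an added
illustration, not OAM's format and not SEC-Consult's code: a weak cookie that
is merely an encoding of its claims, next to one that carries an HMAC under
a key only the server holds, plus the attacker's move of keeping a genuine
tag and swapping the claims. The signing key and the claim layout are
assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side signing key; in practice it lives in a secrets store.
SERVER_KEY = b"example-server-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Weak format: the cookie is just an encoding of its claims. Anyone who
# learns the layout can mint one for any username; this is the class of
# failure described, not a reproduction of the OAM format itself.
def weak_mint(username: str) -> str:
    return _b64(json.dumps({"user": username}).encode())


def weak_verify(cookie: str) -> str:
    return json.loads(_unb64(cookie))["user"]


# Authenticated format: claims plus an HMAC-SHA256 tag under the server key.
def mint(username: str, key: bytes = SERVER_KEY, ttl: int = 3600, now=None) -> str:
    now = int(time.time()) if now is None else now
    claims = {"user": username, "exp": now + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(tag)


def verify(cookie: str, key: bytes = SERVER_KEY, now=None):
    """Return the username for a valid, unexpired cookie, else None."""
    now = int(time.time()) if now is None else now
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64(payload))     # decode only after the tag checks out
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("user")


def forge(cookie: str, username: str) -> str:
    """Attacker's move: keep the server's tag, swap the claims for another user."""
    _, _, tag = cookie.partition(".")
    claims = {"user": username, "exp": 2 ** 31}
    return _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + tag


if __name__ == "__main__":
    print("weak cookie for admin accepted as:", weak_verify(weak_mint("admin")))
    genuine = mint("alice")
    print("genuine:", verify(genuine), "forged:", verify(forge(genuine, "admin")))
```

The point of the contrast is the one the researcher makes to Oracle: the
hard part of a session token is not hiding the username but binding it to a
secret the client never sees, and that is what an off-the-shelf MAC (or an
AEAD, if the claims must also be confidential) gives you.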


How not to announce a loss of secure information (SMH)

Dave Horsfall <dave@horsfall.org>
Fri, 4 May 2018 11:08:29 +1000
The Commonwealth Bank of Australia, who are in enough trouble as it is with
major scandals, did not tell its customers that some "tapes" went missing on
their way to be destroyed.

http://www.smh.com.au/business/banking-and-finance/almost-20-million-bank-account-records-lost-by-commonwealth-bank-20180502-p4zd02.html

  “The tapes contained customer names, addresses, account numbers and
  transaction details from 19.8 million accounts spanning 2000 to early
  2016. They did not contain passwords, PINs or other data which could be
  used to enable account fraud, CBA said in a statement on Wednesday night
  after BuzzFeed broke the story.”

So, plenty of account numbers and transaction details etc, but we've got
nothing to worry about, right?  Perhaps they should be reading RISKS...

Dave Horsfall VK2KFU North Gosford NSW 2250 Australia


Why Silicon Valley can't fix itself (The Guardian)

Monty Solomon <monty@roscom.com>
Sat, 5 May 2018 11:04:01 -0400
Tech insiders have finally started admitting their mistakes—but the
solutions they are offering could just help the big players get even more
powerful.

http://www.theguardian.com/news/2018/may/03/why-silicon-valley-cant-fix-itself-tech-humanism


"Google Maps user? Beware attackers using URL-sharing to send you to shady sites" (Liam Tung)

Gene Wirchenko <genew@telus.net>
Wed, 02 May 2018 09:02:16 -0700
Liam Tung, ZDNet, 2 May 2018

The Google Maps URL-sharing feature allows scammers to send victims to any
site they choose.  Scammers are using the Google Maps URL-sharing feature to
direct victims not to Maps but any shady website the crooks want.  According
to security firm Sophos, scammers are taking advantage of the fact the URL
sharing feature in Google Maps isn't an official product and lacks a
mechanism to report scammy links.

That's unlike Google's soon-to-be retired URL shortener goo.gl, which can be
used to conceal links to malware or phishing sites, but also has a simple
way for recipients to report scam links.

http://www.zdnet.com/article/google-maps-user-beware-attackers-using-url-sharing-to-send-you-to-shady-sites/
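What the article describes is an open redirect: a parameter on a trusted
domain that forwards the browser wherever the parameter says. The following
is an added example, not Google's or Sophos's code, of how a redirect target
should be validated on the server side, with the kind of substring check
that lets these scams through shown alongside it. The allow-listed hosts are
an assumption standing in for whatever the real service would permit.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the service doing the redirect (not Google's real list).
ALLOWED_HOSTS = {"maps.google.com", "www.google.com"}


def naive_is_safe(url: str) -> bool:
    """The kind of check that lets an open redirect through: a substring test."""
    return "google.com" in url


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow only same-site relative paths or https URLs whose host is allow-listed."""
    if url != url.strip() or any(c in url for c in "\r\n\t\x00"):
        return False                      # header-injection / parser-confusion characters
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative path is fine, but "//host" and "/\host" are scheme-relative, not local.
        return url.startswith("/") and not url.startswith(("//", "/\\"))
    if parts.scheme.lower() != "https":
        return False                      # also rejects javascript:, data:, http:
    if parts.username is not None or parts.password is not None:
        return False                      # https://maps.google.com@evil.example
    if "\\" in parts.netloc or parts.hostname is None:
        return False
    return parts.hostname in allowed_hosts   # urlsplit already lower-cases hostname


if __name__ == "__main__":
    # Constructed sample targets, the kind a shared link might carry.
    for target in ("https://maps.google.com/maps?q=Sydney",
                   "https://evil.example/?ref=maps.google.com",
                   "https://maps.google.com@evil.example/",
                   "//evil.example/",
                   "javascript:alert(1)"):
        print(f"{target!r:50} naive={naive_is_safe(target)} strict={is_safe_redirect(target)}")
```

Everything the strict check rejects here is a real bypass of substring and
prefix checks: the trusted name in the query string, the trusted name as the
userinfo part before an "@", a scheme-relative "//" path, and a non-http
scheme. Matching the parsed hostname against an exact allowlist is the only
one of these tests that does not depend on how the attacker spells the URL.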


China's bungled drone display breaks world record (via BBC.com)

Richard M Stein <rmstein@ieee.org>
Thu, 03 May 2018 09:29:21 +0800
http://www.bbc.com/news/technology-43982522

Swarm intelligence is complicated to coordinate. "I believe everything
happens for a reason. Usually, the reason is that somebody screwed up."
(From Maxine—the Hallmark Shoebox card character on 23JUN2007). 


When a stranger takes your face, Facebook failed crackdown on fake accounts (WashPo)

Richard M Stein <rmstein@ieee.org>
Sat, 05 May 2018 00:54:41 +0000
https://www.washingtonpost.com/business/economy/when-a-stranger-takes-your-face-facebooks-failed-crackdown-on-fake-accounts/2018/05/04/d3318838-4f1a-11e8-af46-b1d6dc0d9bfe_story.html?noredirect=on&utm_term=.fc1e7548ed66

Perhaps a biometric supplement would boost authentication accuracy?

Would be good to learn Facebook user profile photo match rate against the
FBI's NCIC to test hit/miss rate. How many convicted felons or fugitives use
Facebook? Given this information, update T&Cs to hedge against
authentication theft.


The Era of Fake Video Begins (Franklin Foer)

geoff goodfellow <geoff@iconia.com>
Sun, 29 Apr 2018 23:41:00 +0000
Franklin Foer, *The Atlantic*, May 2018 Issue
The digital manipulation of video may make the current era of fake news seem
quaint.
http://www.theatlantic.com/magazine/archive/2018/05/realitys-end/556877/

EXCERPT:

In a dank corner of the Internet, it is possible to find actresses from Game
of Thrones or Harry Potter engaged in all manner of sex acts. Or at least to
the world the carnal figures look like those actresses, and the faces in the
videos are indeed their own. Everything south of the neck, however, belongs
to different women. An artificial intelligence has almost seamlessly
stitched the familiar visages into pornographic scenes, one face swapped for
another. The genre is one of the cruelest, most invasive forms of identity
theft invented in the Internet era. At the core of the cruelty is the acuity
of the technology: A casual observer can't easily detect the hoax.

This development, which has been the subject of much hand-wringing in the
tech press, is the work of a programmer who goes by the nom de hack
*deepfakes*.  And it is merely a beta version of a much more ambitious
project.  One of deepfakes' compatriots told Vice's Motherboard site in
January that he intends to democratize this work. He wants to refine the
process, further automating it, which would allow anyone to transpose the
disembodied head of a crush or an ex or a co-worker into an extant
pornographic clip with just a few simple steps. No technical knowledge would
be required. And because academic and commercial labs are developing even
more-sophisticated tools for non-pornographic purposes—algorithms that
map facial expressions and mimic voices with precision—the sordid fakes
will soon acquire even greater verisimilitude.  The Internet has always
contained the seeds of postmodern hell. Mass manipulation, from clickbait to
Russian bots to the addictive trickery that governs Facebook's News Feed, is
the currency of the medium. It has always been a place where identity is
terrifyingly slippery, where anonymity breeds coarseness and confusion,
where crooks can filch the very contours of selfhood. In this respect, the
rise of deepfakes is the culmination of the Internet's history to date --
and probably only a low-grade version of what's to come.


Souped-up smartphones, robots to help police fight crime more effectively (Straits Times)

Richard M Stein <rmstein@ieee.org>
Thu, 03 May 2018 17:19:08 +0800
http://www.straitstimes.com/singapore/souped-up-smartphones-robots-to-help-police-fight-crime-more-effectively

  "New technology unveiled on Thursday (May 3) will make it easier for the
  police to fight crime and enforce the law.

  "Souped-up smartphones will allow officers to respond faster and more
  effectively to incidents, as well as call up key information on a
  case. Robots on patrol can aid in the detection of suspicious activities,
  and handheld scanners will make it easier to take real- time 3D scans of
  crime scenes to aid in crime solving."

The article has several photos (showing 3 unique autonomous patrol unit
configurations) and lists the autonomous patrol unit's h/w specification.


"GitHub says bug exposed some plaintext passwords" (ZDNet)

Gene Wirchenko <genew@telus.net>
Wed, 02 May 2018 08:55:33 -0700
http://www.zdnet.com/article/github-says-bug-exposed-account-passwords/

Zack Whittaker for Zero Day, 1 May 2018
A small but unspecified number of GitHub staff could have seen plaintext
passwords.  GitHub has said a bug exposed some user passwords—in
plaintext.


"Gaming: The System" (NY Times)

Richard M Stein <rmstein@ieee.org>
Mon, 30 Apr 2018 09:57:26 +0800
https://www.nytimes.com/2018/04/28/opinion/sunday/gaming-the-system.html

  “My gamified life may be nutty and sad, but it doesn't hurt anyone.  At
  least that's what I thought until a few months ago, when my new car
  insurance company, Liberty Mutual, invited me to join a program its
  website describes this way: Using a small device that observes your
  driving habits, we'll notice the safe choices you're making on the road
  and reward you for them.  The company promised a rate reduction of at
  least 5 percent and up to 30 percent, based on driving performance over a
  three-month period. Best of all, an app would let me track the size of my
  discount in real time.”

Technology gamifies our lives as consumers—a dopamine burst sustains
product interest boosted by a loyalty discount, while data capture
algorithms gleefully score your profile. Several economics Nobel prizes
attest to reward incentive influence on consumer behavior.  Is gamification
deployed by social media bots that promote political candidates?  Is
gamification deployed by industries opposing environmental or health
legislation?  Has gamification emerged as a new public health threat
exploiting the brain's addiction channel?

See RISKS-29.21 for the first mention of 'gamification' in comp.risks: "The
brain-imaging experiment showed how the students concentrated and learned
better when studying was part of a game."


France seizes France.com from man who's had it since 1994, so he sues (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Mon, 30 Apr 2018 00:38:06 -0400
http://arstechnica.com/tech-policy/2018/04/france-seizes-france-com-from-man-whos-had-it-since-94-so-he-sues/

Nice domain you have there. Would be a shame if anything happened to it...


Transparent Eel-Like Soft Robot Can Swim Silently Underwater

ACM TechNews <technews-editor@acm.org>
Wed, 2 May 2018 12:31:36 -0400
University of California, San Diego (04/24/18) Ioana Patringenaru
via ACM TechNews, Wednesday, 2 May 2018

Researchers at the University of California, San Diego and the University of
California, Berkeley have created a nearly-transparent eel-like robot that
can swim silently in salt water using artificial muscles. Critical to the
new technology is the use of the salt water in which the robot swims, to
generate the electrical forces that propel it. The robot delivers negative
charges to the water just outside itself, and positive charges inside the
robot to trigger its muscles to bend, creating the robot's swimming motion.
The charges carry very little current, making them safe for marine life. The
technology is an important step toward a future when soft robots can swim in
the ocean alongside fish and invertebrates without harming them, the
researchers say.

http://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1b1b0x215c58x070332%26

  [The technology is fascinating, with lots of opportunities here.  Risks?
  Sharks might devour but not digest the robots, heat-sensing creatures
  might cuddle up to them, or even befriend them, or redirect robots that
  are stealthy torpedoes to another target!  PGN]


He Drove a Tesla on Autopilot From the Passenger Seat. The Court Was Not Amused. (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 29 Apr 2018 17:31:40 -0400
http://www.nytimes.com/2018/04/29/world/europe/uk-autopilot-driver-no-hands.html

The British man was barred from driving for 18 months after being videotaped
sitting with his hands behind his head, cruising at 40 miles per hour in
*heavy* traffic.


Is My Not-So-Smart House Watching Me? (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 29 Apr 2018 17:32:05 -0400
http://www.nytimes.com/2018/04/27/realestate/is-my-not-so-smart-house-watching-me.html

Smart-house technology has made it easier to turn on the lights and set the
thermostat, but sometimes objects go rogue.


Following the Trail of Online Ads, Wherever It Leads (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 29 Apr 2018 17:32:55 -0400
http://www.nytimes.com/2018/04/18/technology/personaltech/online-advertising-tracking.html

Sapna Maheshwari, who covers advertising for The Times, discusses how she
tracks the online ads that track us.


Criminals Used Flying Robots to Disrupt FBI Hostage Operation (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Fri, 4 May 2018 23:50:14 -0400
Criminals have discovered another use for drones—to distract and spy on
law enforcement.

They recently tried to thwart an FBI hostage rescue, Joe Mazel, chief of the
FBI's operational technology law unit, said this week, according to a report
by news site Defense One.

Mazel, speaking at the AUVSI Xponential drone conference in Denver, said
that criminals launched a swarm of drones at an FBI rescue team during an
unspecified hostage situation near a large U.S. city, confusing law
enforcement. The criminals flew the drones at high speed over the heads of
FBI agents to drive them away while also shooting video that they then
uploaded to YouTube as a way to alert other nearby criminal members about
law enforcement's location.

http://fortune.com/2018/05/04/drone-fbi-hostage-criminals/


Facebook's dating service is a chance to meet the catfisher, advertiser, or scammer of your dreams (WashPo)

Lauren Weinstein <lauren@vortex.com>
Thu, 3 May 2018 19:44:28 -0700
via NNSquad

http://www.washingtonpost.com/news/the-switch/wp/2018/05/03/facebooks-dating-service-is-a-chance-to-meet-the-catfisher-advertiser-or-scammer-of-your-dreams/

  The love-seeking singles of Facebook's new dating service, privacy experts
  say, may not be prepared for what they'll encounter: sham profiles,
  expanded data gathering and a new wave of dating fraud.  Facebook—under
  fire for viral misinformation, fake accounts and breaches of tr[sic]


Blockchain Will Be Theirs, Russian Spy Boasted at Conference (Nathaniel Popper)

geoff goodfellow <geoff@iconia.com>
Sun, 29 Apr 2018 17:02:35 -1000
Nathaniel Popper, The New York Times, 29 Apr 2018

http://www.nytimes.com/2018/04/29/technology/blockchain-iso-russian-spies.html

EXCERPT:

Russian interest in the technology surrounding virtual currencies, like in
this crypto-mining operation in Moscow, is growing. Last year, employees of
Russia's spy agency attended a meeting where international standards for the
so-called blockchain were discussed. Andrey Rudakov/Bloomberg

SAN FRANCISCO—Last year, representatives of 25 countries met in Tokyo to
work on setting international standards for the blockchain, the technology
that was introduced by the virtual currency Bitcoin and has ignited intense
interest in corporate and government circles.

Some of the technologists at the meeting of the International Standards
Organization were surprised when they learned that the head of the Russian
delegation, Grigory Marshalko, worked for the FSB, the intelligence agency
that is the successor to the KGB.

They were even more surprised when they asked the FSB agent why the Russians
were devoting such resources to the blockchain standards.

“Look, the Internet belongs to the Americans—but blockchain will belong
to us,” he said, according to one delegate who was there. The Russian added
that two other members of his country's four-person delegation to the
conference also worked for the FSB.

Another delegate who had a separate conversation with the head of the
Russian group remembers a slightly different wording: “The Internet
belonged to America. The blockchain will belong to the Russians.”

Both of the delegates who recounted their conversations did so on the
condition of anonymity, because discussions at the International Standards
Organization are supposed to be confidential.  Neither the Russian
organizations overseeing the delegation to the ISO nor the Russian delegates
responded to requests for comment.


Blockchain is not only crappy technology but a bad vision for the future (Kai Stinchcombe)

"Dave Farber" <farber@gmail.com>
Sat, 5 May 2018 09:22:23 -0400
Kai Stinchcombe, Medium, 5 Apr 2018 [Via Dave's IP distribution]
http://medium.com/@kaistinchcombe/decentralized-and-trustless-crypto-paradise-is-actually-a-medieval-hellhole-c1ca122efdec

Blockchain is not only crappy technology but a bad vision for the future.
Its failure to achieve adoption to date is because systems built on trust,
norms, and institutions inherently function better than the type of
no-need-for-trusted-parties systems blockchain envisions. That's permanent:
no matter how much blockchain improves it is still headed in the wrong
direction.

This December I wrote a widely-circulated article on the inapplicability of
blockchain to any actual problem. People objected mostly not to the
technology argument, but rather hoped that decentralization could produce
integrity. [...]


Blockchain is not only crappy technology but a bad vision for the future (Re: Stinchcombe)

"John Levine" <johnl@iecc.com>
May 5, 2018 at 1:49:22 PM EDT
Bitcoins remind me of a story from the late chair of the Princeton U.
astronomy department.  In 1950 Immanuel Velikovsky published "Worlds in
Collision", a controversial best selling book that claimed that 3500 years
ago Venus and Mars swooped near the earth, causing catastrophes that were
passed down in religions and mythologies.

The astronomer was talking to an anthropologist at a party and the book came
up.

"The astronomy is nonsense," said the astronomer, "but the anthropology is
really interesting."

"Funny," replied the anthropologist, "I was going to say almost the same
thing."

Bitcoin and blockchains lash together an unusual distributed database with a
libertarian economic model.  People who understand databases realize that
blockchains only work as long as there are incentives to keep a sufficient
number of non-colluding miners active, preventing collusion is probably
impossible, and that scaling blockchains up to handle an interesting
transaction rate is very hard, but that no-government money is really
interesting.

People who understand economics and particularly economic history understand
why central banks manage their currencies, thin markets like the ones for
cryptocurrencies are easy to corrupt, and a payment system needs a way to
undo bogus payments, but that free permanent database ledger is really
interesting.

Not surprisingly, the most enthusiastic bitcoin and blockchain proponents
are the ones who understand neither databases nor economics.


Keeping your *Twitter* account secure

Gabe Goldberg <gabe@gabegold.com>
Thu, 3 May 2018 22:56:28 -0400
Or not.

http://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

When you set a password for your Twitter account, we use technology that
masks it so no one at the company can see it.  We recently identified a bug
that stored passwords unmasked in an internal log.  We have fixed the bug,
and our investigation shows no indication of breach or misuse by anyone.
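Twitter's note and the GitHub item earlier in this issue describe the same
failure: the credential was hashed for storage but written in the clear to
an internal log somewhere upstream of the hashing. The usual structural
defence is to scrub secrets at the logging layer rather than trust every
call site to remember. The following is an added example, not Twitter's or
GitHub's code, of a redacting filter for Python's standard logging module,
run over three constructed request lines of the kind an access log might
carry; the key names it recognises are an assumed starting list.

```python
import io
import logging
import re

# Assumed list of parameter / claim names that must never reach a log.
SECRET_KEYS = ("password", "passwd", "pwd", "token", "secret", "client_secret")
_KEYS = "|".join(SECRET_KEYS)
# key=value in query strings and form bodies; stops at '&', whitespace or a quote.
_FORM_RE = re.compile(rf"(?i)\b({_KEYS})=([^&\s\"']*)")
# "key": "value" in JSON bodies, tolerating escaped quotes inside the value.
_JSON_RE = re.compile(rf'(?i)("({_KEYS})"\s*:\s*")((?:[^"\\]|\\.)*)(")')
# HTTP Authorization credentials.
_AUTH_RE = re.compile(r"(?i)\b(Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+")


def scrub(text: str) -> str:
    """Replace secret values in a log message, keeping the field names for debugging."""
    text = _FORM_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    text = _JSON_RE.sub(lambda m: f"{m.group(1)}[REDACTED]{m.group(4)}", text)
    text = _AUTH_RE.sub(lambda m: f"{m.group(1)} [REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Attached to a handler, scrubs the fully formatted message before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())   # interpolate args, then scrub the result
        record.args = ()
        return True


def log_request(request_line: str, redact: bool = True) -> str:
    """Log one request line to an in-memory handler and return what was written."""
    buf = io.StringIO()
    logger = logging.Logger("access")              # fresh logger, not the global registry
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redact:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.info("request %s", request_line)
    return buf.getvalue().strip()


# Constructed sample lines; none of these values is real.
SAMPLE_LINES = [
    'POST /session body="login=alice&password=hunter2&commit=Sign+in"',
    'POST /api/login {"user": "bob", "password": "p@ss\\"w0rd"}',
    "GET /api/v3/user Authorization: Bearer ghp_abc123DEF456",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(log_request(line, redact=False))
        print(log_request(line))
```

Two design points worth noting: the filter sits on the handler, so it
catches every logger that routes through it, including third-party code;
and it scrubs after argument interpolation, because a secret that arrives
as a `%s` argument is invisible to a filter that only inspects `record.msg`.
A filter like this is a backstop for the case these two incidents show, not a
substitute for not passing the raw credential around in the first place.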


Against Trendism: how to defang the social media disinformation complex (Medium)

John Ohno <john.ohno@gmail.com>
Fri, 04 May 2018 14:15:59 +0000
http://medium.com/@enkiv2/against-trendism-how-to-defang-the-social-media-disinformation-complex-81a8e2635956

There's an essential mistake that almost every social media platform makes
-- one inherited from marketing (where it makes some sense), and one that is
mostly unexamined and unaccounted-for even in otherwise fairly
socially-conscious projects like Mastodon and Diaspora. In almost every one
of these systems, incentives exist that confuse popularity with value.

I call this *trendism*—the belief that an already-trending topic deserves
to be promoted.

In marketing, because the piece of information being spread is intended to
sell a product, the spread of that information is, in fact, theoretically
proportional to its value. In social media, the information being spread is
not a piece of advertising, and while most of these systems have revenue
models based on advertising, that advertising is generated on the fly based
on the viewer's browsing history and has nothing to do with the content of
the piece of information being spread.

The thing is, ideas travel in packs. When we encounter one idea, we tend to
see its nearest neighbours also. When we find out something new, our friends
hear about it too. So, trending posts are rarely surprising: by the very
nature of their popularity, they are already familiar in their essence to
most of the people who are directed toward them.

The information content of a message, in Claude Shannon's formulation, is
proportional to its deviation from expectation—information is surprise.
Kolgorov's [Kolmogorov? PGN] formulation is similar: information content
proportional to the smallest possible message that could say the same thing
(which, of course, includes references to earlier messages or prior
knowledge as a possible tactic).

In other words, from an information-theoretic perspective, a post that only
tells you things you already know is worthless. Yet, trending content is
almost always composed solely of things the viewer has already seen.

There's one piece of information that a copy of a viral post actually has --
the association between the content of the post and the person posting it.
We share posts we've already seen as a way of expressing our identity, both
personally and within a group. That is the only form of information valued
by trending-oriented systems: tribal affiliation.

If we want to force our social media platforms into information-rich
environments and lower the amount of tribal rivalry we are exposed to, there
are a couple general-purpose solutions, and they all come down to
kneecapping the machinery of trendism.

  1. Rather than block political content (only one kind of tribalist
  content, and one that is at least theoretically grounded in genuine
  philosophical differences about the ideal shape of the world, rather than
  geography or social groups), we should block all shared content. Remove
  retweets and shares from your feed entirely. Most of them are things you
  have already seen, and most of the rest don't contain meaningful or useful
  information.

  2. Emotionally-manipulative posts get the most engagement, and are
  therefore ranked higher in feeds. (I don't want to be emotionally
  manipulated. Do you?)* To defeat this ranking, force your feed to
  reverse-chronological order. To filter out emotionally-manipulative posts,
  filter out anything with more than a set number of interactions.

  3. Avoid being part of the problem. Before sharing, determine: is the
  information true? Is it new? Is it playing mostly on my emotions? If
  possible, delay your sharing for a long period of time—read an article,
  and then wait a few hours, or even a few days, before deciding whether or
  not it is of sufficient quality to actually re-post.

  4. Identify when you are being drawn into heated arguments, and ignore
  them. In the heat of the moment, you're not actually making good points
  anyhow, and you're more likely to misunderstand or misrepresent your
  opponent. The suggestions from #3 apply here too for comments—make sure
  your comments are accurate, informative, and cool, even if that means
  waiting several days to respond. Never let the system rush you.

  5. Visible metrics gamify trendism. Remove them.

Most social media platforms don't make it easy to follow this advice.
Mastodon is closest—it hides metrics from the timeline by default,
supports only reverse-chronological post ordering, and allows you to filter
all boosts from your timeline. For everything else, you will need to use
browser extensions.

Facebook Demetricator ... and Twitter Demetricator  [...]
  [Truncated for RISKS.  PGN]


Letter to *Consumer Reports* responding to June article about connected cars.

Gabe Goldberg <gabe@gabegold.com>
Sat, 5 May 2018 10:58:12 -0400
Your otherwise-excellent article on data-hoovering connected cars doesn't
mention the downside of manufacturers being able to update automobile
software: risking bad updates and (worse) hackers abusing update
mechanisms. Anyone who's endured PC/phone/tablet problems with vendor
patches—even had devices "bricked" (made useless)—should be terrified
of car updates made without owner permission. And everyone aware of today's
hacking environment should refuse to purchase anything without understanding
and consenting to its update mechanism.
