The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 82

Tuesday 4 September 2018

Contents

Five Eyes' governments call on tech giants to build encryption backdoors—or else
TechCrunch
The Untold Story of NotPetya, the Most Devastating Cyberattack in History
WiReD
Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers
NYTimes
US accuses China of 'super aggressive' spy campaign on LinkedIn
CNBC
E.U. Will Let Countries Decide Whether to Use Daylight Saving
NYTimes
How FireEye Helped Facebook Spot a Disinformation Campaign
NYTimes
Europe Worries as Facebook Fights Manipulation Worldwide
NYTimes
Hackers Stole Personal Data of 2 Million T-Mobile Customers
Motherboard
Facebook Bans Quiz App That Captured Data of Four Million Users
WSJ
White House "looking at" whether to regulate Google search
CBS
Didi Chuxing suspends Hitch service after passenger murder
ZDnet
U.S. students need a cellphone detox
WashPo
A disturbing photo and a leaky can of pepper spray ruined this flight to Hawaii
CNN
Linux Kernel Developer Criticizes Intel's Meltdown Disclosure
E-Week
3-D Printed Gun Plans Must Stay Off Internet for Now, Judge Rules
NYTimes
Racist Robocalls Target Andrew Gillum, Democratic Nominee for Florida Governor
NYTimes
Groundbreaking algorithm to share data without breaching privacy
AE
Electric shock collars for pets to be banned
bbc.com
How do you get people to trust autonomous vehicles? This company is giving them virtual eyes.
WashPo
U.S. regulation of auto technologies
Car and Driver
Franken-algorithms: the deadly consequences of unpredictable code
TheGuardian.com
Re: Self-driving cars need to learn how humans drive
Amos Shapir
Re: Self driving cars
Dick Mills
Comment on Improved keyless entry system could replace car key fob with iPhone
JC Cantrell
Re: Yet another squirrel incident
Dan Jacobson
Re: SwissPost invites you to hack a developing online voting system
John Levine
Re: Caring for Aging Parents, With an Eye on the Broker Handling Their Savings
John Levine
Re: Comments on RISKS-30.79
David E. Ross
Re: What3words: putting geographical addresses behind a closed API
Amos Shapir
Info on RISKS (comp.risks)

Five Eyes' governments call on tech giants to build encryption backdoors—or else (TechCrunch)

geoff goodfellow <geoff@iconia.com>
Mon, 3 Sep 2018 13:18:58 -1000
https://techcrunch.com/2018/09/03/five-eyes-governments-call-on-tech-giants-to-build-encryption-backdoors-or-else/

  [This one seems weird to me.  The Five Eyes group is usually with national
  security, not with law enforcement.  LE is the primary advocate for
  backdoors.  Everyone else seems to understand the potentially disastrous
  nature of backdoors.  PGN]


The Untold Story of NotPetya, the Most Devastating Cyberattack in History (WiReD)

Monty Solomon <monty@roscom.com>
Sun, 2 Sep 2018 00:31:48 -0400
Crippled ports. Paralyzed corporations. Frozen government agencies. How a
single piece of code crashed the world.

https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/


Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 1 Sep 2018 12:13:48 -0400
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

Doctors and scientists say microwave strikes may have caused sonic delusions
and very real brain damage among embassy staff and family members.


US accuses China of 'super aggressive' spy campaign on LinkedIn (CNBC)

Monty Solomon <monty@roscom.com>
Sat, 1 Sep 2018 12:06:59 -0400
https://www.cnbc.com/2018/09/01/us-accuses-china-of-super-aggressive-spy-campaign-on-linkedin.html


E.U. Will Let Countries Decide Whether to Use Daylight Saving (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Sat, 1 Sep 2018 00:26:07 -0400
https://www.nytimes.com/2018/08/31/world/europe/eu-daylight-saving.html

Computers, networks, train schedules—won't physical/virtual border
crossings be fun.


How FireEye Helped Facebook Spot a Disinformation Campaign (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 28 Aug 2018 02:39:41 -0400
https://www.nytimes.com/2018/08/23/technology/fireeye-facebook-disinformation.html

The cybersecurity company has shifted its attention to detecting
disinformation and uncovering social media campaigns intended to influence
politics.


Europe Worries as Facebook Fights Manipulation Worldwide (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 28 Aug 2018 02:41:57 -0400
https://www.nytimes.com/2018/08/22/business/facebook-russia-iran-britain.html

The social network's disclosure of a new misinformation effort shows
manipulation of its platform isn't a phenomenon limited only to Americans.


Hackers Stole Personal Data of 2 Million T-Mobile Customers (Motherboard)

Monty Solomon <monty@roscom.com>
Mon, 3 Sep 2018 18:29:34 -0400
https://motherboard.vice.com/en_us/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data


Facebook Bans Quiz App That Captured Data of Four Million Users (WSJ)

Monty Solomon <monty@roscom.com>
Sun, 26 Aug 2018 14:24:49 -0400
Facebook Inc. on Wednesday banned from its platform a quiz app that could
have exposed the data of up to four million users, after the developers
declined to be audited by the social-media giant as part of its effort to
track down potential abuses.

Facebook said it banned the app, called myPersonality, "for failing to agree
to our request to audit and because it is clear that they shared information
with researchers as well as companies with only limited protections in
place."

https://www.wsj.com/articles/facebook-bans-quiz-app-that-captured-data-of-four-million-users-1534992464


White House "looking at" whether to regulate Google search (CBS)

Rob Slade <rmslade@shaw.ca>
Tue, 28 Aug 2018 17:55:47 -0700
These days you want to be careful about dumping more gas on any
Trump/anti-Trump threads.  But that leads to chilling of discussion, which seems as
dangerous as this is ...

https://www.cbsnews.com/news/trump-news-on-google-is-rigged-against-him/

  The Trump administration is considering imposing regulations on Google and
  its search service, White House chief economic adviser Larry Kudlow said
  Tuesday. His comments follow President Donald Trump's complaints that the
  search giant "rigged" its search results to show negative news stories
  about him.

Trump original tweets:
https://twitter.com/realDonaldTrump/status/1034456273306243076


Didi Chuxing suspends Hitch service after passenger murder (ZDnet)

Gene Wirchenko <genew@telus.net>
Tue, 28 Aug 2018 15:52:00 -0700
https://www.zdnet.com/article/didi-chuxing-suspends-hitch-service-after-passenger-murder/

Jonathan Chadwick, ZDnet, 27 Aug 2018
Didi Chuxing has announced that it is suspending its Hitch ride-sharing
service, a day after police said a female user of the service was raped and
killed by her driver on Friday in Wenzhou, China.


U.S. students need a cellphone detox (WashPo)

Richard Stein <rmstein@ieee.org>
Sat, 1 Sep 2018 12:57:30 -0700
https://www.washingtonpost.com/opinions/us-students-need-a-cellphone-detox/2018/08/31/06d45faa-a644-11e8-b76b-d513a40042f6_story.html

French students are about to get a much-needed detox from their cellphones
now that the government has banned them during school for kids 15 and under.
When will our educational system follow France's lead?

Sadly, most schools in the United States are turning a blind eye to a
looming public health crisis. What are we waiting for? A tragedy? Ten years
of data? A lost generation? Not on my watch. These are my children, their
peers and their friends. As a parent, I will not allow them to be guinea
pigs or data points. We have to do something.


A disturbing photo and a leaky can of pepper spray ruined this flight to Hawaii (CNN)

Monty Solomon <monty@roscom.com>
Sat, 1 Sep 2018 11:08:04 -0400
It was found that the girl was just trying to airdrop the photo to her mom,
Kelly said, but because she airdropped using bluetooth, people in range of
her phone had the option of accepting and viewing the photo. ...

https://www.cnn.com/2018/09/01/us/hawaiian-airlines-unlucky-flight-trnd/index.html


Linux Kernel Developer Criticizes Intel's Meltdown Disclosure (E-Week)

Gabe Goldberg <gabe@gabegold.com>
Fri, 31 Aug 2018 16:57:55 -0400
http://www.eweek.com/security/linux-kernel-developer-criticizes-intel-for-meltdown-spectre-response


3-D Printed Gun Plans Must Stay Off Internet for Now, Judge Rules (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 28 Aug 2018 02:45:05 -0400
https://www.nytimes.com/2018/08/27/business/3-d-printed-gun-cody-wilson.html

A federal judge, in approving a preliminary injunction sought by states,
cited the potential harm caused "if the existing restrictions are
withdrawn."


Racist Robocalls Target Andrew Gillum, Democratic Nominee for Florida Governor (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 1 Sep 2018 11:31:08 -0400
The calls, tied to a white supremacist entity, came days after Mr. Gillum
became the first black person nominated by a major party to be governor of
Florida.

https://www.nytimes.com/2018/09/01/us/racist-robocall-andrew-gillum.html


Groundbreaking algorithm to share data without breaching privacy (AE)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 29 Aug 2018 14:42:46 PDT
https://www.thenational.ae/uae/science/emirati-researcher-develops-groundbreaking-algorithm-to-share-data-without-breaching-privacy-1.763024


Electric shock collars for pets to be banned (bbc.com)

Richard Stein <rmstein@ieee.org>
Mon, 27 Aug 2018 08:53:09 -0700
https://www.bbc.co.uk/news/uk-england-45320038

Good thing our pets aren't in charge!

  [Why?  Because they might suggest shock collars for `charging' their
  humans?  Semper fi-do.  PGN]


How do you get people to trust autonomous vehicles? This company is giving them virtual eyes. (WashPo)

Richard Stein <rmstein@ieee.org>
Thu, 30 Aug 2018 15:52:52 -0700
https://www.washingtonpost.com/technology/2018/08/29/how-do-you-get-people-trust-autonomous-vehicles-this-company-is-giving-them-virtual-eyes/%3Futm_term%3D.06df42bc1da5

Trust, by definition, is the firm reliance on the integrity, ability, or
character of a person or thing.

Human-driven vehicles, based on 2016 statistics, are known to cause ~37K
fatalities/year, a fatality rate of 1.18 per 100 million vehicle miles
traveled. This finding indicates misplaced trust in their safety, and a high
dependence that is not easily severed despite the risk.
  <https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812554>

When silicon-driven vehicles equivalence or over-achieve (meaning greater
than 1.18) this fatality rate, then public trust will have reached a
justifiable tipping point favoring autonomous vehicles. Until this
demonstration, blind trust in a virtually eyed vehicle is a non sequitur.


U.S. regulation of auto technologies (Car and Driver)

George Sherwood <sherwood@transedge.com>
Mon, 27 Aug 2018 13:18:27 -0400
The September 2018 issue asks and answers 20 questions for 2019. Here's
question 10: What sorts of good technologies are we missing out on because
of our plodding governmental bureaucracy?

"Laser and adaptive-beam headlights that precisely brighten areas in the
driver's view are rolling out on luxury vehicles across Europe, but they're
illegal or dimmed down in the U.S. due to government regulations crafted in
the sealed-beam, Scotch-at-the-office era.

"[T]he latest safety innovations—automated vehicles and semiautomated
driver-assist features—aren't blocked at all. Instead, the government is
allowing companies to flood our cars with unchecked software without a
national standard or oversight.

"In 2017, lawmakers in both the U.S. House of Representatives and the Senate
introduced legislation that would allow each automaker to exempt tens of
thousands of Level 3, 4, and 5 automated vehicles from Federal Motor Vehicle
Safety Standards that have been in place since 1966. Some states require
manufacturers to obtain permits to test driverless vehicles on public roads,
but others [forgo, not forego] these restrictions altogether. [E]ven
automakers like Toyota admit there's been 'some irrational exuberance'
toward the capability of current automation systems. [T]he auto industry's
attitude toward safety has historically prioritized cost savings over people
(see Ford's infamous Pinto memo suggesting that settling with the victims of
fiery crashes would be cheaper than fixing the affected cars). In this case,
some more plodding from our bureaucrats might be a good thing."


Franken-algorithms: the deadly consequences of unpredictable code (TheGuardian.com)

Richard Stein <rmstein@ieee.org>
Sat, 1 Sep 2018 12:49:43 -0700
https://www.theguardian.com/technology/2018/aug/29/coding-algorithms-frankenalgos-program-danger

"The death of a woman hit by a self-driving car highlights an unfolding
technological crisis, as code piled on code creates 'a universe no one fully
understands.'"

Maintenance consumes more than 80% of software life cycle expense.
Long-term investment is required to sustain viable stack publication
capability.

Institutional memory and knowledge transition, defect history, release life
cycle maturity and discipline, test assets (plans, cases, infrastructure,
etc.), user/design/requirement documentation, and configuration management
consistency/traceability influence stack maintenance.

Maintenance challenges accrue as changes (defect repair or feature
introduction) are introduced and release history evolves, complicated by
staff and management turnover.  A "SMOP"—small matter of programming—
evolves into an oxymoron.


Re: Self-driving cars need to learn how humans drive (RISKS-30.81)

Amos Shapir <amos083@gmail.com>
Mon, 27 Aug 2018 14:39:15 +0300
There is a problem designing a system to cope with human drivers, when all
data is gathered by watching *American* humans.  Let's see how the system
copes with Israeli drivers!  (Or Indian, Italian, Hungarian, etc...)


Re: Self driving cars (RISKS-30.81)

Dick Mills <dickandlibbymills@gmail.com>
Tue, 28 Aug 2018 10:20:29 -0400
You didn't mention the most urgent of all distractions (although slightly
dated).  Dropping a lit cigarette that rolls down the seat ending up under
the crotch of your pants.  Not only is it urgent, it is devilishly difficult
to remedy.  If you lift your butt to avoid being burned, it rolls further.


Comment on Improved keyless entry system could replace car key fob with iPhone (Goldberg, RISKS-30.81)

JC Cantrell <cantrellengineering@gmail.com>
Fri, 31 Aug 2018 15:29:54 -0700
Gabe ends with:
"It currently takes *three* different thieves to pull this off, but thanks
to technological progress that will soon be accomplished by just one."

Great, another case of robots stealing jobs from humans!


Re: Yet another squirrel incident (Wirchenko, RISKS-30.81)

Dan Jacobson <jidanni@jidanni.org>
Sat, 01 Sep 2018 07:41:35 +0800
Here in Taiwan electricity and phone lines are on separate poles.  That way
they don't go down at the same time.

(But instead a half-hour later here, when a bird (not cable thieves this
time) caused a short on pole #8-2, and then cell tower #6627's backup
batteries ran out.)


Re: SwissPost invites you to hack a developing online voting system (RISKS-30.81)

John Levine <johnl@iecc.com>
Sat, 25 Aug 2018 21:27:13 -0400
Do we still have to remind people why hacking challenges are a bad idea?

If their security is really bad, I suppose it's possible someone might crack
it and tell them, along the lines of the recent note about the teenager who
found a hole and deleted the entire vote database.

If nobody cracks it, all that means is that nobody has admitted to cracking
it.  Maybe it's secure, maybe someone broke in and didn't tell them, maybe
nobody broke in but it'll get more serious attention if it's used for close
elections.


Re: Caring for Aging Parents, With an Eye on the Broker Handling Their Savings. (RISKS-30.81)

John Levine <johnl@iecc.com>
Sat, 25 Aug 2018 21:42:01 -0400
This is a problem but it's hardly a high tech issue.  Account churning has
been a problem ever since there were brokers and commissions.  CFR §
240.15c1-7 makes it illegal and was last updated in 1976, but I think it
dates from the Securities Act of 1934 which created the SEC.


Re: Comments on RISKS-30.79 (Drewe, RISKS-30.81)

"David E. Ross" <david@rossde.com>
Sat, 25 Aug 2018 19:40:28 -0700
Almost 16 years ago, my daughter registered the personal domain rossde.com
for me as a gift.  Since then, I have changed E-mail hosts twice without
having to notify anyone of the change.  Each time, all I had to do was
subscribe to the hosting service, prepay the initial subscription fee, and
request the service to have the DNS routing changed.

Renewing that domain now costs US$10.95 per year, about $2 more than it did
when it was first registered.  Registering and renewing are easy.  The
hardest task is deciding what the domain should be after eliminating domains
that are already registered to someone else.

Note however that some hosting services require that subscribers use only
the service's domain in their E-mail address.  It was not hard for me to
find a service that allowed me to use my own domain.


Re: What3words: putting geographical addresses behind a closed API (RISKS-30.80)

Amos Shapir <amos083@gmail.com>
Mon, 27 Aug 2018 14:33:48 +0300
IMHO the bigger problem is not that the system is proprietary, but rather a
more basic one: What's the purpose of such a system?  Actually, most of the
world is already using a 3-word scheme: place, street name, house number.
It makes much more sense that similar addresses are close together—if I
get to 221 Baker st. by mistake instead of 223 Baker st., it's easy to look
around.

There is the opposite problem—my house is built on a 30m x 30m lot,
which means it has 100 addresses in the proposed scheme!  How can anyone
tell that they all point to the same house (except by searching each one in
their db)?

I also find that addresses of this scheme are impossible to remember, when
none of the 3 words of an address bears any relation to an actual place.
