The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 85

Tuesday 2 October 2018

Contents

Kim Zetter, The Crisis of Election Security
NYTimes
Voting Machine Used in Half of U.S. Is Vulnerable to Attack
WSJ
Facebook hack exposed info on up to 50 million users
Engadget
Don't go to New Zealand
Henry Baker
Feds Force Suspect To Unlock Apple iPhone X With Their Face
Forbes
Facebook wins court battle over law enforcement access to encrypted phone calls
WashPost
A Quebecer spoke out against the Saudis—then learned he had spyware on his iPhone
CBC
"Easy way to bypass passcode lock screens on iPhones, iPads running iOS 12"
ComputerWorld
Criminal Behavior: How Facebook Steals Your Security Data to Violate Your Privacy
Lauren Weinstein
"Uber to pay $148 million in settlement over 2016 data breach and cover-up"
ZDNet
"Telstra refunds customers AU$9.3m for billing practices"
Corinne Reichert
"Monero bug could have allowed hackers to steal massive amounts of cryptocurrency"
Catalin Cimpanu
"Wendy's faces lawsuit for unlawfully collecting employee fingerprints"
Catalin Cimpanu
"Man gets two years in prison for sabotaging US Army servers with 'logic bomb'"
Catalin Cimpanu
Coding Error Sends 2019 Subaru Ascents To the Car Crusher
Slashdot
AI security camera detects guns and identifies shooters
zdnet
Will LA's Anti-Terrorist Subway Scanners Be Adopted Everywhere
Scientific American
Delta 'Technology Issue' Temporarily Disrupts Travel and Enrages Customers
NYTimes
The scientific method
NPR
Instagram has a drug problem. Its algorithms make it worse.
WashPost
Why buy bankrupt corporate servers on craigslist when you can "rent the room" containing them?
Kelly Bert Manning
Road to Zero: A Vision for Achieving Zero Roadway Deaths by 2050
NSC
Sometimes still good to have international borders indicated on maps
Dan Jacobson
Tardy responses, security failings led to SingHealth breach
StraitsTimes
Perspective: A Heart Device Can Save Lives, But Doctors Need To Explain The Downsides
NPR.org
Re: Randomized clinical trial of epinephrine in treatment of cardiac arrest
Robert R. Fenichel
Re: bloat
Dmitri Maziuk
Re: How do you get people to trust autonomous vehicles?
Richard Stein
Re: Bay Area city blocks 5G deployments over cancer concerns
Richard Stein
Report on Artificial Intelligence and Human Rights: Opportunities and Risks
Raso et al.
Info on RISKS (comp.risks)

Kim Zetter, The Crisis of Election Security (NYTimes)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 2 Oct 2018 11:12:50 PDT
Kim Zetter wrote an absolutely wonderful long article, with a very clever
cover page in *The New York Times* Sunday Magazine section.  For those of
you actually read the print edition, the very fine-print footnote to the
title on the cover of the Magazine section tells it all, beautifully.  For
those of you who read The Times online, you will miss out on the cover --
and have to read the entire article.

  As the midterms approach, America's electronic voting systems are more
  vulnerable than ever. Why isn't anyone trying to fix them?

https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html


Voting Machine Used in Half of U.S. Is Vulnerable to Attack (WSJ)

ACM TechNews <technews-editor@acm.org>
Fri, 28 Sep 2018 12:49:04 -0400
Robert McMillan and Dustin Volz, *The Wall Street Journal*, 27 Sep 2018
via ACM TechNews, Friday, September 28, 2018

Election machines used in more than half of U.S. states contain a decade-old
flaw that makes them vulnerable to a cyberattack, according to a report
based on research conducted last month at the Def Con hacker conference,
which was released Thursday. The vulnerability was found in the Model 650
high-speed ballot-counting machine from Election Systems & Software (ES&S),
and is one of about seven security issues identified in several models of
voting equipment described in the report. The Model 650 machine does not
have the advanced security features of more-modern systems, but ES&S says
its security is "strong enough to make it extraordinarily difficult to hack
in a real-world environment." Many of the flaws cited in the report can be
exploited only through physical access to the machines, but hackers could
exploit others via remote access. The company has said it considers
cybersecurity a top priority, and has never experienced a breach.

https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1ca89x217941x072467%26


Facebook hack exposed info on up to 50 million users (Engadget)

Lauren Weinstein <lauren@vortex.com>
Fri, 28 Sep 2018 14:11:29 -0700
  [Security and Privacy Code Review FAIL]
https://www.engadget.com/2018/09/28/facebook-hack-exposed-info-on-up-to-50-million-users/

  Facebook announced on Friday that it has suffered a data breach affecting
 up to 50 million users. According to a report from the New York Times,
 Facebook discovered the attack on Tuesday and have contacted the FBI. The
 exploit reportedly enables attackers to take over control of accounts so,
 as a precaution, the social network has automatically logged out more than
 90 million potentially compromised accounts.  "This is a really serious
 security issue and we're taking it really seriously," Facebook Mark
 Zuckerberg told reporters during a Friday media call.

   [Gene Wirchenko noted "Facebook discloses network breach affecting 50
   million user accounts", by Natalie Gagliordi
https://www.zdnet.com/article/facebook-discloses-network-breach-affecting-50-million-user-accounts/
   PGN]


Don't go to New Zealand

Henry Baker <hbaker1@pipeline.com>
Tue, 02 Oct 2018 12:14:51 -0700
  "Travelers refusing digital search now face $5000 Customs fine" [*]

I can't imagine what NZ will do to travelers with implanted digital devices,
including medical devices.

Of course, as a member of the "Five Eyes", NZ will also share all of your
digital info with the other Four.

Probably best to leave NZ to the New Zealanders, and enjoy NZ movies and
their excellent wine w/o having to be strip-searched there.

Two L with NZ, I say!

  [* Speaking of TWO L, I generally change "traveller" to "traveler".  My
  rule is that there should be a difference between accented double
  letters and unaccented double letters.  TRAvelers is not traVELLers.  PGN]

https://www.msn.com/en-nz/news/national/travellers-refusing-digital-search-now-face-dollar5000-customs-fine/ar-BBNLCFW

Travelers who refuse to hand over their phone or laptop passwords to Customs
officials can now be slapped with a $5000 fine.  The Customs and Excise Act
2018—which comes into effect today—sets guidelines around how Customs
can carry out "digital strip-searches".

Previously, Customs could stop anyone at the border and demand to see their
electronic devices. However, the law did not specify that people had to also
provide a password.  The updated law makes clear that travelers must provide
access—whether that be a password, pin-code or fingerprint—but
officials would need to have a reasonable suspicion of wrongdoing.
"It is a file-by-file [search] on your phone. We're not going into 'the
cloud'. We'll examine your phone while it's on flight mode," Customs
spokesperson Terry Brown said.

If people refused to comply, they could be fined up to $5000 and their
device would be seized and forensically searched.  Mr Brown said the law
struck the "delicate balance" between a person's right to privacy and
Customs' law enforcement responsibilities.  "I personally have an e-device
and it maintains all my records—banking data, et cetera, et cetera—so
we understand the importance and significance of it."

Council for Civil Liberties spokesperson Thomas Beagle said the law was an
unjustified invasion of privacy.  "Nowadays we've got everything on our
phones; we've got all our personal life, all our doctors' records, our
emails, absolutely everything on it, and customs can take that and keep it."
The new requirement for reasonable suspicion did not rein in the law at all,
Mr Beagle said.  "They don't have to tell you what the cause of that
suspicion is, there's no way to challenge it."

Customs Minister Kris Faafoi said the power to search electronic devices was
necessary.  "A lot of the organised crime groups are becoming a lot more
sophisticated in the ways they're trying to get things across the border.
"And if we do think they're up to that kind of business, then getting
intelligence from smartphones and computers can be useful for a
prosecution."

But Mr Beagle said "serious criminals" would simply store incriminating
material online.  "You'd be mad to carry stuff over on your phone.

Privacy Commissioner John Edwards had some influence over the drafting of
the legislation and said he was "pretty comfortable" with where the law
stood.

"There's a good balance between ensuring that our borders are protected
... and [that people] are not subject to unreasonable search of their
devices."  "You know when you come into the country that you can be asked to
open your suitcase and that a Customs officer can look at everything in
there."

Border officials searched roughly 540 electronic devices at New Zealand
airports in 2017.

Customs will be required to keep Parliament updated on the number of devices
searched every year. The agency said it did not expect the number to
increase.


Feds Force Suspect To Unlock Apple iPhone X With Their Face (Forbes)

Gabe Goldberg <gabe@gabegold.com>
Tue, 2 Oct 2018 00:38:49 -0400
https://www.forbes.com/sites/thomasbrewster/2018/09/30/feds-force-suspect-to-unlock-apple-iphone-x-with-their-face/%234dbbfaaa1259


Facebook wins court battle over law enforcement access to encrypted phone calls (WashPost)

Monty Solomon <monty@roscom.com>
Sat, 29 Sep 2018 13:42:48 -0400
The ruling is a setback to the Justice Department and a victory for tech firms.

https://www.washingtonpost.com/world/national-security/facebook-wins-court-battle-over-law-enforcement-access-to-encrypted-phone-calls/2018/09/28/df438a6a-c33a-11e8-b338-a3289f6cb742_story.html


A Quebecer spoke out against the Saudis—then learned he had spyware on his iPhone (CBC)

=?iso-8859-1?Q?Jos=E9_Mar=EDa?= Mateos <chema@rinzewind.org>
Mon, 1 Oct 2018 20:18:13 -0400
https://www.cbc.ca/news/technology/omar-abdulaziz-spyware-saudi-arabia-nso-citizen-lab-quebec-1.4845179

It started with a tub of protein powder. Omar Abdulaziz ordered one on
Amazon in late June and was waiting for it to arrive at his Sherbrooke,
Que., apartment. Abdulaziz didn't think much of it when he received a text
message later that day from DHL with a link to a tracking number, stating
his package was on its way.

In what has become a scarily effective hacking technique, the text message
-” and the link it contained ” was not what it claimed to be.  Abdulaziz
believes he clicked the link, which would have let spyware burrow its way
into his iPhone. There, it could copy his contacts and messages and even
eavesdrop on calls. Its operators would have total control.

But unlike the phishing attacks that ultimately helped Russian operatives
disrupt the 2016 U.S. presidential election, the attack on Abdulaziz's phone
was deeply personal.

In a new report, researchers at the University of Toronto's Citizen Lab say
that it was very likely conducted by the government of Abdulaziz's home
country, Saudi Arabia.


"Easy way to bypass passcode lock screens on iPhones, iPads running iOS 12" (ComputerWorld)

Gene Wirchenko <genew@telus.net>
Mon, 24 Sep 2018 15:15:51 -0700
Darlene Storm and Michelle Davidson, Computerworld | Sep 18, 2018
Easy way to bypass passcode lock screens on iPhones, iPads running iOS 12
The vulnerability allowing anyone to bypass the passcode lock screen
still exists in iOS 12 running on iPhones and iPads that have Touch ID.
Security Is Sexy
https://www.computerworld.com/article/3041302/security/4-new-ways-to-bypass-passcode-lock-screen-on-iphones-ipads-running-ios-9.html

  [Monty Solomon found this as well.
https://www.macrumors.com/2018/09/29/iphone-passcode-bypass-contacts-photos/
  PGN]


Criminal Behavior: How Facebook Steals Your Security Data to Violate Your Privacy

Lauren Weinstein <lauren@vortex.com>
Sun, 30 Sep 2018 09:55:14 -0700
https://lauren.vortex.com/2018/09/30/criminal-behavior-how-facebook-steals-your-security-data-to-violate-your-privacy

One of the most fundamental and crucial aspects of proper privacy
implementations is the basic concept of "data compartmentalization" --
essentially, assuring that data collected for a specific purpose is only
used for that purpose.

Reports indicate that Facebook is violating this concept in a way that is
directly detrimental to both the privacy and security of its users.  I'd
consider it criminal behavior in an ethical sense. If it isn't already
actually criminal under the laws of various countries, it should be.

There's been much discussion over the last few days about reports (confirmed
by Facebook, as far as I can determine) that Facebook routinely abuses their
users' contact information, including phone numbers provided by users, to ad
target other users who may never have provided those numbers in the first
place. In other words, if a friend of yours has your number in his contacts
and lets Facebook access it, Facebook considers your number fair game for
targeting, even though you never provided it to them or gave them permission
to use it. And you have no way to tell Facebook to stop this behavior,
because your number is in someone else's contacts address book that was
shared and is under their control, not yours.

This abuse by Facebook of "shadow contacts" is bad enough, but is actually
not my main concern for this post today, because Facebook is also doing
something far worse with your phone numbers.

By now you've probably gotten a bit bored of my frequent posts strongly
urging that you enable 2sv (two-step verification, 2-factor verification)
protections on your accounts whenever this capability is offered. It's
crucial to do this on all accounts where you can. Just a few days ago, I was
contacted by someone who had failed to do this on a secondary account that
they rarely used. That account has now been hijacked, and he's concerned
that someone could be conducting scams using that account—still in his
name—as a home base for frauds.

It's always been a hard sell to get most users to enable 2sv. Most people
just don't believe that they will be hacked—until they are and it's too
late (please see: "How to 'Bribe' Our Way to Better Account Security" -

https://lauren.vortex.com/2018/02/11/how-to-bribe-our-way-to-better-account-security

While among the various choices that can be offered for 2sv
(phone-based, authenticator apps, U2F security keys, etc.) the
phone-based systems offer the least security, 2sv via phone-based text
messaging still greatly predominates among users with 2sv enabled,
because virtually everyone has a mobile phone that is text messaging
capable.

But many persons have been reluctant to provide their mobile numbers
for 2sv security, because they fear that those numbers will be sold to
advertisers or used for some other purpose than 2sv.

In the case of Google, such fears are groundless. Google doesn't sell
user data to anyone, and the phone numbers that you provide to them
for 2sv or account recovery purposes are only used for those
designated purposes.

But Facebook has admitted that they are taking a different, quite
horrible approach. When you provide a phone number for 2sv, they feel
free to use it as an advertising targeting vector that feeds into
their "shadow contact" system that I described above.

This is, as I suggested, so close to being criminal as to be
indistinguishable from actual criminality.

When you provide a phone number for 2sv account security to Facebook,
you should have every expectation that this is the ONLY purpose for
which that phone number will be used!

By violating the basic data compartmentalization concept, Facebook
actually encourages poor security practices, by discouraging the use
of 2sv by users who don't want to provide their phone numbers for
commercial exploitation by Facebook!

Facebook will say that they now have other ways to provide 2sv, so you
can use 2sv without providing a phone number.

But they also know damned well that most people do use mobile phones
for 2sv. There are very large numbers of people who don't even have
smartphones, just simple mobile phones with text messaging functions.
They can't run authenticator apps. Security keys are only now
beginning to make slow inroads among user populations.

So Facebook—in sharp contrast to far more ethical companies like
Google who don't treat their users like sheep to be fleeced—is
offering vast numbers of Facebook users a horrible Hobson's choice --
let us exploit your phone number for ad targeting, or suffer with poor
security and risk your Facebook account being hijacked.

This situation, piled on top of all the other self-made disasters now
facing Facebook, help to explain why I don't have a Facebook account.

I realize that Facebook is a tough addiction to escape. "All my
friends and family are on there!" is the usual excuse.

But if you really care about them—not to mention yourself—you
might consider giving Facebook the boot for good and all.


"Uber to pay $148 million in settlement over 2016 data breach and cover-up" (ZDNet)

Gene Wirchenko <genew@telus.net>
Thu, 27 Sep 2018 20:06:22 -0700
Stephanie Condon for Between the Lines | 26 Sep 2018
The nationwide settlement agreement also requires Uber to implement
better data protection policies.
https://www.zdnet.com/article/uber-to-pay-148-million-in-settlment-over-2016-data-breach-and-cover-up/

opening text:

Uber has agreed to pay $148 million in a nationwide settlement agreement
over its 2016 data breach and subsequent cover-up, state attorneys general
announced Wednesday. The money will be dispersed across all 50 states and
the District of Columbia. Uber has also agreed to take specific steps to
better secure its employees' data.


"Telstra refunds customers AU$9.3m for billing practices" (Corinne Reichert)

Gene Wirchenko <genew@telus.net>
Thu, 27 Sep 2018 20:18:44 -0700
Corinne Reichert, ZDNet, 28 Sep 2018
After being fined AU$10 million for misleading customers on its management
of premium direct billing services, Telstra has also had to refund customers
a total of AU$9.3 million.

https://www.zdnet.com/article/telstra-refunds-customers-au9-3m-for-billing-practices/


"Monero bug could have allowed hackers to steal massive amounts of cryptocurrency" (Catalin Cimpanu)

Gene Wirchenko <genew@telus.net>
Tue, 25 Sep 2018 17:24:49 -0700
Catalin Cimpanu for Zero Day | 25 Sep 2018
Bug was discovered after a user posted a theoretical question on Reddit.
The developers of the Monero anonymous cryptocurrency have rolled out a
patch today that addresses a bug that could have been used by hackers to
obtain funds from exchanges illegally.

https://www.zdnet.com/article/monero-bug-could-have-allowed-hackers-to-steal-massive-amounts-of-cryptocurrency/


"Wendy's faces lawsuit for unlawfully collecting employee fingerprints" (Catalin Cimpanu)

Gene Wirchenko <genew@telus.net>
Mon, 24 Sep 2018 15:24:41 -0700
Catalin Cimpanu for Zero Day | 23 Sep 2018
Wendy's faces lawsuit for unlawfully collecting employee fingerprints
Restaurant chain faces class-action lawsuit in Illinois for breaking
BIPA state law.

https://www.zdnet.com/article/wendys-faces-lawsuit-for-unlawfully-collecting-employee-fingerprints/

A class-action lawsuit has been filed in Illinois against fast food
restaurant chain Wendy's accusing the company of breaking state laws in
regards to the way it stores and handles employee fingerprints.

The complaint is centered around Wendy's practice of using biometric clocks
that scan employees' fingerprints when they arrive at work, when they leave,
and when they use the Point-Of-Sale and cash register systems.


"Man gets two years in prison for sabotaging US Army servers with 'logic bomb'" (Catalin Cimpanu)

Gene Wirchenko <genew@telus.net>
Tue, 25 Sep 2018 17:16:10 -0700
Catalin Cimpanu for Zero Day | 25 Sep 2018
Server sabotage resulted in 17 days of delay in US Army Reserve pay.

https://www.zdnet.com/article/man-gets-two-years-in-prison-for-sabotaging-us-army-servers-with-logic-bomb/

A US judge has sentenced an Atlanta man to two years in prison followed by
three years of supervised release for sabotaging one of the US Army's
payroll databases with a "logic bomb."

According to investigators, Das didn't appear to take this handover lightly,
and at some time before the changeover, he placed malicious code on the RLAS
database that would execute days after the new company took over and would
destroy locally-stored records.


Coding Error Sends 2019 Subaru Ascents To the Car Crusher (Slashdot)

Ben Moore <ben.moore@juno.com>
Tue, 25 Sep 2018 21:34:08 -0500
"All 293 of the [2019 Subaru Ascent] SUVs that were built in July will be
scrapped because they are missing critical spot welds. According to
Subaru's recall notice filed with the U.S. National Highway Transportation
Safety Administration, the welding robots at the Subaru Indiana Automotive
plant in Lafayette, Ind., were improperly coded, which meant the robots
omitted the spot welds required on the Ascents' B-pillar."

https://developers.slashdot.org/story/18/09/23/0311221/coding-error-sends-2019-subaru-ascents-to-the-car-crusher


AI security camera detects guns and identifies shooters (zdnet)

Richard Stein <rmstein@ieee.org>
Fri, 28 Sep 2018 09:52:26 +0800
https://www.zdnet.com/article/ai-security-camera-detects-guns-and-identifies-shooters/

False positives may lead to unintentional shootings.


Will LA's Anti-Terrorist Subway Scanners Be Adopted Everywhere (Scientific American)

Richard Stein <rmstein@ieee.org>
Wed, 26 Sep 2018 07:40:51 +0800
https://www.scientificamerican.com/article/will-l-a-s-anti-terrorist-subway-scanners-be-adopted-everywhere/

Terahertz millimeter-wave screening devices scan crowded public spaces to
detect weapons/explosives.

'How the technology works in practice depends heavily on the operator's
training. According to Evans, "A lot of tradecraft goes into understanding
where the threat item is likely to be on the body." He sees the crucial role
played by the operator as giving back control to security guards and
allowing them to use their common sense.'

'Ultimately will these devices make public places safer? Opinions vary
drastically. Schneier, for one, is a skeptic. "It makes no sense, because
all it does is force an attacker to make minor changes to their plans,"
adding that he sees the technology as a step toward "militarization of the
police." Evans responds: The scanners offer an alternative to leaving mass
transit unprotected or increasing the visible police presence as terrorists
shift their focus away from airports. "It's part of the solution," he
says. "We don't claim it's the whole solution, and anyone who does is
over-claiming their technology."  But the enormity of the problem makes even
that more modest goal a challenge. "A bomb can be set off anywhere in a free
society," Stanley says. "When and where is the trade-off worth it? A lot of
terrorism is not really very fussy about what's attacked. Are we going to
screen everybody every time people get together in one place?"'


Delta 'Technology Issue' Temporarily Disrupts Travel and Enrages Customers (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 25 Sep 2018 23:51:17 -0400
The problems caused widespread confusion, and many customers demanded to
know why they could not book flights, print tickets or board their planes.

https://www.nytimes.com/2018/09/25/business/delta-airlines-outage.html


The scientific method (NPR)

Rob Slade <rmslade@shaw.ca>
Wed, 26 Sep 2018 16:56:51 -0700
So this scientist has taken a fall for rather questionable methods in
directing scientific experiments.

https://www.npr.org/sections/thesalt/2018/09/26/651849441/cornell-food-researchers-downfall-raises-larger-questions-for-science
or https://is.gd/RC6Fju

So what has this to do with security?  Well, it sorta falls into the realm
of integrity.  Kinda like fake news.

And what's wrong with what he was doing?  After all, we teach about data
warehousing, right?  You got a bunch of data: what's wrong with using it to
learn things aside from what you originally thought you were going to learn?
That's sort of OK if you don't stray too far, but, at some point, you get
into the realms of "shoot first: draw the target afterward."


Instagram has a drug problem. Its algorithms make it worse. (WashPost)

Monty Solomon <monty@roscom.com>
Wed, 26 Sep 2018 10:12:25 -0400
If you express interest in buying drugs illicitly, expect a flood of
solicitations to be funneled to you.

https://www.washingtonpost.com/business/economy/instagram-has-a-drug-problem-its-algorithms-make-it-worse/2018/09/25/c45bf730-bdbf-11e8-b7d2-0773aa1e33da_story.html


Why buy bankrupt corporate servers on craigslist when you can "rent the room" containing them?

Kelly Bert Manning <bo774@freenet.carleton.ca>
Sat, 22 Sep 2018 12:00:50 -0400
We have seen bankruptcy trustees and Judges in some jurisdictions contend
that the personal information held by failed companies is an asset that can
be bought and sold, but "renting the room" containing the servers for
$15,000 takes that to a whole new level.

The relevant General Principles in Codes of Fair Information Practices and
most Privacy Regulations are that Personal Information must only be used for
the purposes for which it was originally collected, and cannot be passed
along without the informed consent of the person involved.

https://boingboing.net/2018/09/21/unencrypted-data.html

"When Vancouver tech retailer NCIX went bankrupt, it stopped paying its
bills, including the bills for the storage where its servers were being
kept; that led to the servers being auctioned off without being wiped first,
containing sensitive data—addresses, phone numbers, credit card numbers,
passwords, etc—for thousands of customers. Also on the servers: tax and
payroll information for the company's employees."

https://www.bleepingcomputer.com/news/security/unwiped-drives-and-servers-from-ncix-retailer-for-sale-on-craigslist/


Road to Zero: A Vision for Achieving Zero Roadway Deaths by 2050 (NSC)

Richard Stein <rmstein@ieee.org>
Sat, 22 Sep 2018 18:21:06 -0700
https://www.nsc.org/Portals/0/Documents/DistractedDrivingDocuments/Driver-Tech/Road%20to%20Zero/The-Report.pdf?ver=2018-04-17-111652-263

Fascinating report prepared by the Rand Corporation. Some of the acronyms
used:

3HF	Three-Horizons Foresight
AACN	advanced automatic crash notification
ABP	assumption-based planning
ADAS	advanced driver assistance systems
AEB	automatic emergency braking
DADSS	Driver Alcohol Detection System for Safety
EMS	emergency medical services
FARS	Fatality Analysis Reporting System
HAV	highly automated vehicle
IIHS	Insurance Institute for Highway Safety
V2V	vehicle-to-vehicle
V2X	vehicle-to-everything

Will 3HF correct ABP vision and align the CRM-114 discriminator POE?


Sometimes still good to have international borders indicated on maps

Dan Jacobson <jidanni@jidanni.org>
Sun, 23 Sep 2018 18:22:23 +0800
Yes, I know say in Europe international borders might just clutter up
maps, but in other parts of the world well, they are a more serious matter
and shouldn't be removed from maps just yet...
https://github.com/openstreetmap/openstreetmap-website/issues/2002


Tardy responses, security failings led to SingHealth breach (StraitsTimes)

Richard Stein <rmstein@ieee.org>
Mon, 24 Sep 2018 18:27:40 +0800
https://www.straitstimes.com/singapore/tardy-responses-security-failings-led-to-singhealth-breach

"Tardy responses owing to a lack of awareness of how critical the situation
was and multiple security inadequacies contributed to the factors that led
to a massive SingHealth cyber-attack compromising the personal data of 1.5
million patients."

An embarrassing wakeup call for Singapore where medical tourism is a big
draw throughout the APAC region. Deficient employee cybersecurity training
practices, data breach reporting procedure gaps, temporary database
connections left open across the network, malware implantation undetected,
password specification weaknesses, etc.


Perspective: A Heart Device Can Save Lives, But Doctors Need To Explain The Downsides (NPR.org)

Richard Stein <rmstein@ieee.org>
Mon, 1 Oct 2018 08:57:12 +0800
https://www.npr.org/sections/health-shots/2018/09/30/652201204/perspective-a-heart-device-can-save-lives-but-doctors-need-to-explain-the-downsi
  [SafeLinks munged url?]

Another cautionary tale about implantable devices. The piece discusses
quality of life (QOL) outcome probabilities, and attempts to educate
patients about informed choice selection: to implant or not to implant.
Also mentioned are the "incentives" that device manufacturers offer
physicians and medical centers to promote their products.

Device implantation QOL outcomes (enhanced or diminished) are not
predictably deterministic.

"Of course, technology improves with time. A clinical trial published in May
showed that a newer-model LVAD (left-ventricle assist device) had
significantly fewer complications. This is encouraging, but it will be
important to see whether these outcomes hold true in practice --
particularly because almost on the day that study was published, the
manufacturer recalled the device to deal with technical problems."

Technology does not always 'improve' with time; it changes, sometimes for
good, sometimes for bad. The Hassle Factor (something like Murphy's Law) is
immutable. This outcome is especially pronounced for software stacks.

When implantable device manufacturers are compelled to disclose and publish
at least this life cycle collateral: (a) a device test plan; (b) the device
test results (conducted via a random control trial protocol); (c) wall clock
to qualify each candidate change pushed into the stack; and, (d) top-10
reported defect escapes for their released, version-controlled implantable
device, consumers will then be empowered to make a rational choice based on
data, not a video packaged as manufacturer's propaganda.

Granted, most consumers only want implanted devices to "work"—produce a
favorable QOL outcome. Most implantation candidates would likely prefer an
informed and conflict-free, independent 3rd party to assess the device test
life cycle outcomes for them, and make a recommendation.  Consumer Reports
or Underwriters Laboratory are candidate organizations that can fulfill this
public interest.


Re: Randomized clinical trial of epinephrine in treatment of cardiac arrest (RISKS-28.17)

"Robert R. Fenichel" <bob@fenichel.net>
Sun, 30 Sep 2018 22:47:26 -0700
This trial, organized several years ago, was discussed here starting with
RISKS 28.17.

RISKS followers may be interested to learn that the trial has been
completed, with a result that hardly anyone anticipated.  As described in
the New England Journal of Medicine (379(8): 711-721, 787-788 (2018-08-23)),
administering epinephrine in conventional doses to patients in cardiac
arrest results in improved 30-day survival, but no improvement in
neurological outcome.


Re: bloat (Slade, RISKS-30.84)

Dmitri Maziuk <dmaziuk@bmrb.wisc.edu>
Sat, 29 Sep 2018 12:37:18 -0500
I think you're forgetting the bit where we had to have single-core CPUs
pumping bloat so fast they melted themselves blowing fuses city-wide... and
sales went down. So the chipmakers went with more-slower-cores instead and
for a short while were decrying the programmers' inability to program in
parallel. Until the software industry called and asked if they ever heard
about biting the hand that feeds them.

On the plus side I can finally run the original Master of Orion complete
with the original Sound Blaster emulation in DosBox. Again. Because let's
face it: the sequels, especially the latest cellphone glitz version,
are... just bloat.


Re: How do you get people to trust autonomous vehicles? (Stein, RISKS-30.82)

Richard Stein <rmstein@ieee.org>
Sat, 22 Sep 2018 17:48:12 -0700
Martyn, Thanks correcting my garbled interpretation of the NHTSA statistic

The NHTSA's metrics (see
https://crashstats.nhtsa.dot.gov/Api/Public/Publication/812456), comprise a
factual reporting source. The metrics discriminate among vehicle type (SUV,
passenger car, pickup truck, motorcycle, etc.).  Deaths per 100 million
vehicle miles traveled, be they carbon or silicon driven, comprise an
aggregate key indicator.

Segregating this indicator (e.g., carbon v. silicon driven) may be valuable,
provided that comparison reporting is accurate. If, hypothetically, NTHSA
reported:

CB (Carbon-based) 100VMT for 2016: 1.2 (~270M registered vehicles)*
SB (Silicon-based) 100VMT for 2016: 3 (~100 registered vehicles)^

This hypothetical statistic demonstrates a safety disadvantage for AVs.  Not
a likely selling point for consumers currently. Also, the AV sample size is
at least 4 orders of magnitude smaller than the CB population.

Not hard to imagine AV vendors trivializing or spinning this statistic.
Also, many consumers are mathematically challenged by the term "order of
magnitude."

https://www.statista.com/statistics/183505/number-of-vehicles-in-the-united-states-since-1990/

https://static.googleusercontent.com/media/www.google.com/en//selfdrivingcar/files/reports/report-0916.pdf

I also note that Alphabet/Waymo is apparently "throwing down the
gauntlet" for AV deployment in 2020. See
https://www.recode.net/2018/3/27/17167906/alphabet-waymo-self-driving-jaguar-electric-ride-hail

Perhaps the NHTSA will introduce the SB statistic after 2020 go-live (or
go-dead)!


Re: Bay Area city blocks 5G deployments over cancer concerns (Goldberg, RISKS-30.84)

Richard Stein <rmstein@ieee.org>
Mon, 1 Oct 2018 13:12:27 +0800
Politicians and physics do not mix, except when a nuclear issue arises...

The energy of photon, E = h * f, or h * c/lambda, where h is Planck's
constant and f is the photon frequency, lambda the wavelength, establishes
photo-ionization potential—the ability of a photon to eject an electron
from an atom (in a DNA molecule for instance) and potentially initiate
cancer formation.

Cellphone frequencies range from ~0.45 to 6GHz. Doing the math per
https://www.1728.org/freqwave.htm

0.45 GHz or ~66.6 cm or ~1.86 microvolts
6.0  GHz or ~4.9  cm or ~25 microvolts

Ionization potential for carbon, hydrogen, and oxygen atoms: 11.2/13.6/13.6
eVolts. These values are 5-6 orders of magnitude larger than cell phone
energy radiation. 5G spectrum might approach ~30GHz, but the radiated energy
remains in the trivial range compared to ionization energy. A cellphone
might be used to warm croissant crumbs @ 2 GHz.


Report on Artificial Intelligence and Human Rights: Opportunities and Risks (Raso et al.)

Diego Latella <Diego.Latella@isti.cnr.it>
Fri, 28 Sep 2018 14:47:24 +0200
Berkman Klein Center for Internet & Society at Harvard

A report that is worth reading:

Artificial Intelligence & Human Rights: Opportunities & Risks
https://cyber.harvard.edu/publication/2018/artificial-intelligence-human-rights
F. Raso, H. Hilligoss, V. Krishnamurthy, C. Bavitz, L. Kim
Berkman Klein Center for Internet & Society at Harvard University

- Readable for non-computer-scientists, thanks to the clean & clear language
  used;

- Interesting for computer scientists, because helps them elaborating on the
  potential impacts of their work.

Please report problems with the web pages to the maintainer

Top