Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
https://www.washingtonpost.com/news/posteverything/wp/2018/10/05/feature/doctors-are-surprisingly-bad-at-reading-lab-results-its-putting-us-all-at-risk Physicians make mistakes interpreting lab results, assessing diagnostic images, prescribing medicine, etc. These errors can portend either a fatal outcome or expensive mitigation based on the incorrect assessment of patient symptoms, history, and diagnostic evidence. The Agency for Healthcare Research and Quality (AHRQ) of the US Health and Human Services estimated in 2014 that 5% of outpatients experience misdiagnosis, and 13% of emergency room patients are misdiagnosed for stroke (see https://psnet.ahrq.gov/perspectives/perspective/169/diagnostic-errors). As AI-based assistance—robo-medicine—encroaches on medical specializations, a significant risk arises from the training reference input data used to construct these platforms. The risk materializes from the who/what that arbitrates between "correct" and "incorrect" or "pass" and "fail" machine-generated diagnostic conclusions and therapeutic recommendations. Physicians will be challenged to justify and pursue robo-medicine's diagnostic findings and therapeutic recommendations based on a "probably approximately correct learning" technique. Robo-medicine viability depends on the input training data used to construct the core decision engine, the artificial life or neural network framework that is constructed to generate a presumably viable diagnosis based on patient symptoms, physiological data, and history. That physicians make mistakes assessing this information implies that the machine training stimulus input and output inherits and partially acquires human judgment, however imperfect. Without physician intervention, an automatic patient diagnostic/treatment life cycle consisting of pre-existing and chronic conditions, blood/urine chemistry, diagnostic image analysis, surgical robots (robots with knives), and prescription generators comprises a future medical-industrial ecosystem that can amplify misdiagnosis frequency and severity. Without independent and continuous monitoring, reporting and correction, medical error cluster formation is a likely outcome. A proactive and concurrent maintenance and oversight life cycle is imperative to mitigate emergent risks. Accountability and traceability must remain with the physician in charge of patient care. It would be irresponsible and dangerous, though possibly cost-effective, to allow robo-medicine dispensation without physician oversight. Publication of patient life cycle experience, including automated misdiagnosis and maltreatment incidents, is essential to enable independent analysis. How to achieve this reporting, and preserve patient confidentiality, privacy, and anonymity poses a significant and sustained challenge. Procedures are required to govern robo-medicine's therapeutic analysis, findings and recommendations. A misdiagnosis or incorrect therapy schedule must be quickly reported to the FDA's MAUDE repository. An unrecognized and unchallenged diagnostic or therapeutic defect escape in a hospital emergency room may be catastrophic. As technological risk multiples in the medical-industrial complex, elevated financial and legal penalties against suppliers are needed to deter irresponsible product deployment. Robo-medicine platforms must be indemnification-exempt should a physician initiate suspect, incorrect, or life-threatening therapeutic recommendations and procedures. Mandatory peer consultation is a requirement. If the medical-industrial complex sustains caveat emptor (buyer beware) as their business model, independent and conflict-free reviewers of product viability and effectiveness becomes mandatory. Robo-medicine manufacturing and qualification processes for software and hardware must become transparent. Consumer trust and confidence accrues from evidence that sponsors it, not marketing or propaganda. Compulsory reporting of unvarnished defect escape of misdiagnosis and questionable therapeutic recommendations are necessary to reveal robo-medicine's defects. Regulatory governance, enforcement, and vigilance must strengthen to improve patient outcome and suppress the accelerated misdiagnosis potential of robo-medicine.
https://www.engadget.com/2018/10/05/fda-approves-bose-over-the-counter-hearing-aid/%3Fyptr%3Dyahoo "Though they're not approved by the FDA as hearing aids, a number of companies have developed wireless earbuds that can manipulate and augment sound. Bose, Nuheara and the now defunct Doppler Labs have all released assistive hearing devices in the past." A cellphone app and a little Bluetooth will do ya for this gizmo. Hopefully, the amplifier settings do not go to '11'. [Bugs in your ear? Nice opportunity for Trojan ears? PGN]
The Dutch have decided to blow the spies' operation wide open. https://www.washingtonpost.com/opinions/global-opinions/russian-hackers-were-caught-in-the-act--and-the-results-are-devastating/2018/10/05/5e72495a-c8b5-11e8-b1ed-1d2d65b86d0c_story.html
via NNSquad https://techcrunch.com/2018/10/04/china-spy-hack-chip-bloomberg-supply-chain/ Thursday's explosive story by Bloomberg reveals detailed allegations that the Chinese military embedded tiny chips into servers, which made their way into datacenters operated by dozens of major U.S. companies. We covered the story earlier, including denials by Apple, Amazon and Supermicro—the server maker that was reportedly targeted by the Chinese government. Amazon said in a blog post that it "employs stringent security standards across our supply chain." The FBI and the Office for the Director of National Intelligence did not comment, but denied comment to Bloomberg. An interesting story, but aspects of it don't seem to ring quite true. I'll mention one odd aspect right now. Why would you build such capabilities into a separate chip that could ultimately be noticed as extraneous—even if camouflaged as another sort of chip—rather than build this capability into a chip that already was expected to be present and would never attract any attention at all? My hype detector is buzzing a bit on this saga. [This may be just the beginning of a long saga. Discussions over the past few days have been very contentious, with many different possible outcomes. For example, Peter Houppermans noted these: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies Apple is clearly not happy with Bloomberg, and refutes the story: https://9to5mac.com/2018/10/04/apple-spy-chips-china-bloomberg/ https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/ Also see: https://www.theatlantic.com/technology/archive/2018/10/political-cost-chinese-hardware-hack/572383/ https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies A recent bottom line may be don't believe Bloomberg: https://www.cnbc.com/2018/10/10/fbi-director-wray-on-super-micro-servers-be-careful-what-you-read.html PGN]
I started out, more than 30 years ago, researching malware and other forms of covert interference (including a number of instances involving hardware). While the possibility of a hardware attack similar to this is quite possible, the details of this story are quite suspect. (First of all, I note that Faux News is interested. That *automatically* raises alarms :-) There is the issue that this relates to a separate chip found on the circuit boards. If you are smart enough to make a chip that can do everything this superchip is supposed to do, you should be smart enough to put the functions into another chip on the the system (perhaps the system management controller that the superchip is supposed to control) so that an extraneous chip won't raise alarms. Then there are all the functions this superchip is supposed to do. It is supposed to manage communications. It is supposed to subvert the operating system. (*Which* operating system? How would they know that would be the one used?) It is supposed to divert password checks. Oh, right. It's supposed to subvert the system controller. I once reviewed a supposed antiviral system that Western Digital used as a demonstration of their new system controller chip. They made a total hash of it. Even system controllers don't have the kind of reference monitor function that this superchip would rely on. Other parts of the story refer to other chips, some as small as a pencil tip, that could be layered into the circuit board itself. Yes, it could. But how would you make contacts with it? (And you'd need multiple contacts ...) While the spy parts of the story sound reasonable, the tech parts don't. Now, it may be that there are similar types of hardware attacks mounted. It may even be that almost the whole story it true, but that the "sources" lied to Bloomberg about the tech for reasons of their own. But this smacks, to me, of the tale of the Desert Storm Virus of 1991. An April Fools joke that deceived the author of a book about the 1991 Desert Storm campaign—and also the Pentagon press office. (Because they'd read the book ...)
David Gewirtz for ZDNet, 3 Oct 2018 The one serious MacBook Pro security flaw that nobody is talking about Every MacBook since 2015 and every MacBook Pro since 2016 is at risk. Here's how you can keep your machines safe. selected text: With my 2015 MacBook equipped with a MagSafe port, if I want to charge the machine, I just plug it in. There's no risk of a data connection. As long as I have networking off and nothing plugged into any of my ports, I'm safe. I'm air-gapped from the rest of the world. MacBooks before 2015 and MacBook Pros before 2016 could charge without any risk, as long as everything else was off, empty, or disconnected. Prior to the USB C-only MacBook Pros, at least charging the device wasn't a possible hacking vector. But with the MacBook from 2015 on, and for the MacBook Pros from 2016 on, the only way you can charge the notebook is by connecting to a USB-C port. That's right. In order to charge the machine, you must connect to a port capable of transferring data. You have no choice.
http:/gizmodo.com/microsoft-delays-latest-version-of-windows-10-after-rep-1829574177
The update—a major revision to Windows 10 that includes tools like a
cloud clipboard and a preliminary version of its phone mirroring software
—was reported to have resulted in mass file deletion from user
directories as well as less alarming issues like incorrect CPU usage in
Task Manager or broken audio drivers, ZDNet reported. One user on the
Microsoft support board claimed to have lost 220 gigabytes of files. As
CNET noted, some users reported that even using hard drive software would
not allow them to find more than a portion of the missing data.
[Chris J Brady noted other sources:
https://www.howtogeek.com/fyi/bug-in-windows-10s-latest-update-might-be-deleting-files-back-up-your-data-now/
https://www.reddit.com/r/Windows10/comments/9l128k/warning_1809_upgrade_misplaceddeleted_files_in/
https://www.reddit.com/r/Windows10/comments/9l2v3z/windows_1809_update_wiped_my_documents/
PGN]
"Federal air marshals have begun following ordinary US citizens not suspected of a crime or on any terrorist watch list and collecting extensive information about their movements and behavior under a new domestic surveillance program that is drawing criticism from within the agency." "The previously undisclosed program, called 'Quiet Skies,' specifically targets travelers who 'are not under investigation by any agency and are not in the Terrorist Screening Data Base,' according to a Transportation Security Administration bulletin in March." https://apps.bostonglobe.com/news/nation/graphics/2018/07/tsa-quiet-skies/ Not doing anything suspicious makes you a suspect? These terrorists are far more clever than I thought!
http://www.latimes.com/business/la-fi-vizio-settlement-20181004-story.html The most resonant message a for-profit business understands hits the bottom line. Vizio exploited customer data for profit. Now those profits, with a hefty fine, are being disgorged. 'The settlement values the data collected about each Vizio customer at 62 cents in the unlikely case that all of them apply for compensation. The lawyers described the per-person settlement figures as "highly favorable" based on estimates from a hired expert that "average damages for actual harm" from gathering and sharing viewing data is 78 cents to $4.76.' Chump change compensation for the affected class-action members.
Michael Krigsman for Beyond IT Failure, ZDNet, 30 Sep 2018 If your Twitter is hacked, it could be gone permanently and Twitter may not help. Here is one user's sad story and how you can protect yourself. https://www.zdnet.com/article/mission-impossible-trying-to-regain-twitter-account-access-after-identity-theft/ opening text: If you rely on Twitter for business or recreation, it's time to worry. Although the days of frequent service outages have passed, users have a new cause for concern - getting locked out by Twitter itself, without explanation. Unfortunately, when this happens, you have no recourse, and there is no one to call. It's bad news.
P.M. Lee, Straits Times The public post-mortem following Singapore's largest data breach in its 53 year old history finds that certain IT governance and deployment practices require redress. This breach rattled the city-state. https://www.straitstimes.com/singapore/coi-on-singhealth-cyber-attack-alarm-bells-did-not-ring-for-key-cyber-security-employee Among the recommendations from the "four-member Committee of Inquiry" https://www.straitstimes.com/singapore/failings-in-judgement-organisation-exposed-as-cyber-attack-coi-grills-singhealth-risk-man is adoption of the "Singapore Government Technology Stack" (SGTS) to enable "cheaper and faster" e-service roll-out. The SGTS contents is TBD. If a stack's publication viability (fitness to release for deployment) possesses an attribute governing "Trust" qualification, it must be shown to be immune/hardened against surreptitious access, and generate non-repudiated results, etc. The "Trust" attribute needs to be applied across the full ecosystem (including the carbon components), not just the SGTS, as the weakest security link is the easiest to penetrate, and often requires the broadest mitigations/countermeasures to harden. Metasploit cleanliness, OWASP.org compliance, and fuzz stimulus evaluation findings can contribute to trust qualification measurement by revealing vulnerabilities to prioritize for repair prior to deployment. Since the NSA's TOA toolset was involuntarily published, perhaps it should be applied as a "kitchen sink" qualification tool for SGTS? https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html
https://www.bbc.com/news/technology-45745366 Fitbit data has been used by US police investigating whether a 90-year-old murdered his stepdaughter. The victim, Karen Navarra, 67, was found with a kitchen knife in her hand, suggesting she killed herself. Anthony Aiello, who denies murder, told police he had visited her for 15 minutes to drop off pizza. But police say a fitness tracker she was wearing showed a significant spike in heart rate followed by a rapid slowdown at the time he was there. [...] It is not the first time Fitbit data has been used in a murder case. Last year in the US, Richard Dabate was charged with murdering his wife after data from her Fitbit discredited his version of events, according to police. Mr Dabate had said he had seen his wife, Connie, shot by an intruder more than an hour before her fitness tracker had recorded her last movements, they said. I've never seen or used one of these devices, but this makes me wonder: Must a user authenticate to one before it becomes active? How hard would it be to "borrow", say, a roommate's or significant other's Fitbit and use it as part of a scheme to frame him or her for a crime? I remember a story from some time back about a woman who looked at her boyfriend's Fitbit (or some other similar device) data, and concluded that he had been unfaithful due to it having recorded him "in the act", having sex with someone else. So it may not be difficult to extract data from them. But what about changing the contents of its memory? So I can imagine a plot for a story: Woman discovers, after examining Fitbit data, that husband has been cheating. She murders her rival, and uses the Fitbit to frame him for the crime. (Insert optional surprise ending: maybe someone framed him in the first place, or a friend had borrowed his Fitbit to try it out, and it was all a big mistake, but she learns this too late, or maybe she has to confess to the murder to save him, or ???) [Monty Solomon noted another source: Police Use Fitbit Data to Charge 90-Year-Old Man in Stepdaughter's Killing https://www.nytimes.com/2018/10/03/us/fitbit-murder-arrest.html PGN]
Check out this great article I read on WIRED: "The Next Great (Digital) Extinction" https://www.wired.com/story/ideas-joi-ito-great-digitization-event/%3Fmbid%3Demail_onsiteshare
https://boingboing.net/2018/10/04/welcome-bootlickers.html But calmer: https://ifixit.org/blog/11673/t2-mac-repairs-test/ Well, stop the presses. Turns out, “Apple makes your MacBook *inoperative* if you get it fixed at local repair shops'' isn't quite true—not yet, no matter what *The Sun* says. https://www.thesun.co.uk/tech/7427666/apple-macbook-pro-repair-fix-inoperative-authorised-service/ Our lab testing has found that independent (and DIY) repair is alive and well. But it is under threat.
Default passwords such as "admin" and "password" will be illegal for electronics firms to use in California from 2020. The state has passed a law that sets higher security standards for net-connected devices made or sold in the region. It demands that each gadget be given a unique password when it is made. Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm. The Information Privacy: Connected Devices bill demands that electronics manufacturers equip their products with "reasonable" security features. https://www.bbc.com/news/technology-45757528
https://www.washingtonpost.com/news/morning-mix/wp/2018/10/03/more-than-250-people-worldwide-have-died-taking-selfies-study-finds “The selfie deaths have become a major public health problem,'' Agam Bansal, the study's lead author, told The Washington Post. Not as severe a problem health problem as distracted automobile drivers concurrently accessing mobile devices, but of a similar order of magnitude. [Monty Solomon quoted this in *The Washington Post* article: Researchers are calling for more `no selfie zones' near water bodies, mountain peaks, and over tall buildings. PGN] See Dan Piraro's "Bizarro" comic on 04OCT2018 https://bizarro.com/daily-comic/
Facebook Hack Puts Thousands of Other Sites at Riskhttps://www.nytimes.com/2018/10/02/technology/facebook-hack-other-sites.html Ten years ago, the social network introduced a password system that connected it to a broad swath of the Internet. Now we are seeing the downside.
I recently emailed my superannuation provider and received the following hopeful but disappointingly honest response. "Please note: ###'s recent system upgrade has meant longer than usual processing times and higher call volumes, while our staff become more familiar with the new system. We thank you for your patience and understanding during this time. Once we resolve these initial issues we are looking forward to a more efficient administration process which will provide greater service to our members. "
[High tech is so exciting except when it is not.]
Chris Matyszczyk for Technically Incorrect, ZDNet | October 7, 2018
https://www.zdnet.com/article/what-real-people-think-about-the-iphone-xs/
The reviews are excitable, but how do Apple's new phones look to real people
going about their daily lives?
selected text:
In reviewing the iPhone XS Max, he describes it as "the future of the iPhone."
What, though, do real people on the street think about this and its smaller
sibling, the iPhone XS?
I've spent the last couple of weeks asking people on both coasts.
Now, when I say people, I mean real people: The 99 percenters who are taken
advantage of every day.
[The upshot is that they are not impressed, and some did not even know
about it. Hey, neither did I. I am not a computer nerd for the fame.]
A casual search will result in any number of online services that will not only generate fake pay stubs, but will also answer phone calls and "confirm" income verbally, all for a fee. "Sites will have a disclaimer, claiming it's for novelty purposes or similar qualifying statements," said Berg. "Some are out of the country and not traceable. There are sites where you can buy credit lines to increase your credit." https://www.cnbc.com/2018/10/03/mortgage-fraud-is-getting-worse-as-more-people-lie-about-their-income.html What could go wrong with that?
[via NNSquad] Personally, I find the best filter for spam callers is simply to push ALL calls through to voicemail. 99% of spam callers will hang up without ever leaving a message, as demonstrated by missed call logs. Block the really persistent ones. Pretty easy, actually. No AI required.
Elevated upper-atmospheric CO2 levels preserve longevity of orbiting space junk, elevating collision potential between orbiting satellites. "In all, according to the ESA, there have been about 5,400 rocket launches since the space age began in 1957. They have placed about 8,650 satellites in orbit. Of these, about 4,700 are still in space, but only around 1,800 are still functioning. Space surveillance networks operated by the United States, Europe and other nations now estimate there are some 29,000 pieces of debris that are 10 centimeters in diameter or larger in orbit. Not all of them are being tracked." Satellite operators often burn propellant to avoid collisions. Low-earth-orbit satellite operational life time constraint compelled by "dodgeball."
"The DEA launched its National License Plate Reader Program in 2008; it was publicly revealed for the first time during a congressional hearing four years after that. The DEA's most recent budget describes the program as 'a federation of independent federal, state, local, and tribal law enforcement license plate readers linked into a cooperative system, designed to enhance the ability of law enforcement agencies to interdict drug traffickers, money launderers or other criminal activities on high drug and money trafficking corridors and other public roadways throughout the U.S.,' primarily along the southwest border region, and the country's northeast and southeast corridors. "There used to be an old police saying, 'If you robbed a bank, please drive carefully,' former NYPD Detective Sergeant and Bronx Cold Case Squad commander Joseph Giacalone told Quartz, explaining that if a getaway driver didn't do anything to attract the attention of police and get pulled over, they usually had a half-decent chance of fleeing. 'But that's no longer in effect because you can drive slow, you can stop at every red light, but these license plate readers and surveillance cameras track your every movement." The Panopticon has been activated. Will the US Health and Human Services tap into this database to identify and penalize obese citizens who travel to '31 Flavors' and are reliant on Medicare or other government entitlement programs?
There were a few new news articles on the topic: More than 250 people have died while trying to take selfies, study finds Our love for capturing the perfect selfie has introduced a new danger, selfie deaths, USA Today reports. The most common cause? Drowning. (CNBC, today Selfie deaths: 259 people reported dead seeking the perfect picture The quest for extreme selfies killed 259 people between 2011 and 2017, a 2018 global study has revealed. Researchers at the US National Library of Medicine ...
Richard Stein wrote that cellphone frequencies are far too low to cause ionization. He notes that cellphone radiation in the microwave frequency could cause a small amount of warming. That cellphone EM radiation does not ionize is a red herring. He neglects the affect of resonance with biological molecules. As far as I know, no dangerous resonances have been identified, but the possibility cannot be entirely discounted.
[via dave farber]
I find the declaration intriguing, but I fear that it will be unable to
launch, much less fly, because it is too heavily laden with contentious
issues (such as the right to be forgotten - which, by-the-way, I support).
For more than a decade I have been advocating a rather shorter formulation
that I believe is an initial step that can be more easily reached. This
formulation is, of course, in need of interpretation in order to sharpen the
distinctions that it makes.
First Law of the Internet
https://www.cavebear.com/old_cbblog/000059.html
+ Every person shall be free to use the Internet in any way that
is privately beneficial without being publicly detrimental.
- The burden of demonstrating public detriment shall be on those who
wish to prevent the private use.
- Such a demonstration shall require clear and convincing evidence of
public detriment.
- The public detriment must be of such degree and extent as to justify
the suppression of the private activity.
(By-the-way, I got the ideas for this out of the old 1954 Hush-A-Phone
decision and some of the subsequent cases, such as Carterphone and MIC, that
tried to define the boundary between what was then a monolithic and
intensely controlling "the telephone company" and users who wanted to do
more than simply talk.)
HB> "It is a file-by-file [search] on your phone. We're not going into 'the HB> cloud'. We'll examine your phone while it's on flight mode," Customs HB> spokesperson Terry Brown said. Do they even wash their hands first, or end up getting cupcake residue on the buttons? (Or a real (flu) virus.) And are their fingers sufficiently non-fat, to avoid hitting the delete key on my files? And what if they burst out laughing when they find out what my password is and can't help repeating it many times all over the airport, whilst dropping my phone on the floor?
On 10/2/2018 4:33 PM, RISKS List Owner wrote: > CB (Carbon-based) 100VMT for 2016: 1.2 (~270M registered vehicles)* > SB (Silicon-based) 100VMT for 2016: 3 (~100 registered vehicles)^ > > This hypothetical statistic demonstrates a safety disadvantage for AVs. Not > a likely selling point for consumers currently. Also, the AV sample size is > at least 4 orders of magnitude smaller than the CB population. That's for all SB vehicles. What happens if we segregate the statistics by manufacturer? Are *any* of those fatalities due to Waymo vehicles? I haven't tried a full statistical analysis, but what I remember from newspaper reports is that at least 2 of those 3 are from Uber's SB Vehicles, not from Waymo. This would _tend to_ suggest that Waymo is more careful than Uber in designing their hardware/software systems to avoid accidents. And in testing their vehicles: Waymo had SB vehicles "driving" around with a human (CB) in the car to take over in case of emergency. Unfortunately, given the numbers in Stein's posting, that would leave a sample size way too small. At least if we insist on measuring only fatalities. I remember this arising a couple of years ago when I was reading analyses in the newspapers, that said that fatal accidents were so rare (1.2 per million VMT per the NHTSA figures Stein quotes) that it would take a long time to accumulate enough VMTs on SB vehicles to know if they were "safe enough". I was skeptical then, and I remain skeptical. You don't have to count only fatalities, because fatalities correlate positively* with (1) non-fatal injuries, and (2) non-injury collisions. So if we look at injury accidents per 1E8 VMT for SB vs. CB "drivers", we should get a pretty good idea of whether SB "drivers" are better or worse than CB drivers. * Not necessarily proportionally, although I suspect that fatalities are proportional to non-fatal injuries.
Please report problems with the web pages to the maintainer