Cars are getting smarter and more capable. They're even starting to drive themselves, a little. And they're becoming a cause of concern for European and American safety agencies and groups. They're all for putting better tech on the road, but automakers are selling systems like Tesla's Autopilot, or Nissan's Pro Pilot Assist, with the implied promise that they'll make driving easier and safer, and a new study is the latest to say that may not always be the case. More worryingly, drivers think these systems are far more capable than they really are. https://www.wired.com/story/semi-autonomous-systems-safety-research-euro-ncap-thatcham/
In the Wild West, a cowboy was a man who, if he had to go a mile north, would walk two miles south to get a horse, so he could ride there. The IoT appears to be a product of computer cowboys. Don Wagner <http://donwagner.dk>
http://www.computer.org/csdl/mags/co/2018/09/index.html

Explainable AI (XAI), as defined by Hani Hagras, possesses these characteristics:

"Transparency: We have a right to have decisions affecting us explained to us in terms, formats, and languages we can understand.
"Causality: If we can learn a model from data, can this model provide us with not only correct inferences but also some explanation for the underlying phenomena?
"Bias: How can we ensure that the AI system has not learned a biased view of the world based on shortcomings of the training data or objective function?
"Fairness: If decisions are made based on an AI system, can we verify that they were made fairly?
"Safety: Can we gain confidence in the reliability of our AI system without an explanation of how it reaches conclusions?"

These XAI characteristics, if demonstrably deterministic, can aid triage and reconstruction of an AI platform's processing activities. A platform's XAI compliance certification may deter and preclude worst-case, post-deployment consequences. AI platform publishers can serve public health and welfare by demonstrating XAI characteristics prior to deployment. A public service that operates a compliance simulation can enhance public safety, and reinforce social trust for AI. XAI certification might be used as a selling point, similar to a label from Underwriters Laboratories or a Consumer Reports ranking.

Autonomous vehicles (AVs) exemplify AI platforms. They promote and aspire to embody safety capabilities that outperform carbon-based drivers, at least per NHTSA statistics. Unless operation and failure modes can be simply explained, AVs will remain a technological eight-ball. XAI characterization affords one means to educate a skeptical public. But AV manufacturers must proactively and transparently disclose traffic accident initiators and processing sequences.
Attorneys will find it difficult to argue that Robocar-5 "LiDAR image Bayesian decision anomaly suppression logic" is safer than a distracted or inebriated carbon-based driver. Given the tarnished reputation acquired from prior incidents, AV manufacturers have become taciturn. See https://www.washingtonpost.com/technology/the-switch/shaken-by-hype-self-driving-leaders-adopt-new-strategy-shutting-up/2018/10/18/87bbb99a-91f7-42ec-9b9b-e0cb36ae6be8_story.html XAI compliance may be their best hope, and last chance, to rehabilitate their image.
https://blogs.scientificamerican.com/observations/when-ai-misjudgment-is-not-an-accident/ "Injecting deliberate bias into algorithmic decision-making could be devastatingly simple and effective. This might involve replicating or accelerating pre-existing factors that produce bias. Many algorithms are already fed biased data. Attackers could continue to use such data sets to train algorithms, with foreknowledge of the bias they contained. The plausible deniability this would enable is what makes these attacks so insidious and potentially effective. Attackers would surf the waves of attention trained on bias in the tech industry, exacerbating polarization around issues of diversity and inclusion. "The idea of 'poisoning' algorithms by tampering with training data is not wholly novel. Top U.S. intelligence officials have warned that cyber attackers may stealthily access and then alter data to compromise its integrity. Proving malicious intent would be a significant challenge to address and therefore to deter." Risk: AI-generated, published content that incites widespread civil unrest, or financial catastrophe.
https://www.washingtonpost.com/technology/2018/10/20/drink-too-much-beer-dallas-cowboys-game-now-free-robot-driven-van-will-scoop-you-up-afterward "Drive.ai has attempted to distinguish itself by prioritizing 'recognizability over beauty,' giving its Nissan vehicles bright orange paint jobs that are designed to grab the attention of pedestrians and drivers, according to company officials. "The vehicles operate along fixed routes, include human backup drivers and travel up to 35 mph. They also include exterior panels with messages—such as 'waiting for you to cross'—to take the place of a human driver making eye contact or gesturing with a pedestrian at a crosswalk, for example. At some point, the CEO said, backup drivers will be removed and the vehicles will operate autonomously."
UB News Center, 16 Oct 2018, via ACM TechNews, 19 Oct 2018 University at Buffalo researchers have outlined the first accurate technique for tracing a three-dimensionally (3D)-printed object to the machine that produced it, which they think could help law enforcement and intelligence agencies track the origin of 3D-printed firearms and counterfeit products. The PrinTracker method identifies the unique signatures of 3D printers by reading the tiny imperfections within the in-fill patterns they produce in printed objects. The team created a set of keys from 14 common printers, then generated digital images of each key. Each image was filtered to characterize the in-fill pattern, then an algorithm aligned and calculated each key's variations to confirm the printer signature's authenticity; PrinTracker matched each key to its originating printer with 99.8% accuracy. PrinTracker was presented this week at the ACM Conference on Computer and Communications Security (ACM CCS 2018) in Toronto, Canada. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1ccf3x217f1ax069069
https://www.itprotoday.com/data-security-encryption/ssh-authentication-bug-opens-door-if-you-say-youre-logged
https://www.zdnet.com/article/hackers-steal-data-of-75000-users-after-healthcare-gov-ffe-breach/
When invaders turned the digital information space into a battlefield, citizen volunteers innovated a new kind of combat. Ukrainian activists are working on the front lines to fight information aggression. For better or for worse, warfare drives technology innovation. World War I turned the airplane from a rickety contraption into an essential force in battlefield dominance; World War II brought us jet planes, radar, and atom bombs. Today, attacks come through the Internet, not from the sky—and so do the responses. The cyberattack offensive that Russia launched in Ukraine in 2014 introduced a new doctrine, hybrid warfare, that blends special-forces military action, sophisticated propaganda, social media manipulation, and hacking. And the resistance is coming from volunteers who work together. https://www.hpe.com/us/en/insights/articles/disrupting-cyberwar-with-open-source-intelligence-1810.html
https://www.nytimes.com/2018/10/23/us/politics/russian-hacking-usa-cyber-command.html American operatives are messaging Russians working on disinformation campaigns to let them know they've been identified. It's a measured step to keep Moscow from escalating.
Archive for researchers provides picture of Internet Research Agency's influence ops. https://arstechnica.com/tech-policy/2018/10/twitter-publishes-dump-of-accounts-tied-to-russian-iranian-influence-campaigns/
The kingdom silences dissent online by sending operatives to swarm critics. It also recruited a Twitter employee suspected of spying on users, interviews show. https://www.nytimes.com/2018/10/20/us/politics/saudi-image-campaign-twitter.html
Like many cybersecurity bunkers, IBM's foxhole has deliberately theatrical touches. Whiteboards and giant monitors fill nearly every wall, with graphics that can be manipulated by touch. “You can't have a fusion center unless you have really cool TVs,'' quipped Lawrence Zelvin, a former Homeland Security official who is now Citigroup's global cybersecurity head, at a recent cybercrime conference. “It's even better if they do something when you touch them. It doesn't matter what they do. Just something.'' Security pros mockingly refer to such eye candy as `pew pew' maps, an onomatopoeia for the noise of laser guns in 1980s movies and video arcades. They are especially useful, executives concede, to put on display when V.I.P.s or board members stop by for a tour. Two popular `pew pew' maps are from FireEye and the defunct security vendor Norse, whose video game-like maps show laser beams zapping across the globe. Norse went out of business two years ago, and no one is sure what data the map is based on, but everyone agrees that it looks cool. https://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html

Of course, a comment on the article has the solution: BLOCKCHAIN Software guarantees a valid trail of corrupted files, preserving the data. I wonder how long it will be until even that system is defeated. With BlockChain software the power is its distributive system, meaning that the data is stored in multiple private computers. Whether that system meets legal requirements for privacy is another question. But the logic is clear: if data is distributed according to a randomizing algorithm, that makes it a lot more complicated for intruders to be able to follow data and to corrupt the system to a point where it shuts down. Or worse, becomes subject to malware that results in ransom or other maneuvers of financial plundering.
It is, no doubt, the bane of our digital world that the vulnerabilities are incomprehensible to the lay person and difficult if not impossible for the experts to protect fully. Things may not be at the point where investors are advised to purchase gold and hide under a mattress. But we may well be headed in that direction.
Brian Wang, Next Big Future, 18 Oct 2018, via ACM TechNews, 19 Oct 2018 IBM researchers have mathematically validated certain problems that require only a fixed circuit depth when performed on a quantum computer regardless of how the number of quantum bits used for inputs increases; these same problems require larger circuit depths on classical computers. The proof is that there will be problems that can only be executed on quantum systems, and others which can be conducted much faster on quantum computers. The research proves fault-tolerant quantum computers will do some tasks better than classical computers, and offers guidance on how to further current technology to leverage this as rapidly as possible. This marks the first demonstration of unconditional partitioning between quantum and classical algorithms. In practical terms, short-depth circuits are part of the deployments of algorithms, so this result does not specifically state how and where quantum computers might be better options for particular business problems. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1ccf3x217f19x069069
Buggy updates point at deeper problems. https://arstechnica.com/gadgets/2018/10/microsofts-problem-isnt-shipping-windows-updates-its-developing-them/
[I agree with Susan] A Final Update on Our Priorities for 2018 https://youtube-creators.googleblog.com/2018/10/a-final-update-on-our-priorities-for.html Article 13 as written threatens to shut down the ability of millions of people—from creators like you to everyday users—to upload content to platforms like YouTube. And it threatens to block users in the EU from viewing content that is already live on the channels of creators everywhere. This includes YouTube's incredible video library of educational content, such as language classes, physics tutorials and other how-tos. This legislation poses a threat to both your livelihood and your ability to share your voice with the world. And, if implemented as proposed, Article 13 threatens hundreds of thousands of jobs, European creators, businesses, artists and everyone they employ. The proposal could force platforms, like YouTube, to allow only content from a small number of large companies. It would be too risky for platforms to host content from smaller original content creators, because the platforms would now be directly liable for that content. I agree 100% with Susan regarding the EU's horrific Article 13 and the immense damage that it would do, particularly to smaller creators.
https://www.bloomberg.com/news/articles/2018-10-22/now-apps-can-track-you-even-after-you-uninstall-them
https://spectrum.ieee.org/the-human-os/biomedical/devices/these-researchers-want-to-send-smells-over-the-internet Risk: Scent molecules trigger an allergic reaction or are accidentally/intentionally blended into a poisonous vapor. The IoT evolves into the IoA—Internet of Aromas; IoO—Internet of Odors. "The Emperor of Scent" by Chandler Burr discusses Luca Turin's theory of how the human nose scent glands apply inelastic electron tunneling to distinguish aromas. [See RISKS-28.78 for *Scent Received, With a Tap of a Smartphone*, Smell-o-Vision, Scent of Mystery, and Smell-O-Phones. The nose knows, and the nos have it? An aye for an aye! Say Neigh to the Internet of Thinks Stinks? PGN]
Australians are endlessly fascinated by correspondence and articles about the failures and fiddles associated with the US voting system. We have always believed a stable and trustworthy system of ballots to be fundamental to democracy, and we wonder why Americans don't reform the whole system. Australia has a preferential ballot system, and what is erroneously called *compulsory voting*. No one has to vote, because we also have secret ballots (we claim to have invented them). So if you write obscenities on the paper or leave it unmarked, then no one will be the wiser. However you do need to attend a local booth on the day of the election and have your name crossed on the electoral roll, and you might get a small fine if you don't vote and don't have a legitimate excuse why you didn't perform this basic civil duty. My American friends see this as a draconian infringement on their human rights. Yet (by comparison) as Rob Slade (Jury Duty, 19 Oct) points out, his civic jury duty for a trial is likely to last 3 months - for those too *stupid* not to get themselves disqualified. So the argument about infringement on rights is trivial to the point of ridiculous. In my long life-time, jury duties and Vietnam War/National Service conscription have been greater impositions than fifteen minutes spent every few years to vote. Security comes from the universality of enrollment. Australia rarely has more than trivial voting scandals because it is almost impossible to manipulate the system without it becoming glaringly obvious. So citizens don't need to have identification when they vote; no one ever gets scrubbed from the rolls. There are no disputes to hold up the voting queues, and you can cast a vote in a distant electoral district if you are away from home. Voting machines are unnecessary also because many people can vote at the time (which saves millions of dollars). We just put numbers alongside the names on the ballot paper and most Australians can count from 1 to 5.
Local scrutineers (who are aligned with the candidates) watch while the count is tallied after the close of voting. The system is designed to keep it simple, keep technology at a distance, and have every citizen involved in making the final decision. You register to vote once when you come of age, and that is it—unless you change addresses (or names when women get married). Preferential voting also produces an outcome more aligned to the will of the local electorate, and it has the additional benefit of diminishing the over-riding power of the two major political parties. Preference voting encourages independent candidates to enter the political conversation and add their weight to the discussion. Americans will always have problems with the current US voting systems, and it's about time that people faced up to that and looked at alternatives. Stewart Fist, 70 Middle Harbour Rd, LINDFIELD NSW 2070
> ...Paper ballots and better security for election machines. Fine, but not
> a solution. Counting millions of paper ballots in thousands of locations
> is not secure or affordable.

That is clearly false, since we conducted elections with hand counted paper ballots in thousands of locations for centuries. Canada still does. The ballot counting machines we use in New York count the ballots as the voters put them in the machine. I assume that after the polls close, they can lock the machine, read the totals, and call them in to get the tentative results. There are procedures for sealing the machines, delivering the ballots, and so forth which I used to know when I was an election official, but have since forgotten. I realize this may come as a surprise for people expecting instant gratification, but there is no need to report the results of an election quickly. I used to live in Cambridge MA where we used paper ballots to do single transferable vote elections for city council and school committee. After the polls closed, they took the ballots to the high school gym where they counted them with observers and challenges. It took about a week, which was no problem at all since that still left plenty of time before the winners were certified and the new boards seated a month and a half later.
I think John Levine sees the need for independently checking paper ballots. The story of Cambridge and other places shows that hand-checking is expensive. The US has 100 to 140 million long ballots to count, and a history of shenanigans. Canadian voters typically vote on one contest during each election, so counting is far simpler and cheaper than in the US where we often have pages of choices. Ballot-counting machines in NY and most states do read each ballot and produce totals. Those machines are computers, and can be hacked when they get annual updates or sit unguarded at polling places the night before an election, so the "totals" they show may not reflect the ballots. A really good feature is that NY also recounts ballots from 3% of the machines, manually or with an independent machine. I'd like to see more independent counts, since a nation-state could hack the independent machine too, but NY is far ahead of states which don't check a good sample at all. https://www.verifiedvoting.org/state-audit-laws/
This is likely because it is irrelevant. Once you have the requisite NT AUTHORITY\SYSTEM level access that is required to carry out the "registry hack" to enable this "backdoor" there is no point in going to all the trouble—and there are much easier ways to obtain and maintain "Administrator" rights (or whatever rights you want) on Windows—especially after you have once subverted the Operating System and obtained NT AUTHORITY\SYSTEM privileges. Besides which, this is not really a security problem/flaw, the system is merely working as designed. You can achieve just about the same thing in any Operating System authorization system by making similar changes to the information base used to generate the authorization token, and it is just as trivially easy once you ALREADY HAVE "Act as part of the Operating System" privilege.