The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 90

Friday 2 November 2018

Contents

Oops! on RISKS issues with missing subject lines
PGN
"Why a Helium Leak Disabled Every iPhone in a Medical Facility"
Daniel Oberhaus
Chinese spies orchestrated massive hack that stole aviation secrets
Ars Technica
How'd this government agency get infected with malware? 9,000 pages of porn.
WashPost
The spreading scourge of broken SSL implementation
Mark Thorson
Feds took woman's iPhone at border, she sued, now they agree to delete data
Ars Technica
Feds Also Using 'Reverse Warrants' To Gather Location/Identifying Info On Thousands Of Non-Suspects
TechDirt
The ethics of who to kill in a crash ...
Rob Slade
Robot backpack: How this Fusion bot aids collaboration
bbc.com
Bolton says he is conducting offensive cyber-action to thwart would-be election disrupters
WashPost
A new study finds potentially manipulative ads in apps for preschoolers
WashPost
Re: Explainable AI Simulation for AVs
Amos Shapir
Re: Toward Human-Understandable, Explainable AI
Richard Stein
Info on RISKS (comp.risks)

Oops! on RISKS issues with missing subject lines

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 1 Nov 2018 11:12:15 PDT
Apologies for causing the subject line of the previous two RISKS issues to
disappear, because of my forgetting to remove a header line in the draft
issue that comes from my mail system and enables me to append more items.
We are supposed to learn from our failures; long ago Henry Petroski noted
that we don't do that very well—and that we don't even learn enough from
our successes either.

This issue explicitly avoids the previous problem (which I have almost
always assiduously avoided in past RISKS issues), and I will revert to my
usual check-list in the future.  The combination of extraneous text
introduced by SRI's Office-365 mail system (safelinks messing with URLs,
insertion of `[EXTERNAL SENDER]'—which yesterday was changed to `[CAUTION
EXTERNAL]'—after protests that the clutter was annoying!—in subject
lines from mail from non-SRI subscribers, and huge piles of additional
header cruft) are making the editing of RISKS issues much more onerous and
time-consuming.

If you are submitting something for consideration for RISKS, please avoid
duplicating html versions of your ASCII submission, avoid including entire
copies of previous messages to which you are responding, try to minimize
non-utf-8 text, and otherwise reduce the amount of editing I have to do.
That will help me considerably.  Thanks!  PGN


"Why a Helium Leak Disabled Every iPhone in a Medical Facility" (Daniel Oberhaus)

Gene Wirchenko <genew@telus.net>
Thu, 01 Nov 2018 09:18:11 -0700
Motherboard, 30 Oct 2018,

https://motherboard.vice.com/en_us/article/gye4aw/why-a-helium-leak-disabled-every-iphone-in-a-medical-facility
Why a Helium Leak Disabled Every iPhone in a Medical FacilityT
The bizarre incident happened during the installation of an MRI machine and
was a surprise to everyone except Apple.

selected text:

An IT worker at a medical facility made a remarkable discovery about iPhones
and Apple watches earlier this month, after a freshly installed MRI machine
appeared to disable every iOS device in the hospital.

According to Woolridge, most of the Apple devices in the facility "seemed
completely dead." Many wouldn't give any indication of charging when plugged
into the wall and had issues connecting to the cellular network, but not the
wifi.

Woolridge ran some tests of his own to see if helium could shut down an
iPhone. He placed an iPhone 8+ in a sealed bag and added some helium. In a
video of the test Woolridge runs a stopwatch app on the phone. The stopwatch
increasingly speeds up throughout the course of the video before the iPhone
freezes at around eight minutes. The helium, it seemed, was messing with the
iPhone's clock.

  [Gabe Goldberg added:
    Helium: It's not just to make your voice sound funny.  PGN]


Chinese spies orchestrated massive hack that stole aviation secrets (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 31 Oct 2018 23:15:36 -0400
Feds say campaign hacked 13 firms in bid to help Chinese state-owned aerospace company.

https://arstechnica.com/tech-policy/2018/10/feds-say-chinese-spies-and-their-hired-hackers-stole-aviation-secrets/


How'd this government agency get infected with malware? 9,000 pages of porn. (WashPost)

Monty Solomon <monty@roscom.com>
Tue, 30 Oct 2018 23:11:54 -0400
How'd this government agency get infected with malware? 9,000 pages of porn.

An employee at the U.S. Geological Survey visited more than 9,000
pornography websites and infected the agency's network with malware,
prompting calls to bolster security measures.

https://www.washingtonpost.com/technology/2018/10/30/howd-this-government-agency-get-infected-with-malware-pages-porn/


The spreading scourge of broken SSL implementation

Mark Thorson <eee@dialup4less.com>
Wed, 31 Oct 2018 17:00:19 -0700
I run the Safari browser on an iBook G4. Sure, it's an old machine, but it
works just fine for most of what I use it for.  There have always been
websites that don't work or work well with the Safari browser, and it was no
big deal not to bother looking at those ones.  But in the last year or so,
there has been a proliferation of broken websites I can't access at all, and
it has now spread to websites I care about.

When I write to the people who run these websites, the answer is always the
same: We have to go to https otherwise Google will penalize us in the page
rankings.  When I pointed out that I can access many https sites just fine,
one of them said that they checked with their ISP and were told that they
are running the latest SSL implementation.  I believe that is the problem.

What would be an example of a website that works perfectly fine with my
computer?  This one:

https://www.google.com/

What would be examples of websites that I care about which have dropped off
the web (as far as I'm concerned)?  Here's a few of my recently deceased
former favorites:

https://www.ncahf.org/
https://marginalrevolution.com/
https://www.goldmine-elec-products.com/

I think we can presume that Google has web engineers that are as good as any
in the business, and they don't run broken SSL, even if it is the latest
version.  They probably check many computers and browsers to see that they
work with the Google website, probably including mine.  And they made the
decision to use what they use because they don't want to dump any users like
me for no good reason.

The only solution appears to be to convince webmasters to use an SSL
implementation that isn't broken, like what Google itself uses.  And the
only way to do that is for Google to downgrade broken SSL in page rank,
upgrade the sites that use unbroken SSL, and make sure everybody knows it.


Feds took woman's iPhone at border, she sued, now they agree to delete data

Monty Solomon <monty@roscom.com>
Wed, 31 Oct 2018 23:19:03 -0400
CAIR lawyer pleasantly surprised: "We were prepared for much more pushback."

https://arstechnica.com/tech-policy/2018/10/feds-agree-to-delete-data-seized-off-womans-iphone-during-border-search/


Feds Also Using 'Reverse Warrants' To Gather Location/Identifying Info On Thousands Of Non-Suspects (TechDirt)

Monty Solomon <monty@roscom.com>
Thu, 1 Nov 2018 11:59:59 -0400
https://www.techdirt.com/articles/20181027/08301740920/feds-also-using-reverse-warrants-to-gather-location-identifying-info-thousands-non-suspects.shtml


The ethics of who to kill in a crash ...

Rob Slade <rmslade@shaw.ca>
Wed, 31 Oct 2018 09:42:58 -0700
Over on the (ISC)^2 "community" we're discussing the ethics of who to kill
in a crash, a la the old trolley problem.  Someone stated that he'd never
buy/get into a car that would choose to kill him.

The Faraday Auto Navigating Locomotive Company is proud to announce the
2019 Faraday Watt!

The Watt is our premier model, but priced for families.  It has the greatest
range of options in its class, including 29 cup-holders (unprecedented for a
five seat model) and a 73 inch dashboard display.

It also has the greatest range of user-selectable moral driving options,
including "don't kill me," "kill me but leave my passengers alive," and "I'm
done for, you go on and marry Alice."

Watt! The fun moral driving solution!

Personally, I suspect I'll have problems with cars that think they are
smarter than I am, but I know that we should implement them as soon as
possible because they already drive better than we do and there would be an
instant saving of lives as soon as we do it.  That's risk management.

(And, yes, I know that there are wonderfully horrifying tales of
self-driving cars failing recently.  The plural of anecdote is not data.)


Robot backpack: How this Fusion bot aids collaboration (bbc.com)

Richard Stein <rmstein@ieee.org>
Thu, 1 Nov 2018 13:17:12 +0800
https://www.bbc.com/news/av/technology-45992475/robot-backpack-how-this-fusion-bot-aids-collaboration

Risk: GBH (grievous bodily harm) via remote takeover.


Bolton says he is conducting offensive cyber-action to thwart would-be election disrupters (WashPost)

Richard Stein <rmstein@ieee.org>
Thu, 1 Nov 2018 13:01:14 +0800
[Note: Might make a good April Fools contribution for 2019]

https://www.washingtonpost.com/world/national-security/bolton-acknowledges-us-has-taken-action-to-thwart-would-be-election-disrupters/2018/10/31/0c5dfa64-dd3d-11e8-85df-7a6b4d25cfbb_story.html

"Brett Bruen, a former National Security Council official who has worked on
countering Russian disinformation, called signaling 'a pretty ineffective'
warning shot. 'What we have seen over recent months have been largely
superficial steps, mostly for domestic consumption, to be able to say that
we are doing something,' he said."

A more effective warning shot would be analogous to what transpired in
"French Connection 2." The French Chief Superintendent of Police in
Marseilles called Popeye Doyle's mother.

Call the hacker's mother and explain that her son or daughter is paid to
interfere with American elections and post fake news stories to disrupt
democracy. If a mother's admonishment can't change a hacker's behavior, and
convince them to pursue less provocative career employment, nothing will!


A new study finds potentially manipulative ads in apps for preschoolers (WashPost)

Richard Stein <rmstein@ieee.org>
Wed, 31 Oct 2018 20:17:45 +0800
https://www.washingtonpost.com/technology/the-switch/a-new-study-finds-potentially-manipulative-ads-in-apps-for-preschoolers/2018/10/30/3cc5b606-d764-496b-a5be-b8977fbb9b4c_story.html

"'Our findings show that the early childhood app market is a Wild West, with
a lot of apps appearing more focused on making money than the child's play
experience,' Jenny Radesky, a developmental behavioral expert and an author
of the study, said in a statement. 'This has important implications for
advertising regulation, the ethics of child app design, as well as how
parents discern which children's apps are worth downloading.'

"Children use mobile devices one hour every day, on average, highlighting
the importance of researching what they encounter and how it may affect
their health, Radesky added."


Re: Explainable AI Simulation for AVs (Stein, Risks 30.89)

Amos Shapir <amos083@gmail.com>
Thu, 1 Nov 2018 18:07:25 +0200
What's missing from the detailed list of suggested tests for qualifying
AV's is, IMHO, the most important aspect of driving: interaction with other
drivers, understanding their intentions, and conveying our intentions to
them.

This point is exemplified by the accident in Las Vegas, where a truck
backed into the path of an AV:  A human driver would have either used his
horn to alert the truck's driver, or start backing up, assuming the driver
behind him would realize what was going on, and also back up; the AV in
this case did neither.

Human drivers make a lot of decisions based upon their social experience,
not available to the current generation of AV (and probably many future
generations): How to make sure other drivers understand our intentions?
How are they going to react to our actions?  Such decisions take into
account our assessment of who the other driver is—male or female, young
or old, etc.—and also on parameters like "Is it socially acceptable to
use the horn in this place, or at this time of night?"

Driving is a team effort; it seem likely that AVs will need to share the
roads with human drivers for quite a long time, and would have to be taught
some social skills, before they can blend in safely.


Re: Toward Human-Understandable, Explainable AI (Resiak, RISKS-30.88)

Richard Stein <rmstein@ieee.org>
Wed, 31 Oct 2018 12:08:35 +0800
djc@resiak.org wrote:

 >Though I'm all in favor of the kind of transparency Hani Hagras proposes,
 >I find it difficult to imagine how we can effectively grasp and achieve
 >it.

Vehicular manslaughter trial juries will likely be equally confounded.
Consequently, vehicle manufacturers/operators will need hefty product
liability insurance policies, unless there's regulatory or legislative
indemnification relief.

Unlike nuclear warfare's existential threat, the AV experiment on public
roads raises a public health and safety risk. I certainly agree that
sometimes, it is best to not pursue a solution that risks public health and
safety.

There's a lot of VC and institutional investor money expecting rapid AV
industrial expansion. No risk, no reward. The wheels are greased to move
forward with a bet that AVs constitute a "good enough" simulated equivalence
of carbon-based motorist accident potential. Only a "Red Asphalt" outcome
comparison per NHTSA statistics will prove this equivalence.

Please report problems with the web pages to the maintainer

Top