BREAKING NEWS This article features my thoughts on the recent Florida Election recounts: https://www.weeklystandard.com/alice-b-lloyd/who-needs-hackers-when-you-have-human-error This is actually the *third* time where ballot layouts in certain Florida counties may have confused voters. Here's a detailed report about the 1988 election which led NIST (then NBS) researcher Roy Saltman to recommend against the use of the "butterfly ballot" that was (later) front-and-center in 2000. http://aliciapatterson.org/stories/tale-weird-drop-offs-and-jump-ups-are-computer-vote-counts-honest Different scanners now, no hanging chad, but a similar problem. Coincidence? I think not. Those who fail to learn from the past.... Rebecca Mercuri.
https://www.msn.com/en-us/news/politics/670-ballots-in-a-precinct-with-276-voters-and-other-tales-from-georgias-primary/ar-BBLBUA4 WASHINGTON - Habersham County's Mud Creek precinct in northeastern Georgia had 276 registered voters ahead of the state's primary elections in May. But 670 ballots were cast, according to the Georgia secretary of state's office, indicating a 243 percent turnout. Georgia is one of four states that uses voting machines statewide that produce no paper record for voters to verify, making them difficult to audit, experts say. Difficult indeed. Coincidentally (we hope), 83% of the county vote was for the outgoing secretary of state Kemp. It really only takes one story like this to prove the larger proposition that unauditable electronic voting machines are a menace to democracy. Only obvious errors like this bubble to the surface; who knows what goes on in other cases?
Kim Zetter, Motherboard, 5 Nov 2018 <https://motherboard.vice.com/en_us/contributor/kim-zetter> Voting Machine Manual Instructed Election Officials to Use Weak Passwords A vendor manual for voting machines used in about ten states shows the vendor instructed customers to use trivial easy-to-crack passwords and to re-use the passwords when changing log-in credentials. States and counties have had two years since the 2016 presidential election to educate themselves about security best practices and to fix security vulnerabilities in their election systems and processes. But despite widespread concerns about election interference from state-sponsored hackers in Russia and elsewhere, apparently not everyone received the memo about security, or read it. An election security expert who has done risk-assessments in several states since 2016 recently found a reference manual that appears to have been created by one voting machine vendor for county election officials and that lists critical usernames and passwords for the vendor's tabulation system. The passwords, including a system administrator and root password, are trivial and easy to crack, including one composed from the vendor's name. And although the document indicates that customers will be prompted periodically by the system to change the passwords, the document instructs customers to re-use passwords in some cases—alternating between two of them—and in other cases to simply change a number appended to the end of some passwords to change them. https://motherboard.vice.com/en_us/article/kzvejx/voting-machine-manual-instructed-election-officials-to-use-weak-passwords
https://www.propublica.org/electionland/ Probably lots more to report as well.
https://www.nytimes.com/2018/11/08/world/asia/indonesia-plane-crash-last-moments.html As American and Indonesian investigators puzzle through clues of troubles that befell Flight 610, they are finding not a single lapse but a cascade of issues.
https://www.washingtonpost.com/world/asia_pacific/boeing-issues-warning-on-potential-instrument-malfunction-after-indonesia-crash/2018/11/07/b43168b6-e265-11e8-a1c9-6afe99dddd92_story.html Airplane manufacturer Boeing said Wednesday that it has issued a bulletin to airlines worldwide warning of erroneous readings from flight-control software on its planes, after an almost-new Lion Air jetliner crashed into the sea soon after takeoff, killing the 189 people on board. Boeing, which is assisting in an investigation into what went wrong in the Oct. 29 crash of one of its new 737 Max 8 jets, said in a statement that it issued the bulletin Tuesday as "part of its usual process."
Most things don't happen the way they do in the movies. Changes are less sudden, incidents less surprising, humans less attractive. But when a runaway train tore through the Australian outback, the action sequence that followed seems to have come right out of a Tony Scott flick. The whole mess started when the engineer stopped the 268-car, four-locomotive train and hopped out to inspect one of the cars, according to the Australian Transport Safety Board. While he was on the ground (presumably distracted by giant spiders and roving kangaroos), the train pulled away with nobody on board. Loaded down with iron ore, it was soon hitting 68 mph. The train, operated by metals, mining, and petroleum giant BHP, covered a remarkable 57 miles before the company stopped it--by flinging it off the tracks. Nobody was hurt, though the investigators, who are working to determine why the train pulled away in the first place, rated the damage to the equipment as `substantial'. ... Here's one spot of good news: The technology to prevent an extended runaway train incident like this one already exists. Positive Train Control systems use train- and rail-mounted GPS and sensors to track locomotive movement and alert conductors and dispatchers to imminent derailments or collisions. If humans don't react to the warnings, the systems are designed to automatically brake trains before something terrible goes down. Congressional legislation demanded that America's rail operators implement Positive Train Control by 2015, but the Department of Transportation extended the deadline to December 2018 after many struggled to deploy the technology in time. According to the DOT's Positive Train Control dashboard, just 18 of 40 railroads had PTC implemented on all their locomotives by July of this year. https://www.wired.com/story/australia-runaway-train-derailment/
https://www.washingtonpost.com/business/rules-of-the-road-evade-driverless-cars/2018/11/09/1e1475a0-e484-11e8-ba30-a7ded04d8fac_story.html "Ghosn also acknowledged a big barrier to innovation: regulations and clearing any obstacles they raise before mass-marketing. This is more than just a caveat. Legal questions from traffic rules to liability in an accident ultimately will determine whether consumers—be they big corporations or individuals—decide if they can live with driverless cars, or can't live without them." "Removing the driver reduces a company's cost of goods by as much as 90 percent, he said." Risk: Cross-border compliance with traffic rules complicates AV deployment and elevates safety underachievement potential without a binding international treaty. Especially critical for freight delivery services. Unwise to rely on GPS signal to automatically determine AV navigation/driving rule localization enforcement especially near an international border.
Volkswagen has updated its Car-Net mobile app with deeper Siri integration to allow drivers to perform specific tasks remotely from their vehicle, enabling users to lock or unlock their car from far away just by asking Apple's digital assistant on an iPhone. Announced on Monday, iPhones and iPads running iOS 12 can start to use Siri with the Car-Net <http://www.vw.com/carnet> app to control their vehicle. Once set up with the app, Siri can be used to change whether or not the car is locked, and to check the estimated mileage remaining for fuel, or for electric vehicles, how much charge is remaining. If the driver has forgotten where the car is located in a parking lot, they can also ask Siri to flash the lights or honk the car's horn so it can be more easily found. There are also several shortcuts that can be enabled in Siri with personalized phrases, including commands to start or stop charging, to defrost the windows, to set the climate control temperature, and a "where is my car?" query. https://appleinsider.com/articles/18/11/12/siri-shortcuts-can-now-be-used-with-the-vw-car-net-app-to-remotely-control-a-vehicle Hmm. What could go wrong with remote access to cars? I wonder how it's secured...
BBC, 12 Nov 2018 https://www.bbc.com/news/technology-27662580 Finnish Prime Minister Juha Sipila has said the GPS signal in his country's northern airspace was disrupted during recent NATO war games in Scandinavia. He said he believed the signal had been jammed deliberately and that it was possible Russia was to blame because it had the means to do so. Finland is not a NATO member but joined the war games which began last month. Norway also reported GPS problems during the exercises near Russia's north-western borders. "It is difficult to say what the reasons could be but there are reasons to believe it could be related to military exercise activities outside Norway's borders," Wenche Olsen, director of the Civil Aviation Authority of Norway, told the *Barents Observer* earlier this month. Russia is also suspected of jamming the GPS signal in Norway's border area last year when it held its own war games. Relations between NATO and Russia have been strained since Russia annexed Crimea from Ukraine in 2014. How serious was the disruption? The Finnish region of Lapland and northern parts of Norway close to the Russian border were affected, with the Norwegian regional airline Widerøe confirming its pilots had experienced GPS disruption, Germany's DW news site reports. However, the airline pointed out that pilots aboard civilian aircraft had other options when a GPS signal failed. "This is not a joke, it threatened the air security of ordinary people," said Mr Sipila, who is himself an experienced pilot. "It is possible that Russia has been the disrupting party in this. Russia is known to possess such capabilities." How could Russia block the signal? GPS is a global navigation system originally devised by the US military which works by sending signals from satellites above the Earth back down to receivers. "Technology-wise, it's relatively easy to disturb a radio signal, and it's possible that Russia was behind it," Mr Sipila was quoted as saying.
Russia's electronic warfare capability has impressed many NATO commanders, the BBC's Jonathan Marcus wrote last year. The country has its own, lesser-known global navigation system, called Glonass. Why were the wargames held? NATO's biggest military exercise since the Cold War, code-named Trident Juncture, rehearsed how the US-led alliance would respond to the invasion of an ally. All 29 NATO members, as well as Finland and Sweden, were involved and it took place a few hundred miles from Norway's border with Russia. At one point in the exercises, a Russian maritime reconnaissance plane flew past a US warship, the USS Mount Whitney. The exercises began on 25 October and ended last Wednesday. Just after they ended, an oil tanker collided with one of the Norwegian warships involved, in a fjord in southern Norway. The warship had been repeatedly warned of its collision course with the tanker, the BBC was told.
For two hours Monday, Internet traffic that was supposed to route through Google's Cloud Platform <https://www.wired.com/story/google-cloud-security-command-center/> instead found itself in quite unexpected places, including Russia and China. But while the haphazard routing invoked claims of traffic hijacking—a real threat, given that nation states could use the technique to spy on web users or censor services—the incident turned out to be a simple mistake with outsized impacts. https://www.wired.com/story/google-internet-traffic-china-russia-rerouted/ [Li Gong noted this: https://www.darkreading.com/vulnerabilities---threats/google-traffic-temporarily-rerouted-via-russia-china/d/d-id/1333257 PGN]
https://www.nytimes.com/video/opinion/100000006210828/russia-disinformation-fake-news.html Informative series on disinformation campaigns (aka Active Measures == Bullsh*t), their discovery, patterns/characteristics, and mechanisms to counter them. Note: the United States has conducted, and likely continues to conduct, disinformation campaigns internationally to achieve certain strategic and/or tactical political/policy objectives. Interesting to note that a disinformation campaign, as conducted by Russia's GRU, follows 7 rules for deployment:
Rule 1) "Find a Crack"
Rule 2) "The Big Lie"
Rule 3) "A Kernel of Truth"
Rule 4) "Conceal your Hand"
Rule 5) "The Useful Idiot"
Rule 6) "Deny Everything"
Rule 7) "The Long Game"
Risks by the bushel: (a) uninformed electorate that believes disinformation despite factual evidence to the contrary; (b) political governance that applies similar disinformation tactics to mislead and polarize populace or is not versed in policy formulations to counteract it; (c) dissolution of democracy; (d) severing of strategic international relationships; (e) social media business profit preservation and prioritization (exploiting viral and divisive content) to subvert democratic process.
Still a few months away, but perhaps worth knowing ahead of time: on Saturday, 6 April, 2019, 23:25 UTC, the GPS week counter field will roll over:

> However, the [GPS data] field that contains the week number is a 10-bit binary number. This limits the range of the week number to 0 - 1023, or 1024 total weeks.
>
> GPS week zero started January 6, 1980. The 1024 weeks counter ran out and rolled over on August 21, 1999. The week counter then reset to zero, and it has been recounting ever since. The next time the counter will reach week 1023 and rollover to zero is on April 6, 2019.
>
> Receivers must properly interpret that week number as the correct date, not 19.7 years into the past or future. To do this, receivers use various methods to ensure that they are providing the correct date. One common method is to use the firmware date as a reference. This works well if the receiver is new or is receiving firmware updates. It is also possible for the user to modify this reference date in some receivers.

https://spectracom.com/resources/blog/lisa-perdue/2018/gps-2019-week-rollover-what-you-need-know

I was reminded of this by a recent article:

> When a Pennsylvania county's 911 system suddenly went down without warning, garbled messages across the network impacted fire and police agencies' ability to respond to emergency messages. The issue was traced to a firmware malfunction on communications equipment, related to provision of GPS timing. The firmware had not been updated for 19-1/2 years. Why should it have been? Everything was working fine—until it didn't.

https://www.gpsworld.com/prepare-today-for-timing-disruptions-tomorrow/

This roll-over last occurred in August 1999, and a few incidents were mentioned in RISKS-20.55: https://catless.ncl.ac.uk/Risks/20/55 The world now uses GPS a lot more than it did twenty years ago, especially in embedded things.
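The resolution rule the Spectracom post describes (use a reference date such as the firmware build date to decide which 1024-week epoch a 10-bit week field belongs to), written out as working code. This is an added example, not part of the post or of this RISKS item and not any receiver vendor's code. The calendar arithmetic is Howard Hinnant's days_from_civil/civil_from_days; the assumption the example makes about the receiver is "the true date is not before my reference date and less than 1024 weeks after it"; the reference dates and week values in main() are constructed for illustration.

```c
/* Added example: resolving a 10-bit GPS week number against a reference date.
 * Not from the Spectracom post or any receiver firmware. */
#include <stdint.h>
#include <stdio.h>

#define GPS_WEEK_MOD 1024   /* the week field in the navigation message is 10 bits wide */

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    const int64_t era = (y >= 0 ? y : y - 399) / 400;
    const int64_t yoe = y - era * 400;                                   /* [0, 399] */
    const int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;  /* [0, 365] */
    const int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;           /* [0, 146096] */
    return era * 146097 + doe - 719468;
}

/* Inverse of days_from_civil, packed as yyyymmdd so results compare easily. */
static int64_t civil_from_days(int64_t z)
{
    z += 719468;
    const int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    const int64_t doe = z - era * 146097;
    const int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    const int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    const int64_t mp = (5 * doy + 2) / 153;
    const int64_t d = doy - (153 * mp + 2) / 5 + 1;
    const int64_t m = mp + (mp < 10 ? 3 : -9);
    const int64_t y = yoe + era * 400 + (m <= 2);
    return y * 10000 + m * 100 + d;
}

/* GPS week 0 began on Sunday 1980-01-06. */
static int64_t gps_epoch_days(void) { return days_from_civil(1980, 1, 6); }

/* Full week number for a 10-bit week field: the unique W with
 * W % 1024 == week10 and ref_week <= W < ref_week + 1024. The reference date
 * plays the role the post gives to the firmware date (assumption). */
int64_t gps_resolve_week(int week10, int ref_y, int ref_m, int ref_d)
{
    int64_t ref_week = (days_from_civil(ref_y, ref_m, ref_d) - gps_epoch_days()) / 7;
    int64_t w = ref_week - ref_week % GPS_WEEK_MOD + week10; /* same 1024-week epoch as ref */
    if (w < ref_week)
        w += GPS_WEEK_MOD;                                   /* ...or the next one */
    return w;
}

/* Calendar date (yyyymmdd) of the Sunday that starts a full GPS week. */
int64_t gps_week_start_ymd(int64_t full_week)
{
    return civil_from_days(gps_epoch_days() + full_week * 7);
}

/* 10-bit week field + reference date -> yyyymmdd of that week's start. */
int64_t gps_date_ymd(int week10, int ref_y, int ref_m, int ref_d)
{
    return gps_week_start_ymd(gps_resolve_week(week10, ref_y, ref_m, ref_d));
}

int main(void)
{
    /* Week field 0 seen by a receiver with an early-1999 reference date: the 1999 rollover. */
    printf("week 0,    ref 1999-01-01 -> %lld\n", (long long)gps_date_ymd(0, 1999, 1, 1));
    /* Same field value with a late-2018 reference date: the April 2019 rollover. */
    printf("week 0,    ref 2018-11-01 -> %lld\n", (long long)gps_date_ymd(0, 2018, 11, 1));
    /* A late-2018 week (field 1001) on firmware last updated in 1999: 19.7 years in the past. */
    printf("week 1001, ref 1999-03-01 -> %lld  (stale reference)\n", (long long)gps_date_ymd(1001, 1999, 3, 1));
    printf("week 1001, ref 2018-11-01 -> %lld\n", (long long)gps_date_ymd(1001, 2018, 11, 1));
    return 0;
}
```

The last two calls reproduce the failure the GPS World item describes: the same week field value (1001) resolves to March 1999 for a device whose reference date is its 1999 firmware, and to October 2018 for one whose reference is current. The rule also has a failure mode in the other direction: a reference date later than the true date pushes the result 1024 weeks into the future, so a receiver should never set its reference later than its build or last-update date.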
https://www.theguardian.com/world/2018/nov/15/japan-cyber-security-ministernever-used-computer-yoshitaka-sakurada "A Japanese minister in charge of cybersecurity has provoked astonishment by admitting he has never used a computer in his professional life, and appearing confused by the concept of a USB drive." Risk: Incurious governance oversight of a cabinet-level portfolio diminishes public health and safety readiness. A "decider" decides w/o subject matter comprehension. "Magic 8-ball" governance can be simulated. [Gene Wirchenko saw another item on this story "Japanese cybersecurity minister finds computers a mystery" https://www.zdnet.com/article/japanese-cybersecurity-minister-finds-computers-a-mystery/ and noted "Can you spot the security risk?" PGN]
[Note: This item comes from friend Paul Pangaro. DLH] Nellie Bowles, *The New York Times*, 9 Nov 2018 Tech CEOs Are in Love With Their Principal Doomsayer The futurist philosopher Yuval Noah Harari thinks Silicon Valley is an engine of dystopian ruin. So why do the digital elite adore him so? <https://www.nytimes.com/2018/11/09/business/yuval-noah-harari-silicon-valley [Long item pruned for RISKS. PGN]
Catalin Cimpanu for Zero Day | 7 Nov 2018 https://www.zdnet.com/article/iot-botnet-infects-100000-routers-to-send-hotmail-outlook-and-yahoo-spam/ IoT botnet infects 100,000 routers to send Hotmail, Outlook, and Yahoo spam Botnet infects routers and uses them to relay connections to webmail services. opening text: A new botnet made up of roughly 100,000 home routers has silently grown over the past two months. According to current evidence, the botnet's operators appear to use the infected routers to connect to webmail services and are most likely sending out massive email spam campaigns.
Spectre is no longer just an annoyance; it is a scandal bigger than Dieselgate, affecting *billions* of people. Is it just me, or does anyone else in computer science feel a deep sense of embarrassment and betrayal? We professionals in computer science have spent 50+ years advocating proper code hygiene in which every array reference is properly bounds-checked to avoid the dreaded *buffer overflow*, which is the source of perhaps the largest fraction of software bugs and hacking vulnerabilities. We've beaten up on computer languages such as C & C++ for their bad hygiene, and attempted to steer students towards modern languages which are *safe by design*, because they obsessively and anally check every array reference. What has our caution, advice and conscientious programming netted us? We've been undone by our hardware vendors, whose CPUs *ignore* our *explicit instructions* (what is it about the words "instruction", "command", "order code" do these vendors not understand?) to check every array reference—e.g., hence the Spectre bugs. Isn't it time for a *class action lawsuit* against every CPU vendor whose *defective* and *dangerous* products exhibit Spectre vulnerabilities? This is not just *negligence*, but outright *fraud*, because these CPUs violate their own specifications and advertising—their own instruction reference manuals! It is as if an automobile manufacturer put a Spectre-like bug in our automobile braking systems which occasionally ignored the brake pedal because it adversely affected gas mileage. Who cares about a few "accidental" deaths here and there, if the manufacturer can claim a few percentage points additional gas mileage? ***What the CPU manufacturers have done is every bit as bad as what the auto manufacturers did to *cheat government emissions testing*! ***
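The mismatch the post complains about, a bounds check that is honoured architecturally but not during speculative execution, next to the mitigation the Linux kernel adopted for it. This is an added example, not from the post or from any CPU or kernel vendor. The arrays and the values in main() are constructed; the mask function follows the generic array_index_mask_nospec() in the kernel's nospec.h and assumes an arithmetic right shift on signed values and a gcc/clang compiler (for the inline-asm barrier). The example shows the gadget and the branch-free clamp; it does not perform the cache-timing readout, which depends on the CPU.

```c
/* Added example: Spectre v1 (bounds-check bypass) gadget and index masking.
 * Not from the RISKS post or any vendor. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
static const uint8_t array1[ARRAY1_SIZE] = {           /* constructed data */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * 512];  /* probe array: one cache line per possible byte value */

/* Textbook Spectre v1 gadget. Architecturally the bounds check holds and the
 * function never touches memory past array1. A CPU that predicts the branch
 * as taken may still execute both loads speculatively for x >= 16; the second
 * load then leaves array2[array1[x] * 512] in the cache, and array1[x] (any
 * byte in the address space) can be recovered by timing which line is hot. */
uint8_t victim_unmasked(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 512];
    return 0;
}

/* Branch-free mask: all ones when index < size, zero otherwise. Pure
 * arithmetic, so there is no branch for the predictor to guess wrong.
 * Assumes size > 0, both values below 2^63, and an arithmetic >> on int64_t. */
size_t index_mask_nospec(size_t index, size_t size)
{
    return (size_t)(~(int64_t)(index | (size - 1 - index)) >> 63);
}

/* Clamp an index to 0 when it is out of range, again without a branch. */
size_t clamp_index_nospec(size_t index, size_t size)
{
    return index & index_mask_nospec(index, size);
}

/* The same gadget with the mitigation: if the branch is mis-predicted the
 * speculative load reads array1[0], not array1[x], so nothing outside the
 * array reaches the dependent load. */
uint8_t victim_masked(size_t x)
{
    if (x < ARRAY1_SIZE) {
#if defined(__GNUC__)
        /* Hide x from the optimizer: after the check it knows x < 16 and
         * would otherwise fold the mask to all ones and drop the mitigation. */
        __asm__ __volatile__("" : "+r"(x));
#endif
        x = clamp_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 512];
    }
    return 0;
}

int main(void)
{
    printf("mask(3, 16)      = 0x%zx\n", index_mask_nospec(3, ARRAY1_SIZE));
    printf("mask(16, 16)     = 0x%zx\n", index_mask_nospec(16, ARRAY1_SIZE));
    printf("clamp(1000, 16)  = %zu\n", clamp_index_nospec(1000, ARRAY1_SIZE));
    printf("victim_masked(3) = %u\n", victim_masked(3));
    return 0;
}
```

The point of the mask is that the CPU cannot skip it: a compare-and-branch is a prediction target, an AND with a computed mask is not. The kernel's x86 version computes the same mask with cmp/sbb in inline assembly for the same reason, and the empty asm barrier above is the same trick the kernel uses to stop the compiler from reasoning the mask away after the bounds check it just saw.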
https://arstechnica.com/information-technology/2018/11/police-decrypt-258000-messages-after-breaking-pricey-ironchat-crypto-app/
Some of the technology on show at the 5th International Homeland Security and Cyber-Exhibition is positively spooky https://www.timesofisrael.com/guns-drones-and-surveillance-equipment-big-brother-steps-out-in-tel-aviv/
[He] had the same view of Kashmir's house that her Internet Service Provider (ISP) has. After Congress voted last year to allow ISPs to spy on and sell their customers' Internet usage data, we were all warned that the ISPs could now sell our browsing activity, or records of what we do on our computers and smartphones. But in fact, they have access to more than that. If you have any smart devices in your home (a TV that connects to the Internet, an Echo, a Withings scale), your ISP can see and sell information about that activity too. With my router [he] was seeing the information about Kashmir and her family that Comcast, her ISP, could monitor and sell. https://gizmodo.com/the-house-that-spied-on-me-1822429852
DJI makes some of the most popular quadcopters <https://www.wired.com/story/guide-drones/> on the market, but its products have repeatedly drawn scrutiny <https://www.wired.com/story/army-dji-drone-ban/> from government over privacy and security concerns. Most recently, the Department of Defense in May banned the purchase of consumer drones made by a handful of vendors, including DJI. <https://dronedj.com/2018/06/07/department-of-defense-bans-the-purchase-of-commercial-over-the-shelf-uas-including-dji-drones/> Now DJI has patched a problematic vulnerability in its cloud infrastructure that could have allowed an attacker to take over users' accounts and access private data like photos and videos taken during drone flights, a user's personal account information, and flight logs that include location data. A hacker could have even potentially accessed real-time drone location and a live camera feed during a flight. https://www.wired.com/story/dji-drones-bugs-exposed-users-data/
Another fascinating vulnerability for a particular algorithmic implementation of fingerprint recognition! This approaches what a master key does for classes of locks. This goes way beyond the individualized gummy-bear attacks. PGN https://www.theguardian.com/technology/2018/nov/15/fake-fingerprints-can-imitate-real-fingerprints-in-biometric-systems-research Researchers have used a neural network to generate artificial fingerprints that work as a "master key" for biometric identification systems and prove fake fingerprints can be created. According to a paper presented at a security conference in Los Angeles, the artificially generated fingerprints, dubbed "DeepMasterPrints" by the researchers from New York University, were able to imitate more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand.
Americans express broad concerns over the fairness and effectiveness of computer programs making important decisions in people's lives http://www.pewinternet.org/2018/11/16/public-attitudes-toward-computer-algorithms/ ... but doesn't seem to motivate most people to opt out where it's possible.
In a post-Supermicro-scoop world, it's important for security teams to review the basics on detecting and guarding against hardware backdoors. Malicious software is relatively easy to find, but what if your actual device is the enemy? Last month, Bloomberg Businessweek broke a story on Chinese nation-state actors secretly implanting spy chips in targeted motherboards manufactured by mega-supplier Supermicro, compromising large enterprises in both the public sector and the private sector. This story came on the heels of multiple revelations earlier this year by security researchers backed by the Department of Homeland Security that the firmware of millions of Chinese-manufactured smartphones was compromised. There is much skepticism over the Bloomberg story because of vehement denials by the organizations implicated and other factors. If nothing else, though, it serves as a good wake-up call to IT security for guarding against hardware-embedded backdoors. For years, after all, it has been anticipated that China would try--or has already tried--embedding malicious backdoors directly into hardware. In 2012, researchers discovered a serious embedded backdoor in a Chinese-manufactured FPGA chipset used by military and aerospace organizations in the West. In this instance, for what it's worth, the cybersecurati generally agreed that this backdoor was inadvertent, not malicious. However, even inadvertent backdoors can be converted to malicious ones if discovered by the wrong person. https://securityboulevard.com/2018/11/guarding-against-backdoors-and-malicious-hardware/
https://www.nytimes.com/2018/11/12/us/politics/us-cyberattacks-declaration.html The Trump administration, leery of limiting its options, chose not to sign on to the nonbinding pact put forward by President Emmanuel Macron of France.
https://www.npr.org/2018/11/12/667118322/the-cleaners-looks-at-who-cleans-up-the-internets-toxic-content '"I have seen hundreds of beheadings. Sometimes they're lucky that it's just a very sharp blade that's being used to them," one content moderator says in a clip from the film.' '"By the end of this year we're gonna have more than 20,000 people working on security and content review," Zuckerberg said.' See https://catless.ncl.ac.uk/Risks/30/09#subj17.1 on Internet cleaning. Risk: PTSD—post-traumatic stress disorder from a desk job.
Personal data including immigration status and employment information were compromised in a breach of HealthCare.gov that affected people who applied for coverage under the Affordable Care Act, former President Barack Obama's hallmark healthcare reform law, the Department of Health and Human Services said Friday. The Centers for Medicare and Medicaid Services (CMS), the division of HHS responsible for running HealthCare.gov's online application portal -- designated the Marketplace—has begun notifying approximately 75,000 people affected by the previously disclosed data breach, officials announced in an update about the incident. https://www.washingtontimes.com/news/2018/nov/10/healthcaregov-breach-compromised-applicants-financ/
A number of iPhone users have discovered their Apple ID has been locked on all of their Apple devices, preventing them from accessing stored data and related services, with the lockdowns occurring for seemingly unknown reasons. ... It is unclear exactly what is happening to cause the accounts to be locked, but the significant rise in online complaints suggests it has happened to a large number of people at the same time with the first "wave" at about midnight eastern time. While it could be caused in error by Apple's account security protocols, there is also the chance that the accounts are being probed by a malicious actor, though ultimately the reason behind the locking of accounts is unknown in this case. Sources inside Apple not authorized to speak for the company told AppleInsider: "At present, this doesn't appear to be an Apple bug. Whatever it is, it is only impacting a minute percentage of our users." https://appleinsider.com/articles/18/11/13/apple-ids-locked-for-unknown-reasons-for-a-number-of-iphone-users
Pressure to exclude Chinese from bidding on 5G build-out, as U.S. and Australia already do. http://www.taipeitimes.com/News/front/archives/2018/11/15/2003704249 Maybe Huawei should go open source? Then, all we'd have to worry about is spy chips.
Bug bounty programs were a major topic of discussion during a panel on risk management at the Money20/20 finance and tech conference in Las Vegas a couple weeks ago. These programs compensate hackers for poking holes in a company's products and finding and reporting any vulnerabilities to the people who can fix them. Ideally, they help companies root out flaws in their code and hardware, making the world safer for businesses and consumers. https://view.email.fortune.com/?qs=4eeb8fb07f569ef3f979cf14268fa83115990788ea48131265220db52f436cd60ec6f6c3730c71af18f048b7f1e25608112f3e42b011768b92d040d012711efef2f1fda5cacf467b
What I have in mind is the paper in the latest CACM, November 2018, Vol. 61 No. 11, Pages 157-165. "LIBS: A Bioelectrical Sensing System from Human Ears for Staging Whole-Night Sleep Study" Sleep study. Good thing, right. Replace the electrode cap applied by a technician with some foam earplugs, saves money, do it at home, results almost as good, plus you can get not only EEG but eye tracking and muscle contractions. They sound very proud. Then their paper ends with a section on other stuff they could do with this.
- autism onset detection
- meditation training
- eating habit monitoring
Well hmm.
- autonomous audio steering... train a hearing aid to favor amplifying sounds from where the user is looking
- also combine with the EEG signal and micro expression to see how pleased the wearers are with the sound they hear
- distraction and drowsiness detection .. see if drivers are alert
- child's interest assessment .. see what the student is paying attention to in class
OK, but then this could be used to
-- see if Winston Smith is paying attention to the telescreen
-- determine if Winston Smith is pleased by what he hears from Big Brother
-- weed out malcontent and rebellious students
-- detect physiological responses to stimuli ("lie detectors")
Oh, not to worry, just don't let anybody stick earplugs with wires on them in your ears. And make sure nobody invents a remote-sensing EEG, and beware of high quality sensor cameras that might pick up your micro expressions and other body responses. Yup, nobody would ever use this for evil, right. If Alexa or Siri offers us a useful gadget that promises to make us happy, will we be allowed to decline? I bet Joe Weizenbaum would be cautious.
https://www.technologyreview.com/s/612388/a-robot-scientist-will-dream-up-new-materials-to-advance-computing-and-fight-pollution/ From the what-if sci-fi risk category. Suppose the material-bot finds a compound that can literally "rip CO2" from the atmosphere by the boat load, and thereby suppress the hockey-stick rise in greenhouse gas concentration. But...the material must be constructed from highly radioactive and toxic combination of elements: radium, thorium, and polonium. Would pursuit of this CO2 scrubber be ethically justifiable if it was the "last chance" to save the Earth's ecosystem?
https://www.npr.org/2018/11/09/666239216/ai-news-anchor-makes-debut-in-china "It's quite difficult to watch for more than a few minutes. It's very flat, very single-paced, it's not got rhythm, pace or emphasis," Michael Wooldridge from the University of Oxford told the BBC. And compared to a trusted human news anchor, he says that "if you're just looking at animation you've completely lost that connection to an anchor." Would a "real silicon muppet" news anchor appeal to a broader audience? As simulation improves, succeeding generations of viewers may accept and trust a silicon muppet as the authoritative voice or face of governance. RISK: Pure propaganda broadcast sows confusion, or stiffens polarization despite contradictory, factual evidence. Recall "Dirty Laundry" lyrics by Don Henley and Danny Kortchmar (see https://www.lyricsfreak.com/d/don%2Bhenley/dirty%2Blaundry_20042033.html): "We can do 'The Innuendo' / We can dance and sing / When it's said and done we haven't told you a thing / We all know that Crap is King / Give us dirty laundry!"
https://www.makeuseof.com/tag/3-crazy-excel-formulas-that-do-amazing-things/ Fun with Excel. I barely understand some of this but will study it. Already learned from this the (trivial) ways to conditionally format cells. Reading more sophisticated techniques scares the bejeezus out of me—how do you test/debug/validate arcane formulas producing results/dashboards/graphs/etc. Mostly can't, right? Great.
https://www.bbc.com/news/health-46155607 "Scientists used ultrasound scanners to look at blood vessels in the necks of more than 3,000 people and monitored them over the next 15 years. "They found those with the most intense pulses went on to experience greater cognitive decline over the next decade than the other study participants. "Researchers hope it may offer a new way to predict cognitive decline. "An international team of experts, led by University College London (UCL), measured the intensity of the pulse traveling towards the brain in 3,191 people in 2002. "A more intense pulse can cause damage to the small vessels of the brain, structural changes in the brain's blood vessel network and minor bleeds known as mini-strokes." Catch-22. More powerful ultrasonic pulses required to spot cognitive decline potential, but powerful pulses damage blood vessels and possibly contribute to TIA—transient ischemic aneurysm (aka stroke). Not a Therac-25 situation, though pulse intensity must be carefully controlled.
https://www.straitstimes.com/business/banking/mas-issues-principles-to-guide-use-of-artificial-intelligence-data-analytics-in "The Monetary Authority of Singapore (MAS) has issued a set of principles to promote fairness, ethics, accountability and transparency (FEAT) in the use of artificial intelligence (AI) and data analytics in finance." http://www.mas.gov.sg/~/media/MAS/News%2520and%2520Publications/Monographs%2520and%2520Information%2520Papers/FEAT%2520Principles%2520Final.pdf The four principles are identified as:
* Fairness
* Ethics
* Accountability
* Transparency
The section on Ethics for AIDA (Artificial Intelligence and Data Analytics) is short:
* Use of AIDA is aligned with the firm's ethical standards, values and codes of conduct.
* AIDA-driven decisions are held to at least the same ethical standards as human-driven decisions.
Mapping explainable AI characteristics to these principles is a challenge. Risks: Brand outrage. AIDA deployment promotes and accelerates organizational profit-seeking behaviors that throttle ethics, fairness, accountability, and transparency parameters.
https://github.com/daviddao/awful-ai Artificial intelligence in its current state is unfair, easily susceptible to attacks and notoriously difficult to control. Nevertheless, more and more concerning uses of AI technology are appearing in the wild. This list aims to track all of them. We hope that Awful AI can be a platform to spur discussion for the development of possible contestational technology (to fight back!).
via NNSquad [Ignore the rants!] https://www.bbc.com/news/technology-46206677 A controversial health app developed by artificial intelligence firm DeepMind will be taken over by Google, it has been revealed. Streams was first used to send alerts in a London hospital but hit headlines for gathering data on 1.6 million patients without informing them. DeepMind now wants the app to become an AI assistant for nurses and doctors around the world. One expert described the move as "trust demolition". IGNORE THE RANTS! - Google taking over this app does ABSOLUTELY NOTHING to reduce the privacy protections included therein, nor does it mean that the related health data will be combined with any other Google data. A textbook example of wacky knee-jerk reactions!
Adam Janofsky, *The Wall Street Journal*, 13 Nov 2018 via ACM TechNews, Wednesday, November 14, 2018 Scientists warn that hackers could weaponize artificial intelligence (AI) to conceal and accelerate cyberattacks and potentially escalate their damage. IBM researchers last month demonstrated "DeepLocker" AI-powered malware designed to hide its damaging payload until it reaches a specific victim, identifying its target with indicators like facial- and voice-recognition and geolocation. IBM's Marc Stoecklin said with DeepLocker, "AI becomes the decision maker to determine when to unlock the malicious behavior." Meanwhile, the Stevens Institute of Technology's Giuseppe Ateniese has investigated the use of generative adversarial networks (GANs), which contain two neural networks that collaborate to deceive safeguards like passwords; he designed a GAN that fed leaked passwords found online into an AI model, to analyze patterns and narrow down likely passwords faster than brute-force attacks. Said Ateniese, "We need to study how AI can be used in attacks, or we won't be ready for them." https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d288x218730x069217%26
China's state media introduced an AI based virtual news anchor. But there are still a few bugs. It referred to Jack Ma—the founder of Alibaba—as Jack Massachusetts. https://radiichina.com/xinhua-unveils-first-english-speaking-virtual-news-anchor/
Connected, he sped through a battery of tests, which tended to either get the job done or leave him wondering if anyone at Amazon who actually cooks gave this thing a whirl before it was released to the public. https://www.wired.com/review/amazonbasics-microwave/ The risk? Rampant IoT adding "di" after first letter.
https://www.washingtonpost.com/technology/2018/11/15/elon-musks-spacex-wins-fcc-approval-put-starlink-internet-satellites-into-orbit '"My favorite example is an innocuous little screwdriver that slipped through an astronaut's grasp and has been circling low Earth orbit at up to 21,600 miles per hour for the last 35 years," said FCC Commissioner Jessica Rosenworcel. "At these speeds, even a common household item can wreak havoc."' Risk: ~2X the current orbital satellite population w/o collisions and no orbit reentry plan. See https://catless.ncl.ac.uk/Risks/30/86%23subj22.1 Average Joe is ineligible to play orbital dodgeball.
"The customer was inadvertently granted a higher level of permissions than he should have had to the Tesla forum," a Tesla spokesperson told Motherboard in an email on Monday. "We revoked the access as soon as it was reported, and made other changes to adjust privileges accordingly following a full audit." https://motherboard.vice.com/en_us/article/7xy8ey/customer-complains-about-tesla-forums-tesla-accidentally-gives-him-control-over-them "...as soon as it was reported...". Nice security. I hope their car patches system is more secure.
Craig Timberg, Renae Merle and Cat Zakrzewski, *The Washington Post*, 8 Oct 2018 Google for months kept secret a bug that imperiled the personal data of Google+ users https://www.washingtonpost.com/technology/2018/10/08/google-overhauls-privacy-rules-after-discovering-exposure-user-data/ Google found a serious privacy bug in its Google+ service, but it did not inform government regulators or users for several months. At that time, it announced that it would be winding down the Google+ service, it would impose new privacy limits on developers for Android apps, and it would limit the sharing of information about Gmail users. Google said it could not notify users about the bug when it was first discovered because it was not sure which users were affected.
Brett Arends, MarketWatch, 12 Nov 2018 https://www.marketwatch.com/story/new-study-claims-facebook-instagram-and-snapchat-are-linked-to-depression-2018-11-09 Spending too much time on "social media" sites like Facebook is making people more than just miserable. It may also be making them depressed. A new study conducted by psychologists at the University of Pennsylvania has shown—for the first time—a causal link between time spent on social media and depression and loneliness, the researchers said. It concluded that those who drastically cut back their use of sites like Facebook, Instagram and Snapchat often saw a marked improvement in their mood and in how they felt about their lives. "It was striking," says Melissa Hunt, psychology professor at University of Pennsylvania, who led the study. "What we found over the course of three weeks was that rates of depression and loneliness went down significantly for people who limited their (social media) use." Many of those who began the study with moderate clinical depression finished just a few weeks later with very mild symptoms, she says. The study, "No More FOMO: Limiting Social Media Decreases Loneliness and Depression," was conducted by Melissa Hunt, Rachel Marx, Courtney Lipson and Jordyn Young, is being published by the peer-reviewed Journal of Social and Clinical Psychology.
Shop Safe This Holiday Season Teddy bears that connect to the Internet. Smart speakers that listen to commands. Great gifts--unless they spy on you. We created this guide to help you buy safe, secure products this holiday season. This shows how creepy users find these products. Scroll to see it change. Click on a product to rate it. https://foundation.mozilla.org/en/privacynotincluded/ Dial-a-risk, nicely calibrated.
https://www.bbc.com/news/av/stories-46152427/the-digital-epidemic-killing-indians (part of a BBC series on fake news and misinformation). Misinformation drives crowds to act maliciously against civilians. Crowd-sourced vigilantism. Risk: Ineffective regulation and irresponsible oversight of messaging application content threatens public order, weakens civility, and erodes public trust.
She now faces evidence tampering and prosecution hindering counts https://dailygazette.com/article/2018/11/08/police-woman-remotely-wipes-phone-in-evidence-after-shooting
A gamer in Melbourne has had his assets frozen in connection with a popular video game cheat. He's one of many being sued by game companies worldwide, raising questions about copyright law and the policing of online civility. https://nyti.ms/2yZR4mz
MoneyGram pays huge penalty to settle FTC and DOJ allegations that it didn't do enough to stop fraudsters from using its money transfer system https://www.washingtonpost.com/business/2018/11/09/moneygram-agrees-pay-million-failing-crack-down-fraudulent-money-transfers/
https://www.bizjournals.com/sanantonio/prnewswire/press_releases/Texas/2018/11/13/DA70769 Charlie Osborne for Zero Day | November 15, 2018 The Zebra, the nation's leading car insurance search engine, today released findings of an investigative report that explores whether the U.S. auto insurance industry—which serves 250 million U.S. drivers—is collecting and using data about consumers' online behaviors and preferences (their "digital footprints") to calculate what people pay for their car insurance policies. Link to report: https://www.thezebra.com/research/digital-footprint-car-insurance/
"The entire campaign was predicated on a lie." https://www.boston.com/news/national-news/2018/11/15/homeless-man-viral-gofundme-arrested
https://datadating.tacticaltech.org/viz In May 2017 artist Joana Moll and Tactical Tech purchased 1 million online dating profiles for 136€ from USDate, a supposedly US-based company that trades in dating profiles from all over the globe. The batch of dating profiles we purchased included pictures (almost 5 million of them), usernames, e-mail addresses, nationality, gender, age and detailed personal information about all of the people who had created the profiles, such as their sexual orientation, interests, profession, thorough physical characteristics and personality traits. Purchasing this data exposed a vast network of companies that are capitalising on this information without the conscious consent of the users, who ultimately are the ones being exploited. This project attempts to make parts of that network, and how it works, visible to everyone.
[Yes, it is not directly computer-related, but consider the security risks: 1) headphones while playing alone (What if the intruder had not cut the power first? (possible surprise)) 2) The fuse box being right by the front door. It would be too easy for a computer programmer to be similarly ambushed.] https://soranews24.com/2018/11/19/osaka-woman-terrifyingly-attacked-by-intruder-while-playing-video-games-in-her-home-late-at-night/ [This story] is like something out of an urban legend. At nearly 2 a.m. on 18 November, a 29-year-old woman was playing video games in her apartment in the Mitsumatsu area of Kaizuka City, Osaka Prefecture. She was playing with a pair of headphones on so as not to disturb the neighbors in her building. However, in the middle of her game all the power in her apartment suddenly went out. She walked toward the front door where the fuse box was, but instead found the silhouette of a strange man standing inside her apartment, having somehow gained entrance to her home. He had apparently pulled the circuit breaker moments earlier, and his entrance had been drowned out by the sounds of her gaming. Fuse boxes are often found next to the front door of Japanese apartments.
I would just like to point out that, just because a card is EMV enabled, it does not mean it cannot be attacked by other means such as compromising the POS device. I have recently returned to the UK from a trip that took me to Texas, New Mexico and California. While I was pleased to see a lot of merchants are now using chip and PIN in the US there were a disappointingly high number of places where the mag stripe on my EMV card was `swiped' through the reader and I still had to sign for my purchase. I know that will not account for anything like all of the 90% quoted in the article but it would be worth analysing if there is still a disproportionately high risk from merchants who have yet to migrate to chip and PIN. The problem is that enough data to commit fraud is still held in the mag stripe on the card. Until such time as the mag stripe can be eliminated the cards will be vulnerable. I haven't yet been brave enough to run a strong magnet over the stripe on one of my cards to see what the effect might be.
On 6 Nov 2018 13:44:32 -0500, in comp.risks (Message-ID:<CMM.0.90.4.1541529734.risko@chiron.csl.sri.com1852>) risko@csl.sri.com (RISKS List Owner) wrote: > Has Rob Slade not heard of "The exception proves the rule"? Yes I know > this saying is horribly mis-used, but it almost certainly comes from the > fact that it only takes ONE inconvenient fact to destroy a scientific > theory. That turns out not to be the case. It's a very old legal maxim which says that an exception in the law presupposes the rule it's an exception to. So a sign saying that parking is allowed on Tuesdays implies that there's a rule that it's not allowed on the other days. There are several sites which trace the etymology; one of the more trusted might be <https://www.snopes.com/fact-check/exceptional-proof/> > It is also an inconvenient fact that people dismiss inconvenient facts as > "oh that's just an anecdote". But it only takes one inconvenient anecdote > to be verifiable, at which point it becomes a data point capable of > destroying your theory and lifetime's work. As we just saw, what's "obvious" or "almost certain" may not be true. Anecdotes tend to be passed along and morphed by the whisper-down-the-lane effect. The other problem with anecdotes is confirmation bias. There are, say, ten horrible crashes of self-driving cars. But how many would have been avoided by an alert driver? How many miles of self-driving have there been total, and how does that compare to human-driven miles vs. crashes? > If there are a lot of anecdotes out there you cannot just dismiss and > ignore them. "My cousin's friend was abducted by aliens. What you gotta say about that, Mr. Scientist?" While there are anecdotes which shouldn't be ignored, there are some which should be. There are enough reputable people on all sides of the self-driving car controversies that I expect the truth to come out, and probably in a timely fashion.
On 06/11/18 18:42, RISKS List Owner wrote: > Now, the Tesla can do that, too. If it notices that you're being blocked, > and that there's room in the next lane, a notification appears on your > screen. It informs you that if you put on your turn signal, Autopilot will > take it from there. It does the passing maneuver smoothly and > gracefully. (It doesn't actually return to your original lane, however -- > just changes into a faster lane, passing the slowpoke, and stays there.) Which is illegal - staying in the outside lane, that is. Certainly in the UK. And I got fined in the old GDR for doing that. In the UK, every lane except the nearside is designated a passing (or overtaking) lane and is supposed to be used *only* for that purpose. If there's a lot of traffic, people stay in the outer lanes because they're continually overtaking other vehicles. Or they stay in the outer lanes when they shouldn't, which is actually a major problem. Hogging the middle lane on a motorway is seen as a minor infringement, but on a motorway many vehicles are not allowed to use the outside lane. So if I'm doing 60 towing a caravan, and come across a lane-hog doing 50, I can't get past! If I undertake that's called dangerous driving, and if I overtake then I'm in big trouble for using a lane I am explicitly barred from.
Gabe Goldberg wrote about http://fortune.com/2018/11/05/credit-card-chips-fail-to-halt-fraud-survey-says/ Terrible article by Fortune. EMV was never expected to "put an end to rampant credit card fraud". EMV was expected to make it harder to do CP (Card-Present) fraud, which it has done. And to nobody's surprise (in the Payments industry, anyway) CNP (Card-Not-Present) fraud has gone up while CP fraud has gone down, just as it has in every other market when EMV was introduced. As has surely been discussed here before, the U.S. issuers chose chip & signature instead of chip & PIN as is used in other markets. The stated reason for this is that PINs are "inconvenient", and are thus seen as a competitive disadvantage: if my Chase Visa requires a PIN and my Citi Visa doesn't, the theory is that I'm more likely to use the Citi card. This logic seems thin at best. I believe a more likely real reason is that chip&signature was easier for issuers to implement in their mostly home-grown back-end systems. And this seems to be supported by the fact that most U.S. issuers don't even support chip&PIN. If not for the implementation cost, one would assume that issuers would have added chip&PIN *support* at least while adding EMV support, and thus would at least allow PINs. A few domestic issuers do support chip&PIN: if you ask, they will issue a PIN. But that doesn't mean using the card will ask for a PIN in most cases. It does, however, prepare you for international travel, where chip&PIN is pretty well universal and you may be SOL if you don't have a PIN.
https://www.npr.org/2018/11/17/668408122/facebook-increasingly-reliant-on-a-i-to-predict-suicide-risk '"To just give you a sense of how well the technology is working and rapidly improving...in the last year we've had 3,500 reports," she says. That means AI monitoring is causing Facebook to contact emergency responders an average of about 10 times a day to check on someone—and that doesn't include Europe, where the system hasn't been deployed. (That number also doesn't include wellness checks that originate from people who report suspected suicidal behavior online.) "Davis says the AI works by monitoring not just what a person writes online, but also how his or her friends respond. For instance, if someone starts streaming a live video, the AI might pick up on the tone of people's replies. '"Maybe like, 'Please don't do this,' 'We really care about you.' There are different types of signals like that that will give us a strong sense that someone may be posting of self-harm content," Davis says.' The National Institute of Mental Health (NIMH) cites these statistics for 2016 (https://www.nimh.nih.gov/health/statistics/suicide.shtml):
* Suicide was the tenth leading cause of death overall in the United States, claiming the lives of nearly 45,000 people.
* Suicide was the second leading cause of death among individuals between the ages of 10 and 34, and the fourth leading cause of death among individuals between the ages of 35 and 54.
* There were more than twice as many suicides (44,965) in the United States as there were homicides (19,362).
The age-adjusted suicide rate (per 100,000 persons) in 2016 was 21.3 for men, 6.0 for women, with a 13.4 suicides/day national average (see Table 1 from the shtml page above). One year post-deployment of Facebook's AI algorithm to spot customer suicide potential w/o a statement of false positive detection or false negative detection is curious.
The reference in Solomon's post (https://catless.ncl.ac.uk/Risks/28/45%23subj3): 70% detection accuracy was achievable by analyzing Twitter posts from 171 users. Equivalent arithmetic for Facebook suggests (1-0.7)*3500 = 1050 emergency calls are false positives. The NIMH age-adjusted statistics of 13.4 daily case average suggests that not all potential suicides are either engaged or tracked via Facebook, despite the estimated ~203M users in 2017 (see https://www.statista.com/statistics/408971/number-of-us-facebook-users/). Risk: Emergency service response dilution from suicide detection algorithm contextual analysis bias.
A new book from Professor Josephine Wolff at Rochester Inst. of Technology called *You'll see this message when it is too late* is worth reading <https://www.amazon.com/Youll-this-message-when-late/dp/0262038854/davidstromswebin>. There are plenty of other infosec books on the market, but to my knowledge this is the first systematic analysis of different data breaches over the past decade. She reviews a total of nine major data breaches of the recent past and classifies them into three different categories, based on the hackers' motivations: those that happened for financial gain (TJ Maxx and the South Carolina Department of Revenue and various ransomware attacks); for cyberespionage (DigiNotar and US OPM); and online humiliation (Sony and Ashley Madison). She takes us behind the scenes of how the breaches were discovered, what mistakes were made and what could have been done to mitigate the situation. A lot has been already written on these breaches, but what sets Wolff's book apart is that she isn't trying to assign blame but *dive into their root causes and link together various IT and corporate policy failures that led to the actual breach*. http://blog.strom.com/wp/%3Fp%3D6905