The RISKS Digest
Volume 30 Issue 92

Wednesday, 21st November 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Commentary on Florida Election Recounts
Rebecca Mercuri
670 ballots in a precinct with 276 voters, and other tales from Georgia's primary
MSN
Voting Machine Manual Instructed Election Officials to Use Weak Passwords
Kim Zetter
Electionland/ProPublica had a lovely collection of election problems already in the wee hours of election evening
PGN
At Doomed Flight's Helm, Pilots May Have Been Overwhelmed in Seconds
NYTimes
Boeing issues warning on potential instrument malfunction after Indonesia crash
WashPost
A Runaway Train Traveled 57 Miles Through Australia's Outback
WiReD
Rules of the Road Evade Driverless Cars
WashPost
Siri Shortcuts can now be used with the VW Car-Net app to remotely control a vehicle
AppleInsider
Russia suspected of jamming GPS signal in Finland
BBC
Why Google Internet Traffic Rerouted Through China and Russia
WiReD
Operation Infektion
The New York Times
GPS week field roll-over
David Magda
System error: Japan cybersecurity minister admits he has never used a computer
TheGuardian.com
Tech CEOs Are in Love With Their Principal Doomsayer
Nellie Bowles
"IoT botnet infects 100,000 routers to send Hotmail, Outlook, and Yahoo spam"
Catalin Cimpanu
Buffer Overflows and Spectre
Henry Baker
Police decrypt 258,000 messages after breaking pricey IronChat crypto app
Ars Technica
Guns, drones, and surveillance equipment: Big Brother steps out in Tel Aviv
The Times of Israel
The House That Spied on me
Gizmodo
A DJI Bug Exposed Drone Photos and User Data
WiReD
Fake fingerprints can imitate real ones in biometric systems
The Guardian
Public Attitudes Toward Computer Algorithms
Pew Research Center
Guarding Against Backdoors and Malicious Hardware
Security Boulevard
U.S. Declines to Sign Declaration Discouraging Use of Cyberattacks
NYTimes
'The Cleaners' Looks At Who Cleans Up The Internet's Toxic Content
npr.org
HealthCare.gov breach compromised applicants' financial, immigration data
Washington Times
Apple IDs locked for unknown reasons for a number of iPhone users
Apple Insider
Debate in Germany over allowing Chinese to bid on 5G
Taipei Times
Bug bounty
Fortune
A thing to worry about: sleep study
Tom Van Vleck
A robot scientist will dream up new materials to advance computing and fight pollution
MIT Technology Review
AI News Anchor Makes Debut In China
npr.org
3 Crazy Excel Formulas That Do Amazing Things
MakeUseOf
Dementia risk: Five-minute scan 'can predict cognitive decline'
bbc.com
MAS issues principles to guide use of AI, data analytics in finance
The Straits Times
Awful AI is a curated list to track current scary usages of AI— hoping to raise awareness
David Dao
Google accused of 'trust demolition' over health app
BBC
AI Could Make Cyberattacks More Dangerous, Harder to Detect
WSJ
AmazonBasics Microwave Review: It's a Little Undercooked
WiReD
Elon Musk's SpaceX wins FCC approval to put Starlink Internet satellites into orbit
WashPost
Customer Complains About Tesla Forums, Tesla Accidentally Gives Him Control Over Them
Motherboard
Google had a secret bug
WashPost
For the first time, researchers say Facebook can cause depression
Brett Arends
Mozilla - *privacy not included
Gabe Goldberg
The digital epidemic killing Indians
bbc.com
Police: Woman remotely wipes phone in evidence after shooting
The Daily Gazette
He Helped People Cheat at Grand Theft Auto. Then His Home Was Raided.
NYTimes
MoneyGram agrees to pay $125 million for failing to crack down on fraudulent money transfers
WashPost
Report: Could Your Online Behavior Affect What You Pay for Car Insurance?
San Antonio Business Journal
Couple, homeless man in viral GoFundMe charged
BostonGlobe
The Dating Brokers
TacticalTech
Osaka woman terrifyingly attacked by intruder while playing video games in her home late at night
Sora News
Re: EMV card fraud statistics
David Alexander
Re: Ethics of whom to kill
Arthur T.
Re: Tesla
Wol
Re: Credit Card Chips Have Failed to Halt Fraud, Survey Shows
Phil Smith III
Re: Risks in Using Social Media to Spot Signs of Mental Distress
Richard Stein
Book review: You'll see this message when it is too late, by Josephine Wolff
Web Informant
Info on RISKS (comp.risks)

Commentary on Florida Election Recounts

Rebecca Mercuri <notable@mindspring.com>
Thu, 15 Nov 2018 11:19:02 -0500
BREAKING NEWS

This article features my thoughts on the recent Florida Election recounts:
https://www.weeklystandard.com/alice-b-lloyd/who-needs-hackers-when-you-have-human-error

This is actually the *third* time where ballot layouts in certain Florida
counties may have confused voters. Here's a detailed report about the 1988
election which led NIST (then NBS) researcher Roy Saltman to recommend
against the use of the "butterfly ballot" that was (later) front-and-center
in 2000.
http://aliciapatterson.org/stories/tale-weird-drop-offs-and-jump-ups-are-computer-vote-counts-honest

Different scanners now, no hanging chad, but a similar problem.
Coincidence? I think not.

Those who fail to learn from the past....
Rebecca Mercuri.


670 ballots in a precinct with 276 voters, and other tales from Georgia's primary (MSN)

Andrew Douglass <andr3wdouglass@gmail.com>
Thu, 8 Nov 2018 18:06:46 -0500
https://www.msn.com/en-us/news/politics/670-ballots-in-a-precinct-with-276-voters-and-other-tales-from-georgias-primary/ar-BBLBUA4

WASHINGTON - Habersham County's Mud Creek precinct in northeastern Georgia
had 276 registered voters ahead of the state's primary elections in May.

But 670 ballots were cast, according to the Georgia secretary of state's
office, indicating a 243 percent turnout.  Georgia is one of four states
that uses voting machines statewide that produce no paper record for voters
to verify, making them difficult to audit, experts say.

  Difficult indeed. Coincidentally (we hope), 83% of the county vote was for
  the outgoing secretary of state Kemp.

  It really only takes one story like this to prove the larger proposition
  that unauditable electronic voting machines are a menace to
  democracy. Only obvious errors like this bubble to the surface; who knows
  what goes on in other cases?


Voting Machine Manual Instructed Election Officials to Use Weak Passwords (Kim Zetter)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 6 Nov 2018 14:37:25 PST
Kim Zetter, Motherboard, 5 Nov 2018
<https://motherboard.vice.com/en_us/contributor/kim-zetter>

Voting Machine Manual Instructed Election Officials to Use Weak Passwords

A vendor manual for voting machines used in about ten states shows the
vendor instructed customers to use trivial easy-to-crack passwords and to
re-use the passwords when changing log-in credentials.

States and counties have had two years since the 2016 presidential election
to educate themselves about security best practices and to fix security
vulnerabilities in their election systems and processes. But despite
widespread concerns about election interference from state-sponsored hackers
in Russia and elsewhere, apparently not everyone received the memo about
security, or read it.

An election security expert who has done risk-assessments in several states
since 2016 recently found a reference manual that appears to have been
created by one voting machine vendor for county election officials and that
lists critical usernames and passwords for the vendor's tabulation system.
The passwords, including a system administrator and root password, are
trivial and easy to crack, including one composed from the vendor's name.
And although the document indicates that customers will be prompted
periodically by the system to change the passwords, the document instructs
customers to re-use passwords in some cases—alternating between two of
them—and in other cases to simply change a number appended to the end of
some passwords to change them.
https://motherboard.vice.com/en_us/article/kzvejx/voting-machine-manual-instructed-election-officials-to-use-weak-passwords
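The manual's two tricks, alternating between two passwords and bumping a trailing number, are both easy to reject mechanically. The following is an added example and is not code from the Motherboard article or from any voting-system vendor; the vendor name "Acme", the sample password history and the history depth are made up for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample history (assumption): the two passwords the "alternate
 * between them" instruction would bounce between, plus an empty slot. */
static const char *const SAMPLE_HISTORY[] = { "Tabulator1", "Tabulator2", NULL };
#define SAMPLE_HISTORY_LEN 3

/* Copy s into out with any trailing digits removed and letters lower-cased,
 * so "Password7" and "PASSWORD12" both become "password". */
static void normalize(const char *s, char *out, size_t outlen) {
    size_t n = strlen(s);
    while (n > 0 && isdigit((unsigned char)s[n - 1])) n--;   /* drop numeric suffix */
    if (n >= outlen) n = outlen - 1;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)s[i]);
    out[n] = '\0';
}

/* True if candidate differs from old only in its trailing number
 * (password1 -> password2, Acme2018 -> Acme2019). All-digit strings have an
 * empty stem and are not treated as rotations of each other. */
bool is_suffix_rotation(const char *candidate, const char *old) {
    char a[256], b[256];
    normalize(candidate, a, sizeof a);
    normalize(old, b, sizeof b);
    return a[0] != '\0' && strcmp(a, b) == 0;
}

/* Case-insensitive substring test for the "contains the vendor name" rule. */
static bool contains_ci(const char *hay, const char *needle) {
    size_t hn = strlen(hay), nn = strlen(needle);
    if (nn == 0 || nn > hn) return false;
    for (size_t i = 0; i + nn <= hn; i++) {
        size_t j = 0;
        while (j < nn && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == nn) return true;
    }
    return false;
}

/* Reject a candidate that contains the vendor name, or that equals or is a
 * suffix-rotation of any password in the history. Comparing against the whole
 * history (not just the current password) is what defeats "alternate between
 * two"; the stem comparison is what defeats "bump the number". */
bool password_change_allowed(const char *candidate, const char *vendor,
                             const char *const history[], size_t history_len) {
    if (contains_ci(candidate, vendor)) return false;
    for (size_t i = 0; i < history_len; i++) {
        if (history[i] == NULL) continue;
        if (strcmp(candidate, history[i]) == 0) return false;
        if (is_suffix_rotation(candidate, history[i])) return false;
    }
    return true;
}

int main(void) {
    const char *tries[] = { "Tabulator1", "Tabulator3", "AcmeVotes!2018", "glacier-nylon-bassoon-47" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-26s %s\n", tries[i],
               password_change_allowed(tries[i], "Acme", SAMPLE_HISTORY, SAMPLE_HISTORY_LEN)
                   ? "ok" : "REJECTED");
    return 0;
}
```

The history depth is the real policy knob: an attacker who has read the manual knows the stem, so a check that only compares against the single current password still lets "Tabulator1" come back after one intermediate change.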


Electionland/ProPublica had a lovely collection of election problems already in the wee hours of election evening.

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 7 Nov 2018 3:47:43 PST
https://www.propublica.org/electionland/

Probably lots more to report as well.


At Doomed Flight's Helm, Pilots May Have Been Overwhelmed in Seconds (NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 9 Nov 2018 10:15:09 -0500
https://www.nytimes.com/2018/11/08/world/asia/indonesia-plane-crash-last-moments.html

As American and Indonesian investigators puzzle through clues of troubles
that befell Flight 610, they are finding not a single lapse but a cascade of
issues.


Boeing issues warning on potential instrument malfunction after Indonesia crash (WashPost)

Lauren Weinstein <lauren@vortex.com>
Wed, 7 Nov 2018 08:00:58 -0800
https://www.washingtonpost.com/world/asia_pacific/boeing-issues-warning-on-potential-instrument-malfunction-after-indonesia-crash/2018/11/07/b43168b6-e265-11e8-a1c9-6afe99dddd92_story.html

  Airplane manufacturer Boeing said Wednesday that it has issued a bulletin
  to airlines worldwide warning of erroneous readings from flight-control
  software on its planes, after an almost-new Lion Air jetliner crashed into
  the sea soon after takeoff, killing the 189 people on board.  Boeing,
  which is assisting in an investigation into what went wrong in the Oct.
  29 crash of one of its new 737 Max 8 jets, said in a statement that it
  issued the bulletin Tuesday as "part of its usual process."


A Runaway Train Traveled 57 Miles Through Australia's Outback (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Wed, 7 Nov 2018 18:54:51 -0500
Most things don't happen the way they do in the movies. Changes are less
sudden, incidents less surprising, humans less attractive. But when a
runaway train tore through the Australian outback, the action sequence that
followed seems to have come right out of a Tony Scott flick.

The whole mess started when the engineer stopped the 268-car,
four-locomotive train and hopped out to inspect one of the cars, according
to the Australian Transport Safety Board. While he was on the ground
(presumably distracted by giant spiders and roving kangaroos), the train
pulled away with nobody on board. Loaded down with iron ore, it was soon
hitting 68 mph. The train, operated by metals, mining, and petroleum giant
BHP, covered a remarkable 57 miles before the company stopped it--by
flinging it off the tracks.

Nobody was hurt, though the investigators, who are working to determine why
the train pulled away in the first place, rated the damage to the equipment
as `substantial'.  ...

Here's one spot of good news: The technology to prevent an extended runaway
train incident like this one already exists. Positive Train Control systems
use train- and rail-mounted GPS and sensors to track locomotive movement and
alert conductors and dispatchers to imminent derailments or collisions. If
humans don't react to the warnings, the systems are designed to
automatically brake trains before something terrible goes
down. Congressional legislation demanded that America's rail operators
implement Positive Train Control by 2015, but the Department of
Transportation extended the deadline to December 2018 after many struggled
to deploy the technology in time. According to the DOT's Positive Train
Control dashboard, just 18 of 40 railroads had PTC implemented on all their
locomotives by July of this year.

https://www.wired.com/story/australia-runaway-train-derailment/


Rules of the Road Evade Driverless Cars (WashPost)

Richard Stein <rmstein@ieee.org>
Tue, 13 Nov 2018 13:07:55 +0800
https://www.washingtonpost.com/business/rules-of-the-road-evade-driverless-cars/2018/11/09/1e1475a0-e484-11e8-ba30-a7ded04d8fac_story.html

"Ghosn also acknowledged a big barrier to innovation: regulations and
clearing any obstacles they raise before mass-marketing. This is more than
just a caveat. Legal questions from traffic rules to liability in an
accident ultimately will determine whether consumers—be they big
corporations or individuals—decide if they can live with driverless cars,
or can't live without them."

"Removing the driver reduces a company's cost of goods by as much as 90
percent, he said."

Risk: Cross-border compliance with traffic rules complicates AV deployment
and elevates safety underachievement potential without a binding
international treaty. Especially critical for freight delivery services.

Unwise to rely on GPS signal to automatically determine AV
navigation/driving rule localization enforcement especially near an
international border.


Siri Shortcuts can now be used with the VW Car-Net app to remotely control a vehicle (AppleInsider)

Gabe Goldberg <gabe@gabegold.com>
Tue, 13 Nov 2018 16:32:36 -0500
Volkswagen has updated its Car-Net mobile app with deeper Siri integration
to allow drivers to perform specific tasks remotely from their vehicle,
enabling users to lock or unlock their car from far away just by asking
Apple's digital assistant on an iPhone.

Announced on Monday, iPhones and iPads running iOS 12 can start to use Siri
with the Car-Net <http://www.vw.com/carnet> app to control their vehicle.
Once set up with the app, Siri can be used to change whether or not the car
is locked, and to check the estimated mileage remaining for fuel, or for
electric vehicles, how much charge is remaining.

If the driver has forgotten where the car is located in a parking lot, they
can also ask Siri to flash the lights or honk the car's horn so it can be more
easily found.

There are also several shortcuts that can be enabled in Siri with
personalized phrases, including commands to start or stop charging, to
defrost the windows, to set the climate control temperature, and a "where is
my car?" query.

https://appleinsider.com/articles/18/11/12/siri-shortcuts-can-now-be-used-with-the-vw-car-net-app-to-remotely-control-a-vehicle

Hmm. What could go wrong with remote access to cars? I wonder how it's
secured...


Russia suspected of jamming GPS signal in Finland (BBC)

Paul Saffo <paul@saffo.com>
Wed, 14 Nov 2018 05:04:20 -0800
BBC, 12 Nov 2018
https://www.bbc.com/news/technology-27662580

Finnish Prime Minister Juha Sipila has said the GPS signal in his country's
northern airspace was disrupted during recent NATO war games in Scandinavia.
He said he believed the signal had been jammed deliberately and that it was
possible Russia was to blame because it had the means to do so.  Finland is
not a NATO member but joined the war games which began last month.  Norway
also reported GPS problems during the exercises near Russia's north-western
borders.

"It is difficult to say what the reasons could be but there are reasons to
believe it could be related to military exercise activities outside Norway's
borders," Wenche Olsen, director of the Civil Aviation Authority of Norway,
told the *Barents Observer* earlier this month.

Russia is also suspected of jamming the GPS signal in Norway's border area
last year when it held its own war games.  Relations between NATO and Russia
have been strained since Russia annexed Crimea from Ukraine in 2014.  How
serious was the disruption?  The Finnish region of Lapland and northern
parts of Norway close to the Russian border were affected, with the
Norwegian regional airline Widerøe confirming its pilots had
experienced GPS disruption, Germany's DW news site reports.

However, the airline pointed out that pilots aboard civilian aircraft had
other options when a GPS signal failed.

"This is not a joke, it threatened the air security of ordinary people,"
said Mr Sipila, who is himself an experienced pilot.  "It is possible that
Russia has been the disrupting party in this. Russia is known to possess
such capabilities."

How could Russia block the signal?

GPS is a global navigation system originally devised by the US military
which works by sending signals from satellites above the Earth back down to
receivers.  "Technology-wise, it's relatively easy to disturb a radio
signal, and it's possible that Russia was behind it," Mr Sipila was quoted
as saying.  Russia's electronic warfare capability has impressed many NATO
commanders, the BBC's Jonathan Marcus wrote last year.

The country has its own, lesser-known global navigation system, called Glonass.

Why were the wargames held?

NATO'S biggest military exercise since the Cold War, code-named Trident
Juncture, rehearsed how the US-led alliance would respond to the invasion of
an ally.  All 29 NATO members, as well as Finland and Sweden, were involved
and it took place a few hundred miles from Norway's border with Russia.  At
one point in the exercises, a Russian maritime reconnaissance plane flew
past a US warship, the USS Mount Whitney.

The exercises began on 25 October and ended last Wednesday.

Just after they ended, an oil tanker collided with one of the Norwegian
warships involved, in a fjord in southern Norway. The warship had been
repeatedly warned of its collision course with the tanker, the BBC was told.


Why Google Internet Traffic Rerouted Through China and Russia (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 13 Nov 2018 19:59:08 -0500
For two hours Monday, Internet traffic that was supposed to route through
Google's Cloud Platform
<https://www.wired.com/story/google-cloud-security-command-center/> instead
found itself in quite unexpected places, including Russia and China. But
while the haphazard routing invoked claims of traffic hijacking—a real
threat, given that nation states could use the technique to spy on web users
or censor services—the incident turned out to be a simple mistake with
outsized impacts.

https://www.wired.com/story/google-internet-traffic-china-russia-rerouted/

  [Li Gong noted this:
https://www.darkreading.com/vulnerabilities---threats/google-traffic-temporarily-rerouted-via-russia-china/d/d-id/1333257
  PGN]


Operation Infektion (The New York Times)

Richard Stein <rmstein@ieee.org>
Tue, 13 Nov 2018 21:21:55 +0800
https://www.nytimes.com/video/opinion/100000006210828/russia-disinformation-fake-news.html

Informative series on disinformation campaigns (aka Active Measures
== Bullsh*t), their discovery, patterns/characteristics, and mechanisms to
counter them. Note: the United States has conducted, and likely continues to
conduct, disinformation campaigns internationally to achieve certain
strategic and/or tactical political/policy objectives.

Interesting to note that a disinformation campaign, as conducted by Russia's
GRU, follows 7 rules for deployment:

Rule 1) "Find a Crack"
Rule 2) "The Big Lie"
Rule 3) "A Kernel of Truth"
Rule 4) "Conceal your Hand"
Rule 5) "The Useful Idiot"
Rule 6) "Deny Everything"
Rule 7) "The Long Game"

Risks by the bushel: (a) uninformed electorate that believes disinformation
despite factual evidence to the contrary; (b) political governance that
applies similar disinformation tactics to mislead and polarize populace or
is not versed in policy formulations to counteract it; (c) dissolution of
democracy; (d) severing of strategic international relationships; (e) social
media business profit preservation and prioritization (exploiting viral and
divisive content) to subvert democratic process.


GPS week field roll-over

David Magda <dmagda@ee.ryerson.ca>
Wed, 14 Nov 2018 11:01:15 -0500
Still a few months away, but perhaps worth knowing ahead of time: on
Saturday, 6 April, 2019, 23:25 UTC, the GPS week counter field will roll
over:

> However, the [GPS data] field that contains the week number is a 10-bit
> binary number. This limits the range of the week number to 0 to 1023,
> or 1024 total weeks.
>
> GPS week zero started January 6, 1980. The 1024 weeks counter ran out and
> rolled over on August 21, 1999. The week counter then reset to zero, and
> it has been recounting ever since. The next time the counter will reach
> week 1023 and rollover to zero is on April 6, 2019.
>
> Receivers must properly interpret that week number as the correct date,
> not 19.7 years into the past or future. To do this, receivers use various
> methods to ensure that they are providing the correct date. One common
> method is to use the firmware date as a reference. This works well if the
> receiver is new or is receiving firmware updates. It is also possible
> for the user to modify this reference date in some receivers.

https://spectracom.com/resources/blog/lisa-perdue/2018/gps-2019-week-rollover-what-you-need-know

I was reminded of this by a recent article:

> When a Pennsylvania county's 911 system suddenly went down without
> warning, garbled messages across the network impacted fire and police
> agencies' ability to respond to emergency messages. The issue was traced
> to a firmware malfunction on communications equipment, related to
> provision of GPS timing. The firmware had not been updated
> for 19-1/2 years. Why should it have been?  Everything was working fine
> -- until it didn't.

https://www.gpsworld.com/prepare-today-for-timing-disruptions-tomorrow/

This roll-over last occurred in August 1999, and a few incidents were
mentioned in RISKS-20.55:  https://catless.ncl.ac.uk/Risks/20/55

The world now uses GPS a lot more than it did twenty years ago, especially
in embedded things.
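The quoted articles describe the mechanism but not the arithmetic, so here is an added example (not from Spectracom, GPS World, or the contributor) of how a receiver turns the 10-bit week field back into a date, and why a reference date baked into 1999-era firmware turns an April 2019 fix into an August 1999 one. Dates are handled as days since 1970-01-01 in the proleptic Gregorian calendar with no time zone; GPS-UTC leap seconds are ignored because only the week boundary matters here. The date-conversion routines are Howard Hinnant's well-known algorithms; the reference dates in main() are constructed.

```c
#include <stdio.h>

#define GPS_EPOCH_DAYS 3657L   /* 1980-01-06 as days since 1970-01-01: start of GPS week 0 */
#define WEEK_MODULUS   1024L   /* 2^10: the broadcast week field wraps here */

/* Days since 1970-01-01 for a civil date (Hinnant's days_from_civil). */
long days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153L * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Inverse of days_from_civil; returns the date packed as yyyymmdd. */
long civil_from_days(long z) {
    z += 719468;
    long era = (z >= 0 ? z : z - 146096) / 146097;
    long doe = z - era * 146097;
    long yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    long doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    long mp = (5 * doy + 2) / 153;
    long d = doy - (153 * mp + 2) / 5 + 1;
    long m = mp < 10 ? mp + 3 : mp - 9;
    long y = yoe + era * 400 + (m <= 2);
    return y * 10000 + m * 100 + d;
}

/* Full, untruncated GPS week number of a date (2048 on 2019-04-07). */
long gps_week_full(int y, int m, int d) {
    return (days_from_civil(y, m, d) - GPS_EPOCH_DAYS) / 7;
}

/* The 10-bit value actually broadcast in the navigation message. */
int gps_week_10bit(int y, int m, int d) {
    return (int)(gps_week_full(y, m, d) % WEEK_MODULUS);
}

/* The common receiver heuristic: assume "now" lies within the 1024 weeks on
 * or after the reference (e.g. firmware build) date, and pick the era that
 * makes the broadcast field land in that window. A reference older than one
 * era silently maps the current week 1024 weeks into the past. */
long gps_week_resolve(int week10, int ref_y, int ref_m, int ref_d) {
    long ref = gps_week_full(ref_y, ref_m, ref_d);
    long candidate = (ref / WEEK_MODULUS) * WEEK_MODULUS + week10;
    if (candidate < ref) candidate += WEEK_MODULUS;
    return candidate;
}

/* Civil date (yyyymmdd) on which a full GPS week begins. */
long gps_week_start_ymd(long week) {
    return civil_from_days(GPS_EPOCH_DAYS + week * 7);
}

int main(void) {
    /* Constructed reference dates: pre-1999-rollover firmware, firmware from
     * just after it, and firmware from the week this digest item was sent. */
    int refs[][3] = { {1999, 1, 1}, {1999, 9, 1}, {2018, 11, 14} };
    int w = gps_week_10bit(2019, 4, 10);   /* field value 0: first week after the 2019 rollover */
    for (int i = 0; i < 3; i++)
        printf("reference %04d-%02d-%02d: week field %d resolves to week starting %ld\n",
               refs[i][0], refs[i][1], refs[i][2], w,
               gps_week_start_ymd(gps_week_resolve(w, refs[i][0], refs[i][1], refs[i][2])));
    return 0;
}
```

Note that firmware built after 22 August 1999 resolves the 2019 rollover correctly without any update: the window only fails once the reference date is more than 1024 weeks old, which is exactly the 19-1/2-year-old firmware in the 911 incident. The same arithmetic says a receiver whose reference date is never refreshed will fail again 1024 weeks after that date, regardless of which era it was built in.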


System error: Japan cybersecurity minister admits he has never used a computer (TheGuardian.com)

Richard Stein <rmstein@ieee.org>
Thu, 15 Nov 2018 14:13:29 +0800
https://www.theguardian.com/world/2018/nov/15/japan-cyber-security-ministernever-used-computer-yoshitaka-sakurada

"A Japanese minister in charge of cybersecurity has provoked astonishment
by admitting he has never used a computer in his professional life, and
appearing confused by the concept of a USB drive."

Risk: Incurious governance oversight of a cabinet-level portfolio diminishes
public health and safety readiness.

A "decider" decides w/o subject matter comprehension. "Magic 8-ball"
governance can be simulated.

  [Gene Wirchenko saw another item on this story
    "Japanese cybersecurity minister finds computers a mystery"
https://www.zdnet.com/article/japanese-cybersecurity-minister-finds-computers-a-mystery/
  and noted "Can you spot the security risk?"  PGN]


Tech CEOs Are in Love With Their Principal Doomsayer (Nellie Bowles)

Dewayne Hendricks <dewayne@warpspeed.com>
November 12, 2018 at 1:24:45 AM GMT+9
  [Note:  This item comes from friend Paul Pangaro.  DLH]

Nellie Bowles, *The New York Times*, 9 Nov 2018
Tech CEOs Are in Love With Their Principal Doomsayer
The futurist philosopher Yuval Noah Harari thinks Silicon Valley is an
engine of dystopian ruin. So why do the digital elite adore him so?

<https://www.nytimes.com/2018/11/09/business/yuval-noah-harari-silicon-valley

  [Long item pruned for RISKS.  PGN]


"IoT botnet infects 100,000 routers to send Hotmail, Outlook, and Yahoo spam" (Catalin Cimpanu)

Gene Wirchenko <genew@telus.net>
Wed, 07 Nov 2018 11:36:54 -0800
Catalin Cimpanu for Zero Day | 7 Nov 2018
https://www.zdnet.com/article/iot-botnet-infects-100000-routers-to-send-hotmail-outlook-and-yahoo-spam/

IoT botnet infects 100,000 routers to send Hotmail, Outlook, and Yahoo spam
Botnet infects routers and uses them to relay connections to webmail services.

opening text:

A new botnet made up of roughly 100,000 home routers has silently grown over
the past two months. According to current evidence, the botnet's operators
appear to use the infected routers to connect to webmail services and are
most likely sending out massive email spam campaigns.


Buffer Overflows and Spectre

Henry Baker <hbaker1@pipeline.com>
Tue, 20 Nov 2018 09:19:17 -0800
Spectre is no longer just an annoyance; it is a scandal bigger than
Dieselgate, affecting *billions* of people.

Is it just me, or does anyone else in computer science feel a deep sense of
embarrassment and betrayal ?

We professionals in computer science have spent 50+ years advocating proper
code hygiene in which every array reference is properly bounds-checked to
avoid the dreaded *buffer overflow*, which is the source of perhaps the
largest fraction of software bugs and hacking vulnerabilities.

We've beaten up on computer languages such as C & C++ for their bad hygiene,
and attempted to steer students towards modern languages which are *safe by
design*, because they obsessively and anally check every array reference.

What has our caution, advice and conscientious programming netted us?

We've been undone by our hardware vendors, whose CPU's *ignore* our
*explicit instructions* (what is it about the words "instruction",
"command", "order code" do these vendors not understand?) to check every
array reference—e.g., hence the Spectre bugs.

Isn't it time for a *class action lawsuit* against every CPU vendor whose
*defective* and *dangerous* products exhibit Spectre vulnerabilities ?

This is not just *negligence*, but outright *fraud*, because these CPU's
violate their own specifications and advertising—their own instruction
reference manuals !

It is as if an automobile manufacturer put a Spectre-like bug in our
automobile braking systems which occasionally ignored the brake pedal
because it adversely affected gas mileage.  Who cares about a few
"accidental" deaths here and there, if the manufacturer can claim a few
percentage points additional gas mileage?

***What the CPU manufacturers have done is every bit as bad as what the auto
   manufacturers did to *cheat government emissions testing*! ***
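The complaint above is about one specific pattern: a bounds check that the hardware honours architecturally but speculates past. As an added example, not Henry Baker's code and not tied to any particular CPU, here is that pattern in C beside the index-masking form used as the Spectre variant 1 mitigation in practice (the mask is the generic form of Linux's array_index_mask_nospec). The table contents, cache-line stride and probe array are made up; the code cannot demonstrate the leak itself, only the two shapes of the access.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16
#define LINE 64                            /* cache-line stride, an assumption */
static const uint8_t table[TABLE_LEN] =     /* constructed "secret-adjacent" data */
    {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
static uint8_t probe[256 * LINE];          /* the attacker-observable side-channel array */

/* Deterministic filler so the lookups below return something checkable. */
static void init_probe(void) {
    static int done;
    if (done) return;
    for (size_t i = 0; i < sizeof probe; i++) probe[i] = (uint8_t)(i / LINE);
    done = 1;
}

/* The textbook "safe" access. Architecturally, x >= TABLE_LEN never reaches
 * the load. Under speculation the CPU may predict the branch taken, read
 * table[x] from far outside the array while the compare is still resolving,
 * and use that byte to pull one line of probe[] into cache. The result is
 * discarded when the misprediction is detected; the cache state is not. */
uint8_t lookup_unsafe(size_t x) {
    init_probe();
    if (x < TABLE_LEN)
        return probe[table[x] * LINE];
    return 0;
}

/* Branchless mask: all ones when index < size, zero otherwise. size-1-index
 * wraps negative when index >= size, so the OR carries the sign bit; ~ flips
 * it; the arithmetic shift smears it across the word. The volatile copy keeps
 * the compiler from proving the mask redundant from the preceding branch.
 * Assumes an LP64 target where >> on a negative long is arithmetic (GCC, Clang)
 * and that index and size are below LONG_MAX. */
size_t index_mask_nospec(size_t index, size_t size) {
    volatile size_t idx = index;
    return (size_t)(~(long)(idx | (size - 1 - idx)) >> (sizeof(long) * CHAR_BIT - 1));
}

/* Same check, but the index used for the load is forced to 0 whenever it is
 * out of range, so even a mispredicted branch cannot address past table[]. */
uint8_t lookup_nospec(size_t x) {
    init_probe();
    if (x < TABLE_LEN) {
        x &= index_mask_nospec(x, TABLE_LEN);
        return probe[table[x] * LINE];
    }
    return 0;
}

int main(void) {
    size_t inputs[] = { 0, 5, 15, 16, 100000 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("x=%6zu  unsafe=%u  nospec=%u  mask=%zu\n", inputs[i],
               lookup_unsafe(inputs[i]), lookup_nospec(inputs[i]),
               index_mask_nospec(inputs[i], TABLE_LEN));
    return 0;
}
```

The two functions return identical values for every input; the difference exists only in what the processor is allowed to touch before the branch resolves, which is why this class of bug is invisible to tests that check results and why a fence or a mask, not a second comparison, is the fix.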


Police decrypt 258,000 messages after breaking pricey IronChat crypto app (Ars Technica)

Monty Solomon <monty@roscom.com>
Sat, 10 Nov 2018 10:44:27 -0500
https://arstechnica.com/information-technology/2018/11/police-decrypt-258000-messages-after-breaking-pricey-ironchat-crypto-app/


Guns, drones, and surveillance equipment: Big Brother steps out in Tel Aviv (The Times of Israel)

Gabe Goldberg <gabe@gabegold.com>
Thu, 15 Nov 2018 13:42:05 -0500
Some of the technology on show at the 5th International Homeland Security
and Cyber-Exhibition is positively spooky

https://www.timesofisrael.com/guns-drones-and-surveillance-equipment-big-brother-steps-out-in-tel-aviv/


The House That Spied on me (Gizmodo)

Gabe Goldberg <gabe@gabegold.com>
Sun, 11 Nov 2018 11:33:50 -0500
[He] had the same view of Kashmir's house that her Internet Service Provider
(ISP) has. After Congress voted last year to allow ISPs to spy on and sell
their customers' Internet usage data, we were all warned that the ISPs could
now sell our browsing activity, or records of what we do on our computers
and smartphones. But in fact, they have access to more than that. If you
have any smart devices in your home -- a TV that connects to the Internet, an
Echo, a Withings scale -- your ISP can see and sell information about that
activity too. With my router [he] was seeing the information about Kashmir
and her family that Comcast, her ISP, could monitor and sell.

https://gizmodo.com/the-house-that-spied-on-me-1822429852


A DJI Bug Exposed Drone Photos and User Data (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 11 Nov 2018 15:25:37 -0500
DJI makes some of the most popular quadcopters
<https://www.wired.com/story/guide-drones/>
on the market, but its products have repeatedly drawn scrutiny
<https://www.wired.com/story/army-dji-drone-ban/> from the government over
privacy and security concerns. Most recently, the Department of Defense in May banned
the purchase of consumer drones made by a handful of vendors, including DJI.
<https://dronedj.com/2018/06/07/department-of-defense-bans-the-purchase-of-commercial-over-the-shelf-uas-including-dji-drones/>

Now DJI has patched a problematic vulnerability in its cloud infrastructure
that could have allowed an attacker to take over users' accounts and access
private data like photos and videos taken during drone flights, a user's
personal account information, and flight logs that include location data. A
hacker could have even potentially accessed real-time drone location and a
live camera feed during a flight.

https://www.wired.com/story/dji-drones-bugs-exposed-users-data/


Fake fingerprints can imitate real ones in biometric systems (The Guardian)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 15 Nov 2018 11:06:03 PST
Another fascinating vulnerability for a particular algorithmic
implementation of fingerprint recognition!  This approaches what a master
key does for classes of locks.  This goes way beyond the individualized
gummy-bear attacks.   PGN

https://www.theguardian.com/technology/2018/nov/15/fake-fingerprints-can-imitate-real-fingerprints-in-biometric-systems-research

  Researchers have used a neural network to generate artificial fingerprints
  that work as a "master key" for biometric identification systems and prove
  fake fingerprints can be created.  According to a paper presented at a
  security conference in Los Angeles, the artificially generated
  fingerprints, dubbed "DeepMasterPrints" by the researchers from New York
  University, were able to imitate more than one in five fingerprints in a
  biometric system that should only have an error rate of one in a thousand.


Public Attitudes Toward Computer Algorithms (Pew Research Center)

Gabe Goldberg <gabe@gabegold.com>
Mon, 19 Nov 2018 18:02:23 -0500
Americans express broad concerns over the fairness and effectiveness of
computer programs making important decisions in people's lives

http://www.pewinternet.org/2018/11/16/public-attitudes-toward-computer-algorithms/

... but doesn't seem to motivate most people to opt out where it's possible.


Guarding Against Backdoors and Malicious Hardware (Security Boulevard)

Gabe Goldberg <gabe@gabegold.com>
Sun, 11 Nov 2018 21:43:53 -0500
In a post-Supermicro-scoop world, it's important for security
teams to review the basics on detecting and guarding against hardware
backdoors.

Malicious software is relatively easy to find, but what if your actual
device is the enemy?

Last month, Bloomberg Businessweek broke a story on Chinese nation-state
actors secretly implanting spy chips in targeted motherboards manufactured
by mega-supplier Supermicro, compromising large enterprises in both the
public sector and the private sector. This story came on the heels of
multiple revelations earlier this year by security researchers backed by the
Department of Homeland Security that the firmware of millions of
Chinese-manufactured smartphones was compromised.

There is much skepticism over the Bloomberg story because of vehement
denials by the organizations implicated and other factors. If nothing else,
though, it serves as a good wake-up call to IT security for guarding against
hardware-embedded backdoors. For years, after all, it has been anticipated
that China would try--or has already tried--embedding
malicious backdoors directly into hardware. In 2012, researchers discovered
a serious embedded backdoor in a Chinese-manufactured FPGA chipset used by
military and aerospace organizations in the West. In this instance, for what
it's worth, the cybersecurati generally agreed that this backdoor
was inadvertent, not malicious. However, even inadvertent backdoors can be
converted to malicious ones if discovered by the wrong person.

https://securityboulevard.com/2018/11/guarding-against-backdoors-and-malicious-hardware/


U.S. Declines to Sign Declaration Discouraging Use of Cyberattacks (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Mon, 12 Nov 2018 23:56:38 -0500
https://www.nytimes.com/2018/11/12/us/politics/us-cyberattacks-declaration.html

The Trump administration, leery of limiting its options, chose not to sign
on to the nonbinding pact put forward by President Emmanuel Macron of
France.


'The Cleaners' Looks At Who Cleans Up The Internet's Toxic Content (npr.org)

Richard Stein <rmstein@ieee.org>
Tue, 13 Nov 2018 14:02:05 +0800
https://www.npr.org/2018/11/12/667118322/the-cleaners-looks-at-who-cleans-up-the-internets-toxic-content

'"I have seen hundreds of beheadings. Sometimes they're lucky that it's just
a very sharp blade that's being used to them," one content moderator says in
a clip from the film.'

'"By the end of this year we're gonna have more than 20,000 people working
on security and content review," Zuckerberg said.'

See https://catless.ncl.ac.uk/Risks/30/09%23subj17.1
on Internet cleaning.

Risk: PTSD—post-traumatic stress disorder from a desk job.


HealthCare.gov breach compromised applicants' financial, immigration data (Washington Times)

Gabe Goldberg <gabe@gabegold.com>
Tue, 13 Nov 2018 19:54:08 -0500
Personal data including immigration status and employment information were
compromised in a breach of HealthCare.gov that affected people who applied
for coverage under the Affordable Care Act, former President Barack Obama's
hallmark healthcare reform law, the Department of Health and Human Services
said Friday.

The Centers for Medicare and Medicaid Services (CMS), the division of HHS
responsible for running HealthCare.gov's online application portal --
designated the Marketplace -- has begun notifying approximately 75,000
people affected by the previously disclosed data breach, officials announced
in an update about the incident.

https://www.washingtontimes.com/news/2018/nov/10/healthcaregov-breach-compromised-applicants-financ/


Apple IDs locked for unknown reasons for a number of iPhone users (Apple Insider)

Gabe Goldberg <gabe@gabegold.com>
Tue, 13 Nov 2018 13:51:12 -0500
A number of iPhone users have discovered their Apple ID has been locked on
all of their Apple devices, preventing them from accessing stored data and
related services, with the lockdowns occurring for seemingly unknown
reasons. ...

It is unclear exactly what is happening to cause the accounts to be locked,
but the significant rise in online complaints suggests it has happened to a
large number of people at the same time with the first "wave" at about
midnight eastern time. While it could be caused in error by Apple's account
security protocols, there is also the chance that the accounts are being
probed by a malicious actor, though ultimately the reason behind the locking
of accounts is unknown in this case.

Sources inside Apple not authorized to speak for the company advised
/AppleInsider/: "At present, this doesn't appear to be an Apple bug.
Whatever it is, it is only impacting a minute percentage of our users."

https://appleinsider.com/articles/18/11/13/apple-ids-locked-for-unknown-reasons-for-a-number-of-iphone-users


Debate in Germany over allowing Chinese to bid on 5G (Taipei Times)

Mark Thorson <eee@dialup4less.com>
Wed, 14 Nov 2018 16:15:22 -0800
Pressure to exclude Chinese from bidding on 5G build-out,
as U.S. and Australia already do.

http://www.taipeitimes.com/News/front/archives/2018/11/15/2003704249

Maybe Huawei should go open source?  Then, all we'd have to worry about is
spy chips.


Bug bounty (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sun, 11 Nov 2018 15:38:41 -0500
Bug bounty programs were a major topic of discussion during a panel on risk
management at the Money20/20 finance and tech conference in Las Vegas a
couple weeks ago. These programs compensate hackers for poking holes in a
company's products and finding and reporting any vulnerabilities to the
people who can fix them. Ideally, they help companies root out flaws in
their code and hardware, making the world safer for businesses and
consumers.

https://view.email.fortune.com/%3Fqs%3D4eeb8fb07f569ef3f979cf14268fa83115990788ea48131265220db52f436cd60ec6f6c3730c71af18f048b7f1e25608112f3e42b011768b92d040d012711efef2f1fda5cacf467b


A thing to worry about: sleep study

Tom Van Vleck <thvv@multicians.org>
Fri, 9 Nov 2018 14:55:47 -0500
What I have in mind is the paper in the latest CACM, November 2018, Vol. 61
No. 11, Pages 157-165.
"LIBS: A Bioelectrical Sensing System from Human Ears for Staging
  Whole-Night Sleep Study"

Sleep study.  Good thing, right.
Replace the electrode cap applied by a technician with some foam earplugs,
saves money, do it at home, results almost as good,
plus you can get not only EEG but eye tracking and muscle contractions.
They sound very proud.

Then their paper ends with a section on other stuff they could do with this.
- autism onset detection
- meditation training
- eating habit monitoring
Well hmm.
- autonomous audio steering... train a hearing aid to favor amplifying
  sounds from where the user is looking
- also combine with the EEG signal and micro expression to see how pleased
  the wearers are with the sound they hear
- distraction and drowsiness detection .. see if drivers are alert
- child's interest assessment .. see what the student is paying attention to
  in class

OK, but then this could be used to
-- see if Winston Smith is paying attention to the telescreen
-- determine if Winston Smith is pleased by what he hears from Big Brother
-- weed out malcontent and rebellious students
-- detect physiological responses to stimuli ("lie detectors")

oh, not to worry, just don't let anybody stick earplugs with wires on them
in your ears.  and make sure nobody invents a remote-sensing EEG, and beware
of high quality sensor cameras that might pick up your micro expressions and
other body responses

yup, nobody would ever use this for evil, right.

if Alexa or Siri offers us a useful gadget that promises to make us happy,
will we be allowed to decline?

I bet Joe Weizenbaum would be cautious.


A robot scientist will dream up new materials to advance computing and fight pollution (MIT Technology Review)

Richard Stein <rmstein@ieee.org>
Mon, 12 Nov 2018 09:21:50 +0800
https://www.technologyreview.com/s/612388/a-robot-scientist-will-dream-up-new-materials-to-advance-computing-and-fight-pollution/

From the what-if sci-fi risk category.

Suppose the material-bot finds a compound that can literally "rip CO2" from
the atmosphere by the boat load, and thereby suppress the hockey-stick rise
in greenhouse gas concentration. But...the material must be constructed from
highly radioactive and toxic combination of elements: radium, thorium, and
polonium.

Would pursuit of this CO2 scrubber be ethically justifiable if it was the
"last chance" to save the Earth's ecosystem?


AI News Anchor Makes Debut In China (npr.org)

Richard Stein <rmstein@ieee.org>
Sat, 10 Nov 2018 11:59:00 +0800
https://www.npr.org/2018/11/09/666239216/ai-news-anchor-makes-debut-in-china

"It's quite difficult to watch for more than a few minutes. It's very flat,
very single-paced, it's not got rhythm, pace or emphasis," Michael
Wooldridge from the University of Oxford told the BBC. And compared to a
trusted human news anchor, he says that "if you're just looking at animation
you've completely lost that connection to an anchor."

Might a "real silicon muppet" news anchor appeal to a broader audience? As
simulation improves, succeeding generations of viewers may accept and trust
a silicon muppet as the authoritative voice or face of governance.

RISK: Pure propaganda broadcast sows confusion, or stiffens polarization
despite contradictory, factual evidence.

Recall "Dirty Laundry" lyrics by Don Henley and Danny Kortchmar (see
https://www.lyricsfreak.com/d/don%2Bhenley/dirty%2Blaundry_20042033.html)

"We can do 'The Innuendo' / We can dance and sing /
When it's said and done we haven't told you a thing /
We all know that Crap is King /
Give us dirty laundry!"


3 Crazy Excel Formulas That Do Amazing Things (MakeUseOf)

Gabe Goldberg <gabe@gabegold.com>
Tue, 6 Nov 2018 22:31:48 -0500
https://www.makeuseof.com/tag/3-crazy-excel-formulas-that-do-amazing-things/

Fun with Excel. I barely understand some of this but will study it.  Already
learned from this the (trivial) ways to conditionally format cells.

Reading more sophisticated techniques scares the bejeezus out of me—how
do you test/debug/validate arcane formulas producing
results/dashboards/graphs/etc. Mostly can't, right? Great.


Dementia risk: Five-minute scan 'can predict cognitive decline' (bbc.com)

Richard Stein <rmstein@ieee.org>
Mon, 12 Nov 2018 17:30:56 +0800
https://www.bbc.com/news/health-46155607

"Scientists used ultrasound scanners to look at blood vessels in the necks
of more than 3,000 people and monitored them over the next 15 years.

"They found those with the most intense pulses went on to experience greater
cognitive decline over the next decade than the other study participants.

"Researchers hope it may offer a new way to predict cognitive decline.

"An international team of experts, led by University College London (UCL),
measured the intensity of the pulse traveling towards the brain in 3,191
people in 2002.

"A more intense pulse can cause damage to the small vessels of the brain,
structural changes in the brain's blood vessel network and minor bleeds
known as mini-strokes."

Catch-22. More powerful ultrasonic pulses required to spot cognitive decline
potential, but powerful pulses damage blood vessels and possibly contribute
to TIA—transient ischemic aneurysm (aka stroke).

Not a Therac-25 situation, though pulse intensity must be carefully
controlled.


MAS issues principles to guide use of AI, data analytics in finance (The Straits Times)

Richard Stein <rmstein@ieee.org>
Tue, 13 Nov 2018 13:43:21 +0800
https://www.straitstimes.com/business/banking/mas-issues-principles-to-guide-use-of-artificial-intelligence-data-analytics-in

"The Monetary Authority of Singapore (MAS) has issued a set of principles to
promote fairness, ethics, accountability and transparency (FEAT) in the use
of artificial intelligence (AI) and data analytics in finance."

http://www.mas.gov.sg/~/media/MAS/News%2520and%2520Publications/Monographs%2520and%2520Information%2520Papers/FEAT%2520Principles%2520Final.pdf

The four principles are identified as:

* Fairness
* Ethics
* Accountability
* Transparency

The section on Ethics for AIDA (Artificial Intelligence and Data Analytics)
is short:

* Use of AIDA is aligned with the firm's ethical standards, values and
   codes of conduct.
* AIDA - driven decisions are held to at least the same ethical
   standards as human-driven decisions.

Mapping explainable AI characteristics to these principles is a challenge.

Risks: Brand outrage. AIDA deployment promotes and accelerates organizational
profit-seeking behaviors that throttle ethics, fairness, accountability, and
transparency parameters.


Awful AI is a curated list to track current scary usages of AI—hoping to raise awareness (David Dao)

Jose Maria Mateos <chema@rinzewind.org>
Tue, 13 Nov 2018 15:17:59 -0500
https://github.com/daviddao/awful-ai

Artificial intelligence in its current state is unfair, easily susceptible
to attacks and notoriously difficult to control. Nevertheless, more and more
concerning uses of AI technology are appearing in the wild. This list
aims to track all of them. We hope that Awful AI can be a platform to spur
discussion for the development of possible contestational technology (to
fight back!).


Google accused of 'trust demolition' over health app (BBC)

Lauren Weinstein <lauren@vortex.com>
Wed, 14 Nov 2018 08:49:10 -0800
via NNSquad [Ignore the rants!]
https://www.bbc.com/news/technology-46206677

  A controversial health app developed by artificial intelligence firm
  DeepMind will be taken over by Google, it has been revealed.  Streams was
  first used to send alerts in a London hospital but hit headlines for
  gathering data on 1.6 million patients without informing them.  DeepMind
  now wants the app to become an AI assistant for nurses and doctors around
  the world.  One expert described the move as "trust demolition".

IGNORE THE RANTS! - Google taking over this app does ABSOLUTELY NOTHING to
reduce the privacy protections included therein, nor does it mean that the
related health data will be combined with any other Google data. A textbook
example of wacky knee-jerk reactions!


AI Could Make Cyberattacks More Dangerous, Harder to Detect (WSJ)

ACM TechNews <technews-editor@acm.org>
Wed, 14 Nov 2018 11:50:09 -0500
Adam Janofsky, *The Wall Street Journal*, 13 Nov 2018
via ACM TechNews, Wednesday, November 14, 2018

Scientists warn that hackers could weaponize artificial intelligence (AI) to
conceal and accelerate cyberattacks and potentially escalate their
damage. IBM researchers last month demonstrated "DeepLocker" AI-powered
malware designed to hide its damaging payload until it reaches a specific
victim, identifying its target with indicators like facial- and
voice-recognition and geolocation. IBM's Marc Stoecklin said with
DeepLocker, "AI becomes the decision maker to determine when to unlock the
malicious behavior." Meanwhile, the Stevens Institute of Technology's
Giuseppe Ateniese has investigated the use of generative adversarial
networks (GANs), which contain two neural networks that collaborate to
deceive safeguards like passwords; he designed a GAN that fed leaked
passwords found online into an AI model, to analyze patterns and narrow down
likely passwords faster than brute-force attacks. Said Ateniese, "We need to
study how AI can be used in attacks, or we won't be ready for them."

https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d288x218730x069217%26


David Tarabar <dtarabar@acm.org>
Wed, 14 Nov 2018 15:24:49 -0500
China's state media introduced an AI-based virtual news anchor. But there
are still a few bugs. It referred to Jack Ma—the founder of Alibaba—as
Jack Massachusetts.

https://radiichina.com/xinhua-unveils-first-english-speaking-virtual-news-anchor/


AmazonBasics Microwave Review: It's a Little Undercooked (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 18 Nov 2018 23:05:25 -0500
Connected, he sped through a battery of tests, which tended to either get
the job done or leave him wondering if anyone at Amazon who actually cooks
gave this thing a whirl before it was released to the public.

https://www.wired.com/review/amazonbasics-microwave/

The risk? Rampant IoT adding "di" after first letter.


Elon Musk's SpaceX wins FCC approval to put Starlink Internet satellites into orbit (WashPost)

Richard Stein <rmstein@ieee.org>
Sun, 18 Nov 2018 17:24:14 +0800
https://www.washingtonpost.com/technology/2018/11/15/elon-musks-spacex-wins-fcc-approval-put-starlink-internet-satellites-into-orbit

'"My favorite example is an innocuous little screwdriver that slipped
through an astronaut's grasp and has been circling low Earth orbit at up to
21,600 miles per hour for the last 35 years," said FCC Commissioner Jessica
Rosenworcel. "At these speeds, even a common household item can wreak
havoc."'

Risk: ~2X the current orbital satellite population w/o collisions and no
orbit reentry plan. See https://catless.ncl.ac.uk/Risks/30/86%23subj22.1

Average Joe is ineligible to play orbital dodgeball.


Customer Complains About Tesla Forums, Tesla Accidentally Gives Him Control Over Them (Motherboard )

Gabe Goldberg <gabe@gabegold.com>
Mon, 19 Nov 2018 23:43:35 -0500
"The customer was inadvertently granted a higher level of
permissions than he should have had to the Tesla forum," a Tesla
spokesperson told Motherboard in an email on Monday. "We revoked
the access as soon as it was reported, and made other changes to adjust
privileges accordingly following a full audit."

https://motherboard.vice.com/en_us/article/7xy8ey/customer-complains-about-tesla-forums-tesla-accidentally-gives-him-control-over-them

"...as soon as it was reported...". Nice security. I hope their car patches
system is more secure.


Google had a secret bug (WashPost)

"Peter G. Neumann" <neumann@csl.sri.com>
Friday 9 Nov 2018 11:17:22 PST
Craig Timberg, Renae Merle and Cat Zakrzewski, *The Washington Post*,
  8 Oct 2018
Google for months kept secret a bug that imperiled the personal data
of Google+ users

https://www.washingtonpost.com/technology/2018/10/08/google-overhauls-privacy-rules-after-discovering-exposure-user-data/

Google found a serious privacy bug in its Google+ service, but it did
not inform government regulators or users for several months.  At that
time, it announced that it would be winding down the Google+ service,
it would impose new privacy limits on developers of Android apps,
and it would limit the sharing of information about Gmail users.
Google said it could not notify users about the bug when it was first
discovered because it was not sure which users were affected.


For the first time, researchers say Facebook can cause depression (Brett Arends)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Mon, 12 Nov 2018 10:41:25 -0700
Brett Arends,  MarketWatch, 12 Nov 2018
https://www.marketwatch.com/story/new-study-claims-facebook-instagram-and-snapchat-are-linked-to-depression-2018-11-09

  Spending too much time on "social media" sites like Facebook is making
  people more than just miserable. It may also be making them depressed.

  A new study conducted by psychologists at the University of Pennsylvania
  has shown—for the first time—a causal link
  between time spent on social media and depression and loneliness, the
  researchers said.

  It concluded that those who drastically cut back their use of sites like
  Facebook, Instagram and Snapchat often saw a marked improvement in their
  mood and in how they felt about their lives.

  "It was striking," says Melissa Hunt, psychology professor at University
  of Pennsylvania, who led the study. "What we found over the course of
  three weeks was that rates of depression and loneliness went down
  significantly for people who limited their (social media) use."

  Many of those who began the study with moderate clinical depression
  finished just a few weeks later with very mild symptoms, she says.

  The study, "No More FOMO: Limiting Social Media Decreases Loneliness and
  Depression," was conducted by Melissa Hunt, Rachel Marx, Courtney Lipson
  and Jordyn Young, and is being published by the peer-reviewed Journal of
  Social and Clinical Psychology.


Mozilla - *privacy not included

Gabe Goldberg <gabe@gabegold.com>
Tue, 13 Nov 2018 19:30:55 -0500
  Shop Safe This Holiday Season

Teddy bears that connect to the Internet. Smart speakers that listen to
commands. Great gifts--unless they spy on you. We created this guide to help
you buy safe, secure products this holiday season.

This shows how creepy users find these products. Scroll to see it
change. Click on a product to rate it.

https://foundation.mozilla.org/en/privacynotincluded/

Dial-a-risk, nicely calibrated.


The digital epidemic killing Indians (bbc.com)

Richard Stein <rmstein@ieee.org>
Mon, 12 Nov 2018 18:25:13 +0800
https://www.bbc.com/news/av/stories-46152427/the-digital-epidemic-killing-indians
(part of a BBC series on fake news and misinformation).

Misinformation drives crowds to act maliciously against civilians.
Crowd-sourced vigilantism.

Risk: Ineffective regulation and irresponsible oversight of messaging
application content threatens public order, weakens civility, and erodes
public trust.


Police: Woman remotely wipes phone in evidence after shooting (The Daily Gazette)

Gabe Goldberg <gabe@gabegold.com>
Tue, 13 Nov 2018 13:35:35 -0500
She now faces evidence tampering and prosecution hindering counts

https://dailygazette.com/article/2018/11/08/police-woman-remotely-wipes-phone-in-evidence-after-shooting


He Helped People Cheat at Grand Theft Auto. Then His Home Was Raided. (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Fri, 9 Nov 2018 14:15:04 -0500
A gamer in Melbourne has had his assets frozen in connection with a popular
video game cheat. He's one of many being sued by game companies worldwide,
raising questions about copyright law and the policing of online civility.

https://nyti.ms/2yZR4mz


MoneyGram agrees to pay $125 million for failing to crack down on fraudulent money transfers (WashPost)

Monty Solomon <monty@roscom.com>
Thu, 8 Nov 2018 23:40:38 -0500
MoneyGram pays huge penalty to settle FTC and DOJ allegations that it didn't
do enough to stop fraudsters from using its money transfer system

https://www.washingtonpost.com/business/2018/11/09/moneygram-agrees-pay-million-failing-crack-down-fraudulent-money-transfers/


Report: Could Your Online Behavior Affect What You Pay for Car Insurance? (San Antonio Business Journal)

Jose Maria Mateos <chema@rinzewind.org>
Wed, 14 Nov 2018 07:53:15 -0500
https://www.bizjournals.com/sanantonio/prnewswire/press_releases/Texas/2018/11/13/DA70769

Charlie Osborne for Zero Day | November 15, 2018
The Zebra, the nation's leading car insurance search engine, today released
findings of an investigative report that explores whether the U.S. auto
insurance industry—which serves 250 million U.S. drivers—is collecting
and using data about consumers' online behaviors and preferences (their
"digital footprints") to calculate what people pay for their car insurance
policies.

Link to report: https://www.thezebra.com/research/digital-footprint-car-insurance/


Couple, homeless man in viral GoFundMe charged (BostonGlobe)

Monty Solomon <monty@roscom.com>
Thu, 15 Nov 2018 20:52:00 -0500
"The entire campaign was predicated on a lie."

https://www.boston.com/news/national-news/2018/11/15/homeless-man-viral-gofundme-arrested


The Dating Brokers (TacticalTech)

Jose Maria Mateos <chema@rinzewind.org>
Wed, 07 Nov 2018 12:52:23 -0500
https://datadating.tacticaltech.org/viz

In May 2017 artist Joana Moll and Tactical Tech purchased 1 million online
dating profiles for 136€ from USDate, a supposedly US-based company that
trades in dating profiles from all over the globe. The batch of dating
profiles we purchased included pictures (almost 5 million of them),
usernames, e-mail addresses, nationality, gender, age and detailed personal
information about all of the people who had created the profiles, such as
their sexual orientation, interests, profession, thorough physical
characteristics and personality traits. Purchasing this data exposed a vast
network of companies that are capitalising on this information without the
conscious consent of the users, who ultimately are the ones being
exploited.  This project attempts to make parts of that network, and how it
works, visible to everyone.


Osaka woman terrifyingly attacked by intruder while playing video games in her home late at night (Sora News)

Gene Wirchenko <genew@telus.net>
Mon, 19 Nov 2018 23:08:25 -0800
  [Yes, it is not directly computer-related, but consider the security
  risks: 1) headphones while playing alone (What if the intruder had not cut
  the power first?  (possible surprise)) 2) The fuse box being right by the
  front door.  It would be too easy for a computer programmer to be
  similarly ambushed.]

https://soranews24.com/2018/11/19/osaka-woman-terrifyingly-attacked-by-intruder-while-playing-video-games-in-her-home-late-at-night/

[This story] is like something out of an urban legend.

At nearly 2 a.m. on 18 November, a 29-year-old woman was playing video games
in her apartment in the Mitsumatsu area of Kaizuka City, Osaka Prefecture.
She was playing with a pair of headphones on so as not to disturb the
neighbors in her building. However, in the middle of her game all the power
in her apartment suddenly went out.

She walked toward the front door where the fuse box was, but instead found
the silhouette of a strange man standing inside her apartment, having
somehow gained entrance to her home. He had apparently pulled the circuit
breaker moments earlier, and his entrance had been drowned out by the sounds
of her gaming.

Fuse boxes are often found next to the front door of Japanese apartments.


Re: EMV card fraud statistics (Goldberg, RISKS-30.91)

David Alexander <davidalexander440@btinternet.com>
Tue, 13 Nov 2018 09:28:20 +0000 (UTC)
I would just like to point out that, just because a card is EMV enabled, it
does not mean it cannot be attacked by other means such as compromising the
POS device. I have recently returned to the UK from a trip that took me to
Texas, New Mexico and California. While I was pleased to see a lot of
merchants are now using chip and PIN in the US there were a disappointingly
high number of places where the mag stripe on my EMV card was `swiped'
through the reader and I still had to sign for my purchase.  I know that
will not account for anything like all of the 90% quoted in the article but
it would be worth analysing if there is still a disproportionately high risk
from merchants who have yet to migrate to chip and PIN.

The problem is that enough data to commit fraud is still held in the mag
stripe on the card. Until such time as the mag stripe can be eliminated the
cards will be vulnerable. I haven't yet been brave enough to run a strong
magnet over the stripe on one of my cards to see what the effect might be.
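The point that a swiped EMV card still hands the merchant everything on the magnetic stripe is something an acquirer's fraud rules can act on. The following is an added example, not code from David Alexander's post or from any payment vendor: it parses ISO/IEC 7813 Track 2 data, reads the service code that tells a terminal whether a chip is present, and flags "technical fallback" transactions where a chip-capable card was swiped anyway, tallying the fallback rate per merchant (the kind of analysis the post asks for). The track data, PAN (the well-known Visa test number), merchant ids and transaction records are all constructed sample data.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code(3) discretionary-data '?'
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Constructed sample data: the PAN is the well-known Visa test number and the
# discretionary data is arbitrary digits. Service code 201 = chip present,
# no PIN restriction (the profile of a typical US chip-and-signature card).
SAMPLE_TRACK2 = ";4111111111111111=25122011234567890?"

# Constructed transaction records (merchant ids are invented).
SAMPLE_TXNS = [
    {"id": "t1", "merchant": "M-TX-01", "entry_mode": "chip"},
    {"id": "t2", "merchant": "M-TX-01", "entry_mode": "swipe"},
    {"id": "t3", "merchant": "M-NM-07", "entry_mode": "swipe"},
    {"id": "t4", "merchant": "M-NM-07", "entry_mode": "swipe"},
    {"id": "t5", "merchant": "M-CA-03", "entry_mode": "contactless"},
]


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; catches corrupted reads, not forgeries."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str

    @property
    def chip_present(self) -> bool:
        # First service-code digit 2 or 6: an IC is present and should be used
        # where the terminal supports it. A swipe of such a card is a fallback.
        return self.service_code[0] in "26"

    @property
    def pin_required(self) -> bool:
        # Third digit 0, 3 or 5: the issuer requires PIN verification.
        return self.service_code[2] in "035"


def parse_track2(raw: str) -> Track2:
    """Parse raw Track 2 data; reject malformed input and PANs failing Luhn."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not ISO 7813 Track 2 data")
    if not luhn_ok(m.group("pan")):
        raise ValueError("PAN fails Luhn check")
    return Track2(m.group("pan"), m.group("yy") + m.group("mm"), m.group("svc"))


def mask_pan(pan: str) -> str:
    """PCI-style masking for logs: keep at most the first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def fallback_report(txns, track2_raw):
    """Flag swipes of a chip-capable card and tally fallback rates per merchant.

    Returns (flagged_txn_ids, {merchant: (fallback_count, total_count)}).
    """
    card = parse_track2(track2_raw)
    flagged = []
    per_merchant = {}
    for t in txns:
        fb, total = per_merchant.get(t["merchant"], (0, 0))
        is_fallback = card.chip_present and t["entry_mode"] == "swipe"
        if is_fallback:
            flagged.append(t["id"])
        per_merchant[t["merchant"]] = (fb + int(is_fallback), total + 1)
    return flagged, per_merchant


if __name__ == "__main__":
    card = parse_track2(SAMPLE_TRACK2)
    print(f"card {mask_pan(card.pan)} svc={card.service_code} chip={card.chip_present}")
    flagged, rates = fallback_report(SAMPLE_TXNS, SAMPLE_TRACK2)
    print("fallback transactions:", flagged)
    for merchant, (fb, total) in sorted(rates.items()):
        print(f"{merchant}: {fb}/{total} swiped despite chip")
```

In the sample batch every swipe is a fallback because the card's service code announces a chip; a real rule would combine the per-merchant fallback rate with the cardholder's history before declining or stepping up authorization, and the PAN is masked before anything reaches a log, since the stripe data itself is exactly what the post warns is enough to commit fraud.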


Re: Ethics of whom to kill (RISKS-30.90,91)

"Arthur T." <risks2018a.10.atsjbt@xoxy.net>
Tue, 06 Nov 2018 19:07:43 -0500
On 6 Nov 2018 13:44:32 -0500, in comp.risks
(Message-ID:<CMM.0.90.4.1541529734.risko@chiron.csl.sri.com1852>)
risko@csl.sri.com (RISKS List Owner) wrote:

> Has Rob Slade not heard of "The exception proves the rule"? Yes I know
> this saying is horribly mis-used, but it almost certainly comes from the
> fact that it only takes ONE inconvenient fact to destroy a scientific
> theory.

That turns out not to be the case. It's a very old legal maxim which says
that an exception in the law presupposes the rule it's an exception to. So a
sign saying that parking is allowed on Tuesdays implies that there's a rule
that it's not allowed on the other days. There are several sites which trace
the etymology; one of the more trusted might be
<https://www.snopes.com/fact-check/exceptional-proof/>

> It is also an inconvenient fact that people dismiss inconvenient facts as
> "oh that's just an anecdote". But it only takes one inconvenient anecdote
> to be verifiable, at which point it becomes a data point capable of
> destroying your theory and lifetime's work.

As we just saw, what's "obvious" or "almost certain" may not be
true. Anecdotes tend to be passed along and morphed by the
whisper-down-the-lane effect.

The other problem with anecdotes is confirmation bias.  There are, say, ten
horrible crashes of self-driving cars.  But how many would have been avoided
by an alert driver?  How many miles of self-driving have there been total,
and how does that compare to human-driven miles vs. crashes?

> If there are a lot of anecdotes out there you cannot just dismiss and
> ignore them.

"My cousin's friend was abducted by aliens. What you gotta say about that,
Mr. Scientist?" While there are anecdotes which shouldn't be ignored, there
are some which should be. There are enough reputable people on all
sides of the self-driving car controversies that I expect the truth to come
out, and probably in a timely fashion.


Re: Tesla (Risks-30.91)

Wols Lists <antlists@youngman.org.uk>
Wed, 7 Nov 2018 01:30:03 +0000
On 06/11/18 18:42, RISKS List Owner wrote:
> Now, the Tesla can do that, too. If it notices that you're being blocked,
> and that there's room in the next lane, a notification appears on your
> screen. It informs you that if you put on your turn signal, Autopilot will
> take it from there. It does the passing maneuver smoothly and
> gracefully. (It doesn't actually return to your original lane, however --
> just changes into a faster lane, passing the slowpoke, and stays there.)

Which is illegal - staying in the outside lane, that is. Certainly in
the UK. And I got fined in the old GDR for doing that.

In the UK, every lane except the nearside is designated a passing (or
overtaking) lane and is supposed to be used *only* for that purpose. If
there's a lot of traffic, people stay in the outer lanes because they're
continually overtaking other vehicles.

Or they stay in the outer lanes when they shouldn't, which is actually a
major problem. Hogging the middle lane on a motorway is seen as a minor
infringement, but on a motorway many vehicles are not allowed to use the
outside lane. So if I'm doing 60 towing a caravan, and come across a
lane-hog doing 50, I can't get past! If I undertake that's called dangerous
driving, and if I overtake then I'm in big trouble for using a lane I am
explicitly barred from.


Re: Credit Card Chips Have Failed to Halt Fraud, Survey Shows (Goldberg, RISKS-30.91)

Phil Smith III <phsiii@gmail.com>
Wed, 7 Nov 2018 15:56:07 -0500
Gabe Goldberg wrote about
http://fortune.com/2018/11/05/credit-card-chips-fail-to-halt-fraud-survey-says/

Terrible article by Fortune. EMV was never expected to "put an end to
rampant credit card fraud". EMV was expected to make it harder to do CP
(Card-Present) fraud, which it has done. And to nobody's surprise (in the
Payments industry, anyway) CNP (Card-Not-Present) fraud has gone up while CP
fraud has gone down, just as it has in every other market when EMV was
introduced.

As has surely been discussed here before, the U.S. issuers chose chip &
signature instead of chip & PIN as is used in other markets. The stated
reason for this is that PINs are "inconvenient", and are thus seen as a
competitive disadvantage: if my Chase Visa requires a PIN and my Citi Visa
doesn't, the theory is that I'm more likely to use the Citi card.

This logic seems thin at best. I believe a more likely real reason is that
chip&signature was easier for issuers to implement in their mostly
home-grown back-end systems. And this seems to be supported by the fact that
most U.S. issuers don't even support chip&PIN. If not for the implementation
cost, one would assume that issuers would have added chip&PIN *support* at
least while adding EMV support, and thus would at least allow PINs.

A few domestic issuers do support chip&PIN: if you ask, they will issue a
PIN. But that doesn't mean using the card will ask for a PIN in most
cases. It does, however, prepare you for international travel, where
chip&PIN is pretty well universal and you may be SOL if you don't have a
PIN.


Re: Risks in Using Social Media to Spot Signs of Mental Distress (Solomon, RISKS-28.45)

Richard Stein <rmstein@ieee.org>
Sun, 18 Nov 2018 18:15:34 +0800
https://www.npr.org/2018/11/17/668408122/facebook-increasingly-reliant-on-a-i-to-predict-suicide-risk

'"To just give you a sense of how well the technology is working and rapidly
improving...in the last year we've had 3,500 reports," she says.  That means
AI monitoring is causing Facebook to contact emergency responders an average
of about 10 times a day to check on someone—and that doesn't include
Europe, where the system hasn't been deployed.  (That number also doesn't
include wellness checks that originate from people who report suspected
suicidal behavior online.)

"Davis says the AI works by monitoring not just what a person writes online,
but also how his or her friends respond. For instance, if someone starts
streaming a live video, the AI might pick up on the tone of people's
replies.

'"Maybe like, 'Please don't do this,' 'We really care about you.' There are
different types of signals like that that will give us a strong sense that
someone may be posting of self-harm content," Davis says.'

The National Institute of Mental Health (NIMH) cites these statistics for
2016 (https://www.nimh.nih.gov/health/statistics/suicide.shtml):

* Suicide was the tenth leading cause of death overall in the United States,
claiming the lives of nearly 45,000 people.

* Suicide was the second leading cause of death among individuals between
the ages of 10 and 34, and the fourth leading cause of death among
individuals between the ages of 35 and 54.

* There were more than twice as many suicides (44,965) in the United States
as there were homicides (19,362).

The age-adjusted suicide rate (per 100,000 persons) in 2016 was 21.3 for
men, 6.0 for women, with a 13.4 suicides/day national average (see Table 1
from the shtml page above).

One year post-deployment of Facebook's AI algorithm to spot customer suicide
potential w/o a statement of false positive detection or false negative
detection is curious.

The reference in Solomon's post
(https://catless.ncl.ac.uk/Risks/28/45#subj3) reports that 70% detection
accuracy was achievable by analyzing Twitter posts from 171 users.
Equivalent arithmetic for Facebook suggests (1-0.7)*3500 = 1050 emergency
calls are false positives.

The NIMH age-adjusted statistic of a 13.4 daily case average suggests that
not all potential suicides are either engaged or tracked via Facebook,
despite the estimated ~203M users in 2017 (see
https://www.statista.com/statistics/408971/number-of-us-facebook-users/).

Risk: Emergency service response dilution from suicide detection algorithm
contextual analysis bias.


Book review: You'll see this message when it is too late, by Josephine Wolff (Web Informant)

Gabe Goldberg <gabe@gabegold.com>
Mon, 19 Nov 2018 19:58:48 -0500
A new book from Professor Josephine Wolff at Rochester Inst. of Technology
called *You'll see this message when it is too late* is worth reading
<https://www.amazon.com/Youll-this-message-when-late/dp/0262038854/davidstromswebin>.
While there are plenty of other infosec books on the market, to my knowledge
this is the first systematic analysis of different data breaches over the
past decade.

She reviews a total of nine major data breaches of the recent past and
classifies them into three different categories, based on the hackers'
motivations; those that happened for financial gain (TJ Maxx and the South
Carolina Department of Revenue and various ransomware attacks); for
cyberespionage (DigiNotar and US OPM) and online humiliation (Sony and
Ashley Madison). She takes us behind the scenes of how the breaches were
discovered, what mistakes were made and what could have been done to
mitigate the situation.

A lot has been already written on these breaches, but what sets Wolff's book
apart is that she isn't trying to assign blame but *dive into their root
causes and link together various IT and corporate policy failures that led
to the actual breach*.

http://blog.strom.com/wp/?p=6905
