The RISKS Digest
Volume 30 Issue 95

Saturday, 8th December 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Deadly Soul of a New Machine: Bots, AI, and Algorithms
Timothy Egan
How to train an AI
Mark Thorson
Texas straight-ticket voters report ballot concerns
Austin American Statesman
O2 outage: more than 30m mobile customers unable to get online
The Guardian et al.
Homeland Security Will Let Computers Predict Who Might Be a Terrorist on Your Plane—Just Don't Ask How It Works
The Intercept
A Dark Consensus About Screens and Kids Begins to Emerge in Silicon Valley
NYTimes
Rudy Giuliani Says Twitter Sabotaged His Tweet. Actually, He Did It Himself.
NYTimes
Teen electrocuted while using headphones on plugged-in mobile phone
yahoo.com
Auto theft on the rise in Toronto area, and a security expert thinks he knows why
CBC News
Starbucks and passwords ...
Rob Slade
New Attack Could Make Website Security Captchas Obsolete
ACM Tech News
Teachers Say There's a Disconnect in Computer Science Education
Tina Nazerian
Banks Adopt Military-Style Tactics to Fight Cybercrime
NYTimes
The backdrop of Jamal Khashoggi's killing: A chilling cyberwar
WashPost
Re: EU data rules have not stopped spam emails
DJC
Re: "Human intelligence is needed." Want to Purge Fake News? Try Crowdsourcing
Tom Russ
Re: Risks of Airport Wi-Fi
Jay Libove
Info on RISKS (comp.risks)

Deadly Soul of a New Machine: Bots, AI, and Algorithms (Timothy Egan)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 8 Dec 2018 10:09:43 PST
Timothy Egan, *The New York Times*, 8 Dec 2018,
  op-ed below the main editorial

At what point is control lost and the creations take over?
How about now?

This mentions the Lion Air Flight 610, where the pilots did not realize
that what they needed to do was to disable the autopilot.  It concludes:

  As haunting as those final moments inside the cockpit of Flight 610 were,
  it's equally haunting to grasp the full meaning of what happened.  The
  system overrode the humans and killed everyone.  Our invention.  Our
  folly.


How to train an AI

Mark Thorson <eee@dialup4less.com>
Wed, 5 Dec 2018 16:46:05 -0800
The obvious solution is a training signal.

http://www.smbc-comics.com/comics/1543932715-20181204.png


Texas straight-ticket voters report ballot concerns (Austin American Statesman)

Arthur Flatau <flataua@acm.org>
Sat, 27 Oct 2018 08:07:15 -0500
The idea that hitting a button or other control while a screen is
rendering is a user error is astounding.  If the machine incorrectly
interprets user input, it is a bug, plain and simple.

Amid scattered complaints by straight-ticket early voters of both parties
that their ballots did not, at first, correctly record their choice of
either Democrat Beto O'Rourke or Republican Ted Cruz for U.S. Senate, state
and local election officials are cautioning voters to take their time in
voting and check the review screen for accuracy before casting ballots.

The elections officials say the problems resulted from user error in voting
on the Hart eSlate machines widely used in Texas—including in Travis,
Hays and Comal counties—and are not the result of a machine glitch or
malfunction.

"The Hart eSlate machines are not malfunctioning," said Sam Taylor,
communications director for the Texas secretary of state's office.  "The
problems being reported are a result of user error—usually voters hitting
a button or using the selection wheel before the screen is finished
rendering."

Taylor said the office is aware of a handful of complaints and that the
voters were able to correct their ballots before casting their votes.

https://www.statesman.com/news/20181026/texas-straight-ticket-voters-report-ballot-concerns


O2 outage: more than 30m mobile customers unable to get online (The Guardian et al.)

Monty Solomon <monty@roscom.com>
Fri, 7 Dec 2018 21:13:07 -0500
Users of Tesco Mobile and Sky Mobile also hit as O2 blames supplier's
software glitch
https://www.theguardian.com/business/2018/dec/06/o2-customers-unable-to-get-online

O2 announces goodwill gestures after millions hit by data outage
Provider repeats apology for customers' loss of connection and offers
compensation.
https://www.theguardian.com/business/2018/dec/07/o2-services-restored-after-millions-hit-by-data-outage

Ericsson apologises for O2 network outage
The data network crash, which affected millions of people worldwide, was
caused by an expired software certificate.
https://www.computing.co.uk/ctg/news/3067847/ericsson-apologises-for-o2-network-outage

Update on software issue impacting certain customers
https://www.ericsson.com/en/press-releases/2018/12/update-on-software-issue-impacting-certain-customers

SoftBank Apology for Mobile Communication Service Troubles
https://www.softbank.jp/en/corp/group/sbm/news/press/2018/20181206_02/


Homeland Security Will Let Computers Predict Who Might Be a Terrorist on Your Plane—Just Don't Ask How It Works (The Intercept)

Richard Stein <rmstein@ieee.org>
Wed, 5 Dec 2018 15:30:49 +0800
https://theintercept.com/2018/12/03/air-travel-surveillance-homeland-security/

Among the data items the DHS's GTAS (Global Travel Assessment System) will
consume when augmented by Virginia-based DataRobot's stack are:

"...the software's predictions must be able to function 'solely' using data
gleaned from ticket records and demographics—criteria like origin
airport, name, birthday, gender, and citizenship. The software can also draw
from slightly more complex inputs, like the name of the associated travel
agent, seat number, credit card information, and broader travel itinerary."

"If you ask DHS, this is a categorical win-win for all parties involved.
Foreign governments are able to enjoy a higher standard of security
screening; the United States gains some measure of confidence about the
millions of foreigners who enter the country each year; and passengers can
drink their complimentary beverage knowing that the person next to them
wasn't flagged as a terrorist by DataRobot's algorithm. But watchlists,
among the most notorious features of post-9/11 national security mania, are
of questionable efficacy and dubious legality. A 2014 report by The
Intercept pegged the U.S. Terrorist Screening Database, an FBI data set from
which the no-fly list is excerpted, at roughly 680,000 entries, including
some 280,000 individuals with 'no recognized terrorist group affiliation.'"

Risk: Security by obscurity.

What historical data, beyond watch list name match, will tip the algorithm
into flagging a ticketed passenger for a pre-board interrogation? Perhaps a
preference for pretzels over peanuts?


A Dark Consensus About Screens and Kids Begins to Emerge in Silicon Valley (NYTimes)

Richard Stein <rmstein@ieee.org>
Mon, 29 Oct 2018 21:53:57 +0800
https://www.nytimes.com/2018/10/26/style/phones-children-silicon-valley.html

Mental illness traced to wireless mobile device (WMD) addiction has a label:
The 'iDisorder.'  See a book review:
https://www.nytimes.com/2012/05/13/business/in-idisorder-a-look-at-mobile-device-addiction-review.html

Excessive mobile device usage, induced by applications that easily
captivate, is unhealthy. Children are especially susceptible to overuse.
While there's no equivalent to the US Surgeon General's "Smoking causes
cancer" warning, strictly enforced mobile device access restrictions for
adolescents constitute wise parental guidance.

The National Institutes of Health archives several studies on the
physiological effects arising from excessive mobile device usage.

"The Potential Impact of Internet and Mobile Use on Headache and Other
Somatic Symptoms in Adolescence. A Population-Based Cross-Sectional Study"
published JUL2016 at https://www.ncbi.nlm.nih.gov/pubmed/27255862.

"Conclusion: Results highlighted the potential impact of excessive internet
and mobile use, which ranges from different types of headache to other
somatic symptoms. Further studies are needed to confirm these findings and
to determine if there is a need for promoting preventive health
interventions, especially in school setting."

"Evaluation of mobile phone addiction level and sleep quality in university
students" published JUL-AUG2013 at
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3817775/.

"Conclusion: The sleep quality worsens with increasing addiction level.  It
was concluded that referring the students with suspected addiction to
advanced healthcare facilities, performing occasional scans for early
diagnosis and informing the students about controlled mobile phone use would
be useful."


Rudy Giuliani Says Twitter Sabotaged His Tweet. Actually, He Did It Himself. (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Thu, 6 Dec 2018 11:51:05 -0500
A tweet from Mr. Giuliani now links to an anti-Trump page. The president's
lawyer blamed Twitter, but the culprit was his own typo (plus a prankster in
Atlanta).

https://www.nytimes.com/2018/12/05/us/politics/rudy-giuliani-twitter-links.html

Risks? Technology + Giuliani.


Teen electrocuted while using headphones on plugged-in mobile phone (yahoo.com)

Richard Stein <rmstein@ieee.org>
Wed, 5 Dec 2018 16:03:11 +0800
https://sg.news.yahoo.com/teen-electrocuted-while-using-headphones-053237666.html

"Injuries and accidents caused by power surges while mobile phones are
charging are not uncommon, and by now we should all know a few tips to keep
us safe while using mobile devices. Namely, try not to use your charging
phone. Plugged into a wall, the live socket could deliver up to 230 volts of
electric charge, which could be leaked by a loose cable, or inferior quality
charger than the one the manufacturer gave you."

The "stuff that comes out of the wall" in Malaysia is 230 volts @ 50Hz.

From Brazil, a similar event was reported 20FEB2018 at
https://www.thesun.co.uk/news/5626441/girl-17-electrocuted-with-headphones-melted-in-her-ears-while-using-her-mobile-that-was-charging/


Auto theft on the rise in Toronto area, and a security expert thinks he knows why (CBC News)

Jose Maria Mateos <chema@rinzewind.org>
Wed, 05 Dec 2018 15:33:07 -0500
https://www.cbc.ca/news/canada/toronto/car-thefts-rising-1.4930890

According to Bates, many of these thieves are using a method called "relay
theft."  Key fobs are constantly broadcasting a signal that communicates
with a specific vehicle, he said, and when it comes into a close enough
range, the vehicle will open and start.  "The way that the thieves are
getting around this is they're essentially amplifying that low power signal
coming off of the push start fob," he said.  "They will prey upon the
general consensus that most people are leaving their key fobs close to the
front door of their home and the vehicle will be in the driveway."

The thief will bring a device close to the home's door, close to where most
keys are sitting, to boost the fob's signal.  They leave another device near
the vehicle, which receives the signal and opens the car.  Many people don't
realize it, Bates said, but the thieves don't need the fob in the car to
drive it away.


Starbucks and passwords ...

Rob Slade <rmslade@shaw.ca>
Thu, 6 Dec 2018 09:57:45 -0800
For me, Starbucks is not the religious experience it is for those who call
it St. Arbucks.  But somebody gave me a Starbucks card, and I thought I'd
try out their registration and rewards program.

OK, I'm quitting the Starbucks rewards program.  I don't drink enough coffee
to justify it anyway, but I've got lots of other accounts lying around the
Net that I just let go dormant.  The thing is, I can't use the Starbucks
system.  Literally.  I can't sign back in.

The system refuses to let me use my existing password.  It tells me that
password is invalid.  When I try to reset my password, Starbucks sends me
email with a link.  It is some kind of weird formatting, because it won't
show as a link on that email system, and I have to read the raw message and
HTML and try to find the link.

Having found the link, I try to reset and set it to the one I have used when
I created the account.  But the system tells me I can't use it since I've
used it before.  But if I try to log in with it, the system tells me it is
invalid.

Starbucks also has one of those huge lists of requirements for passwords.
It's gotta be mixed case.  It's gotta have numbers.  It's gotta have
symbols.  It can't have certain symbols.  It's gotta have emojis.  It's
gotta have your favourite Star Wars character.  (Regardless of whether or
not you even know what Star Wars is.)

I suppose I could figure out how to create a password acceptable to their
system, and hope that the system doesn't forget the new one like it did the
old one, but, frankly, Starbucks just isn't that important ...


New Attack Could Make Website Security Captchas Obsolete

ACM TechNews <technews-editor@acm.org>
Fri, 7 Dec 2018 11:41:40 -0500
Lancaster University (12/05/18) via ACM TechNews

Researchers at Lancaster University in the U.K., Northwest University, and
Peking University in China have demonstrated a deep learning algorithm that
could render captcha security and authentication redundant. The algorithm
solves captchas with substantially greater accuracy than earlier captcha
attack systems, and successfully cracks captcha versions that defeated
previous hacks. The system uses a generative adversarial network (GAN),
educating a captcha generator to produce large numbers of training captchas
that are indistinguishable from actual captchas. These are employed to
quickly train a solver, which is tested against real captchas; the algorithm
only needs 500 genuine captchas, rather than the millions required to train
a conventional attack program. Lancaster's Zheng Wang said, "Our work shows
that the security features employed by the current text-based captcha
schemes are particularly vulnerable under deep learning methods."

https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d719x2190f8x069241%26


Teachers Say There's a Disconnect in Computer Science Education (Tina Nazerian)

ACM TechNews <technews-editor@acm.org>
Fri, 7 Dec 2018 11:41:40 -0500
Tina Nazerian, EdSurge (CA), 3 Dec 2018, via ACM TechNews

Eighty-eight percent of teachers said computer science is critical for
students' success in the workplace, but two in 10 said their students are
not taught any computer science, according to a survey of 540 K-12 teachers
in the U.S. that was commissioned by Microsoft. The teachers attributed the
gap to computer science not being part of their schools' curricula, a lack
of funding for it, and computer science not being a subject on which
students are tested. Microsoft's Mark Sparvell said, "Computer science is
clearly in high demand. Teachers see it as a priority, parents see it as a
priority from previous research. And yet, it's in low supply." Sheena
Vaidyanathan, a computer science integration specialist in the Los Altos
School District in California, said computer science should be part of the
core U.S. education curriculum, like math and reading, rather than being
dependent on funding and involvement from tech companies.

https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d719x2190fex069241%26


Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Mon, 22 Oct 2018 16:50:22 -0400
Like many cybersecurity bunkers, IBM's foxhole has deliberately theatrical
touches. Whiteboards and giant monitors fill nearly every wall, with
graphics that can be manipulated by touch.

"You can't have a fusion center unless you have really cool TVs," quipped
Lawrence Zelvin, a former Homeland Security official who is now Citigroup's
global cybersecurity head, at a recent cybercrime conference. "It's even
better if they do something when you touch them.  It doesn't matter what
they do. Just something."

Security pros mockingly refer to such eye candy as "pew pew" maps, an
onomatopoeia for the noise of laser guns in 1980s movies and video
arcades. They are especially useful, executives concede, to put on display
when V.I.P.s or board members stop by for a tour. Two popular "pew pew" maps
are from FireEye and the defunct security vendor Norse, whose video
game-like maps show laser beams zapping across the globe.  Norse went out of
business two years ago, and no one is sure what data the map is based on,
but everyone agrees that it looks cool.

https://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html

Of course, a comment on the article has the solution:

BLOCKCHAIN Software guarantees a valid trail of corrupted files, preserving
the data. I wonder how long it will be until even that system is
defeated. What BlockChain software the power is its distributive system,
meaning that the data is stored in multiple private computers.  Whether that
system meets legal requirements for privacy is another question. But the
logic is clear: if data is distributed according to a randomizing algorithm,
that makes it a lot more complicated for intruders to be able to follow data
and to corrupt the system to a point where it shuts down. Or worse, becomes
subject to malware that results in ransom or other maneuvers of financial
plundering. It is, no doubt, the bane of our digital world that the
vulnerabilities are incomprehensible to the lay person and difficult if not
impossible for the experts to protect fully. Things may not be at the point
where investors are advised to purchase gold and hide under a mattress. But
we may well be headed in that direction.


The backdrop of Jamal Khashoggi's killing: A chilling cyberwar (WashPost)

Monty Solomon <monty@roscom.com>
Fri, 7 Dec 2018 22:19:30 -0500
Inside the 21st-century battle of ideas waged by the fearful crown prince
and a conniving courtier.

https://www.washingtonpost.com/opinions/global-opinions/how-a-chilling-saudi-cyberwar-ensnared-jamal-khashoggi/2018/12/07/f5f048fe-f975-11e8-8c9a-860ce2a8148f_story.html


Re: EU data rules have not stopped spam emails

DJC <djc@resiak.org>
Tue, 4 Dec 2018 10:12:59 +0100
I get spam and phishing mail in English, many different accents of broken
English, Chinese, Korean, Spanish, Serbian, German, French, and Hungarian;
and perhaps I've forgotten a couple.  The originating systems can be
anywhere on the net, lately with an unusual concentration of personal
systems in South America, probably infected, plus lots of Russian systems.

The GDPR doesn't seem likely to touch this business, and I can't imagine why
people ever thought it would.  The GDPR does, however, impede a nonprofit I
work with from helping many of our signed-up email recipients actually get
the mail they want from us.

You might say it could use more thinking and more work.


Re: "Human intelligence is needed." Want to Purge Fake News? Try Crowdsourcing (RISKS-30.94)

Tom Russ <taruss@google.com>
Tue, 4 Dec 2018 11:36:27 -0800
It seems that a major problem with the fake news epidemic has been the use
of bot networks to promote articles. It seems like any sort of
crowd-sourcing of news validation will just cause the bad actors to move
their botnets to the new feedback buttons to swamp the real users in the
voting process.  The "wisdom of the crowd" presumes that you have some
reasonable sample of people and not an auditorium packed with your paid
shills.


Re: Risks of Airport Wi-Fi (RISKS-30.94)

Jay Libove <libove@felines.org>
Tue, 4 Dec 2018 08:48:06 +0000
Responding to Geoff Goodfellow's posting about an LA Times article about the
risks of airport Wi-Fi, I've never understood why we consider this such a
high threat.  All mobile devices which ever sit outside of very strongly
secured networks (which is basically all mobile devices) must be their own
security perimeters. We must assume, and appropriately configure our devices
to work securely in the case, that the Internet connection is being
monitored, DNS can be hijacked, and unencrypted data sessions may be
monitored or even tampered with.  On that basis, an airport or coffee shop
or any other Wi-Fi or 3G mobile or hotel or friend's home or any other
network at all is no different than computing/networking in the general use
case.  So why do we continue to raise flags about "insecure WiFi" and evil
twins, rather than push for secure-enough general configurations?
