The RISKS Digest
Volume 31 Issue 14

Tuesday, 26th March 2019

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Take Another Little Peek at my Heart
Dan Goodin
Warnings of a Dark Side to AI in Health Care
NYTimes
These 11 Weird Smart Home Devices Can Change Your Life
Lifewire
Baristas beware: A robot that makes gourmet cups of coffee has arrived
The Washington Post
Two Singapore consortia to develop/trial driverless road cleaning vehicles
The Straits Times
Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers
motherboard
iOS Safari Flaw Allows Deceptive News Headlines in Messages
Intego
These Portraits Were Made by AI: None of These People Exist
The Verge
The Spring That Prematurely Ended a Magical Summer
Now I Know
Detroit Downloads Tesla's Software Strategy
WSJ
Russia wants to cut itself off from the global Internet. Here's what that really means.
MIT Tech Review
Tweet by Soldier of FORTRAN on Twitter
Drew Dean
Jeep stuck in Whately woods after GPS gives wrong directions
GazetteNet
How Google's Bad Data Wiped a Neighborhood off the Map
Medium
The Internet's Phone Book Is Broken
Medium
Lithuanian Man Pleads Guilty to $100 Million Fraud Against Google, Facebook
SWJ
EU passes their nightmare copyright legislation
Lauren Weinstein
One dead battery + app = two dead batteries
Dan Jacobson
Online voting, again
Fortune
Tech subjects and the media
Rob Slade
Apple Life+
Rob Slade
Re: Inside YouTube's struggles to shut down video of the New Zealand shooting—and the humans who outsmarted its systems
Arthur Flatau
Re: How a 50-year-old design came back...
Craig Burton
Unproven declarations about healthcare
Paul Black
Re: Is curing patients, a sustainable business model?
Toby Douglass
The Newcastle RISKS SSL cert expired
Toby Douglass
Info on RISKS (comp.risks)

Take Another Little Peek at my Heart (Dan Goodin)

Cipher Editor <cipher-editor@ieee-security.org>
Mon, 25 Mar 2019 15:34:23 -0600
Dan Goodin, Ars Technica, 21 Mar 2019, via IEEE Cipher

HOT-WIRE MY HEART: Critical flaw lets hackers control lifesaving devices
implanted inside patients; Implanted devices from Medtronic can have their
firmware rewritten, DHS warns.

https://arstechnica.com/information-technology/2019/03/critical-flaw-lets-hackers-control-lifesaving-devices-implanted-inside-patients/

Summary: There are many people alive today because they carry implanted
medical devices in their bodies.  The devices have computers and wireless
communication capabilities.  Unsurprisingly, if they are devoid of standard
security protections, they are completely hackable.  The Conexus Radio
Frequency Telemetry Protocol, which is Medtronic's proprietary means for the
monitors to wirelessly connect to implanted devices, has a "raft" of
security weaknesses that leave them open to everything from privacy
violations to complete reprogramming by anyone within wireless range.
Medtronic emphasizes that no device has ever actually been hacked, and that
they are responding to the US Department of Homeland Security's Cybersecurity
and Infrastructure Security Agency's advisory
https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01 with all due speed.


Warnings of a Dark Side to AI in Health Care (NYTimes)

ACM TechNews <technews-editor@acm.org>
Mon, 25 Mar 2019 12:05:09 -0400
Cade Metz and Craig S. Smith, *The New York Times*, 21 Mar 2019
via ACM TechNews, 25 Mar 2019

Harvard University and Massachusetts Institute of Technology (MIT)
researchers warn in a recently published study that new artificial
intelligence (AI) technology designed to enhance healthcare is vulnerable to
misuse, with "adversarial attacks" that can deceive the system into making
misdiagnoses being one example. A more likely scenario is of doctors,
hospitals, and other organizations manipulating the AI in billing or
insurance software in an attempt to maximize revenue. The researchers said
software developers and regulators must consider such possibilities as they
build and evaluate AI technologies in the years to come. MIT's Samuel
Finlayson said, "The inherent ambiguity in medical information, coupled with
often-competing financial incentives, allows for high-stakes decisions to
swing on very subtle bits of information." Changes doctors make to medical
scans or other patient data in an effort to satisfy the AI used by insurance
firms also could wind up in a patient's permanent record.

https://www.nytimes.com/2019/03/21/science/health-medicine-artificial-intelligence.html

  [Monty Solomon noted from that article:
Machine-learning systems could be a boon to medicine. But they also can be
hacked to mislead, researchers are discovering.
  PGN]


These 11 Weird Smart Home Devices Can Change Your Life (Lifewire)

Gabe Goldberg <gabe@gabegold.com>
Mon, 25 Mar 2019 13:58:11 -0400
https://www.lifewire.com/unusual-smart-home-devices-4145020

Smart:

  * Bed
  * Toaster
  * Fork
  * Garage door opener
  * Toilet
  * Egg tray
  * Toothbrush
  * Hairbrush
  * Pet feeder
  * Frying pan
  * Flood sensor

What ever could go wrong?


Baristas beware: A robot that makes gourmet cups of coffee has arrived (The Washington Post)

Richard Stein <rmstein@ieee.org>
Sun, 24 Mar 2019 11:59:31 +0800
http://www.washingtonpost.com/technology/2019/03/22/baristas-beware-robot-that-makes-gourmet-cups-coffee-has-arrived/

"The machine can make 100 cups per hour—the output of four baristas, the
company says."

"All the numbers and data in the world can't actually tell you how the
coffee tastes," Geib said. "A big part of what a human brings is being able
to taste the coffee during the process of dialing in the flavor."

Risks: Denial of service, product satisfaction underachievement, and no
kibitzing with the barista.


Two Singapore consortia to develop/trial driverless road cleaning vehicles (The Straits Times)

Richard Stein <rmstein@ieee.org>
Thu, 21 Mar 2019 18:28:48 -0700
https://www.straitstimes.com/business/economy/two-singapore-consortia-to-develop-trial-driverless-road-cleaning-vehicles


Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers (motherboard)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 25 Mar 2019 10:27:33 PDT
  [via Geoff Goodfellow]
     [Be sure to chase down the Kaspersky securelist URL noted herein.
     Also, see Kim Zetter's take on this one:
https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
     The cleverness here is quite remarkable.  Bottom line for RISKS:
       Beware of compromised automated update mechanisms.  PGN]

The Taiwan-based tech giant ASUS is believed to have pushed the malware to
hundreds of thousands of customers through its trusted automatic software
update tool after attackers compromised the company's server and used it to
push the malware to machines.
https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

EXCERPT:

Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the
world's largest computer makers, was used to unwittingly install a malicious
backdoor on thousands of its customers' computers last year after attackers
compromised a server for the company's live software update tool.  The
malicious file was signed with legitimate ASUS digital certificates to make
it appear to be an authentic software update from the company, Kaspersky Lab
says.

ASUS, a multi-billion dollar computer hardware company based in Taiwan
https://www.asus.com/us/ that manufactures desktop computers, laptops,
mobile phones, smart home systems, and other electronics, was pushing the
backdoor to customers for at least five months last year before it was
discovered, according to new research from the Moscow-based security firm.

The researchers estimate half a million Windows machines received the
malicious backdoor through the ASUS update server, although the attackers
appear to have been targeting only about 600 of those systems. The malware
searched for targeted systems through their unique MAC addresses. Once on a
system, if it found one of these targeted addresses, the malware reached out
to a command-and-control server the attackers operated, which then installed
additional malware on those machines.

Kaspersky Lab said it uncovered the attack in January 2019 after adding a
new supply-chain detection technology to its scanning tool to catch
anomalous code fragments hidden in legitimate code or catch code that is
hijacking normal operations on a machine. The company plans to release a
full technical paper and presentation about the ASUS attack, which it has
dubbed ShadowHammer, next month at its Security Analyst Summit
https://sas.kaspersky.com/ in Singapore.  In the meantime, Kaspersky has
published some of the technical details on its website.  [...]
https://securelist.com/operation-shadowhammer/89992/


iOS Safari Flaw Allows Deceptive News Headlines in Messages (Intego)

Monty Solomon <monty@roscom.com>
Mon, 25 Mar 2019 21:01:52 -0400
https://www.intego.com/mac-security-blog/ios-safari-flaw-allows-deceptive-web-page-previews-in-messages/


These Portraits Were Made by AI: None of These People Exist (The Verge)

geoff goodfellow <geoff@iconia.com>
Tue, 26 Mar 2019 08:56:07 -0700
Check out these rather ordinary looking portraits. They're all fake. Not in
the sense that they were Photoshopped, but rather they were *completely
generated by artificial intelligence*.  That's right: none of these people
actually exist.

NVIDIA researchers have published a new paper
https://arxiv.org/pdf/1812.04948.pdf
on easily customizing the style of realistic faces created by a generative
adversarial network (GAN).

*The Verge* points out that GAN has only existed for about four years.
https://www.theverge.com/2018/12/17/18144356/ai-image-generation-fake-faces-people-nvidia-generative-adversarial-networks-gans
In 2014, a landmark paper introduced the concept, and this is what the
AI-generated results looked like at the time.
https://arxiv.org/pdf/1406.2661.pdf


The Spring That Prematurely Ended a Magical Summer (Now I Know)

Gabe Goldberg <gabe@gabegold.com>
Mon, 25 Mar 2019 14:25:25 -0400
In the spring of 1990, Coke announced something called `MagiCans'—you
can see a (grainy) ad from the campaign here:
https://www.youtube.com/watch?v=OBCKnhFwE_4

The stunt, the centerpiece to their $100 million `Magic Summer' marketing
push, was simple. Some cans of Coca-Cola Classic were loaded with coupons,
gift certificates, and most importantly, cash—up to $500. The prize cans
were spring-loaded, as seen above; if the mechanism worked properly, the
prize would pop up once the can was popped open. Those cans didn't contain
Coke, though; as the ad warned, “If you see anything other than Coca-Cola
Classic in that can, don't drink from it,'' as prize cans were `winners'
but, alas, didn't contain any actual soda. Instead, they contained a sealed
chamber of chlorinated water with a foul odor, intending to mask the weight
of the prize while also stopping winners from taking a sip in case it
somehow leaked.

http://nowiknow.com/the-spring-that-prematurely-ended-a-magical-summer/

Technology—what could go wrong? Too bad pre-Internet cans could have been
WiFi enabled to automatically broadcast sight and sound of people's
reactions to surprise contents. Not being a soda drinker, I missed this fun.


Detroit Downloads Tesla's Software Strategy (WSJ)

Monty Solomon <monty@roscom.com>
Thu, 21 Mar 2019 22:39:30 -0400
Industry moves toward wireless updates to repair problems and deliver extras

https://www.wsj.com/articles/auto-makers-steer-in-teslas-direction-on-wireless-updates-11553083202


Russia wants to cut itself off from the global Internet. Here's what that really means. (MIT Tech Review)

geoff goodfellow <geoff@iconia.com>
Mon, 25 Mar 2019 10:14:41 -0700
*The plan is going to be tricky to pull off, both technically and
politically, but the Kremlin has set its sights on self-sufficiency.*

EXCERPT:

In the next two weeks, Russia is planning to attempt something no other
country has tried before. It's going to test whether it can disconnect from
the rest of the world electronically while keeping the Internet running for
its citizens. This means it will have to reroute all its data internally,
rather than relying on servers abroad.

The test is key to a proposed `sovereign Internet' law currently working its
way through Russia's government. It looks likely to be eventually voted
through and signed into law by President Vladimir Putin, though it has
stalled in parliament for now.

Pulling an iron curtain down over the Internet is a simple idea, but don't
be fooled: it's a fiendishly difficult technical challenge to get right. It
is also going to be very expensive. The project's initial cost has been set
at $38 million by Russia's financial watchdog, but it's likely to require
far more funding than that. One of the authors of the plan has said it'll
be more like $304 million, Bloomberg reports, but even that figure,
industry experts say, won't be enough to get the system up and running, let
alone maintain it.

Not only that, but it has already proved deeply unpopular with the general
public. An estimated 15,000 people took to the streets in Moscow earlier
this month to protest the law, one of the biggest demonstrations in years.

*Operation disconnect*

So how will Russia actually disconnect itself from the global Internet?
“It is unclear what the `disconnect test' might entail,'' says Andrew
Sullivan, president and CEO of the Internet Society. All we know is that if
it passes, the new law will require the nation's Internet service providers
(ISPs) to use only exchange points inside the country that are approved by
Russia's telecoms regulator, Roskomnadzor.

These exchange points are where Internet service providers connect with
each other. It's where their cabling meets at physical locations to
exchange traffic. These locations are overseen by organizations known as
Internet exchange providers (IXPs). Russia's largest IXP is in Moscow,
connecting cities in Russia's east but also Riga in neighboring Latvia.

MSK-IX, as this exchange point is known, is one of the world's largest. It
connects over 500 different ISPs and handles over 140 gigabits of throughput
during peak hours on weekdays. There are six other Internet exchange points
in Russia, spanning most of its 11 time zones. Many ISPs also use exchanges
that are physically located in neighboring countries or that are owned by
foreign companies. These would now be off limits. Once this stage is
completed, it would provide Russia with a literal, physical `on/off switch'
to decide whether its Internet is shielded from the outside world or kept
open.

*What's in a name?*

As well as rerouting its ISPs, Russia will also have to unplug from the
global domain name system (DNS) so traffic cannot be rerouted through any
exchange points that are not inside Russia.

The DNS is basically a phone book for the Internet: when you type, for
example, `google.com' into your browser, your computer uses the DNS to
translate this domain name into an IP address, which identifies the correct
server on the Internet to send the request. If one server won't respond to a
request, another will step in. Traffic behaves rather like water—it will
seek any gap it can to flow through.

“The creators of the DNS wanted to create a system able to work even when
bits of it stopped working, regardless of whether the decision to break
parts of it was deliberate or accidental,'' says Brad Karp, a computer
scientist at University College London. This in-built resilience in the
underlying structure of the Internet will make Russia's plan even harder to
carry out.

The actual mechanics of the DNS are operated by a wide variety of
organizations, but a majority of the `root servers', which are its
foundational layer, are run by groups in the US. Russia sees this as a
strategic weakness and wants to create its own alternative, setting up an
entire new network of its own root servers.

“An alternate DNS can be used to create an alternate reality for the
majority of Russian Internet users,'' says Ameet Naik, an expert on Internet
monitoring for the software company ThousandEyes.  “Whoever controls this
directory controls the Internet.''  Thus, if Russia can create its own DNS,
it will have at least a semblance of control over the Internet within its
borders.

This won't be easy, says Sullivan. It will involve configuring tens of
thousands of systems, and it will be difficult, if not impossible, to
identify all the different access points citizens use to get online (their
laptops, smartphones, iPads, and so on). Some of them will be using servers
abroad, such as Google's Public DNS, which Russia simply won't be able to
replicate—so the connection will fail when a Russian user tries to access
them... [...]  MIT
https://www.technologyreview.com/s/613138/russia-wants-to-cut-itself-off-from-the-global-internet-heres-what-that-really-means/


Tweet by Soldier of FORTRAN on Twitter

Drew Dean <ddean@csl.sri.com>
Mon, 25 Mar 2019 18:16:24 -0700
Condensed from a Twitter thread starting at: https://twitter.com/mainframed767/status/1108782021571076096, @mainframed767 tells the following story:

  Auditors were reviewing logs for some appliance that used a default
  account.  Every time the account was used, it wrote the username and
  password in the logs as an easy-to-identify log entry. ... So, how did
  they fix it?  The vendor wouldn't fix the issue because the product was no
  longer supported, but the business still needed it for a few more years.
  Search your heart and guess what they did:

    1 - Migrated to a new app
    2 - Disabled logging as a whole
    3 - Changed the default password to ********

  If you guessed option 3 you're right! They changed the password to
  ********, and then when the auditors reviewed it they just assumed it was
  fixed because the passwords looked as if they had been masked!  Genius.

     [I took the liberty of a little detwittered editing for readability.
     PGN]
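
A check that would not have been fooled, as an added example (not part of the original post or thread): rather than judging whether the logged field looks masked, the audit submits a random canary value and searches the log output for it. The two logger functions and the `admin` account name are constructed stand-ins for the appliance, and it is an assumption that the appliance logs whatever password is submitted.

```python
import re
import secrets


# Constructed stand-ins for the appliance's log writer; not the real product.
def leaky_logger(username: str, password: str) -> str:
    """Behaves as the story describes: the submitted password is logged verbatim."""
    return f"AUTH user={username} password={password}"


def redacting_logger(username: str, password: str) -> str:
    """What an actual fix does: the secret never reaches the log line."""
    return f"AUTH user={username} password=[REDACTED]"


# A password field that consists only of asterisks or a redaction marker.
MASKED_FIELD = re.compile(r"password=(\*+|\[REDACTED\])(\s|$)")


def looks_masked(log_line: str) -> bool:
    """The auditors' check from the story: does the field *look* masked?"""
    return bool(MASKED_FIELD.search(log_line))


def canary_leaks(log_fn, username: str = "audit-canary", trials: int = 3) -> bool:
    """Behavioural check: submit unpredictable canary passwords and report
    True if any of them shows up verbatim in what the logger writes."""
    for _ in range(trials):
        canary = "CANARY-" + secrets.token_hex(8)
        if canary in log_fn(username, canary):
            return True
    return False


def audit(log_fn, current_password: str) -> dict:
    """Run both checks against a logger, given the account's current password."""
    line = log_fn("admin", current_password)  # "admin" is a constructed account name
    return {
        "looks_masked": looks_masked(line),
        "canary_leaks": canary_leaks(log_fn),
    }


if __name__ == "__main__":
    # The "fix" from the story: password changed to eight asterisks, logging untouched.
    print("leaky logger, password '********':", audit(leaky_logger, "********"))
    # A logger that really redacts passes both checks.
    print("redacting logger:", audit(redacting_logger, "********"))
```

With the password set to `********`, the leaky logger passes the visual check and fails the canary check, which is the gap the auditors in the story missed.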


Jeep stuck in Whately woods after GPS gives wrong directions (GazetteNet)

Monty Solomon <monty@roscom.com>
Mon, 25 Mar 2019 09:28:57 -0400
https://www.gazettenet.com/GPS-misleads-Jeep-into-Whately-woods-24262171


How Google's Bad Data Wiped a Neighborhood off the Map (Medium)

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2019 14:58:43 -0400
https://onezero.medium.com/how-googles-bad-data-wiped-a-neighborhood-off-the-map-80c4c13f1c2b


The Internet's Phone Book Is Broken (Medium)

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2019 15:01:04 -0400
https://onezero.medium.com/the-internets-phone-book-is-broken-9fcdd6ca726b


Lithuanian Man Pleads Guilty to $100 Million Fraud Against Google, Facebook (WSJ)

Monty Solomon <monty@roscom.com>
Thu, 21 Mar 2019 20:28:32 -0400
The two tech giants fell victim to an elaborate scheme orchestrated by the
defendant, prosecutors say

https://www.wsj.com/articles/lithuanian-man-pleads-guilty-to-100-million-fraud-against-google-facebook-11553126126


EU passes their nightmare copyright legislation

Lauren Weinstein <lauren@vortex.com>
Tue, 26 Mar 2019 08:09:51 -0700
The EU has passed their nightmare copyright legislation that will crush the
rights of ordinary EU users and will attempt to infect the rest of the world
with its poisons.

My recommendation—seriously—is to cut EU countries off from the Net in
all related respects as soon as they start to try to make trouble for non-EU
countries or global firms.

Based on Article 11, I'd cut them off from Google News entirely, and
drastically cut back their appearances in Google Search if they try to push
their link tax onto Google.

Global firms should consider refusing all content uploads from EU countries
where Article 13 issues are in force.

If the EU wants to treat their own citizens in such an atrocious way that's
their business. But the rest of the planet doesn't have to put up with this
sociopathic behavior by the EU.

Wall off the EU from all associated global Internet services until they come
to their senses.


One dead battery + app = two dead batteries

Dan Jacobson <jidanni@jidanni.org>
Mon, 25 Mar 2019 11:41:35 +0800
It was a foggy night. My pal parked his spanking new rental car on the
remote mountaintop.

Everything was fine except that one red blinking dashboard light that we
couldn't get to turn off. (That might mean a dead battery when we get
back... Stranded on the mountain!)

Each "on" part of the light's on-off cycle was so short that there was
not enough time for the eye to figure out its complex shape and thus
meaning.

Shining a flashlight on it just revealed a flat panel, with the shape
template invisible below.

"Hmmm, all doors closed, but perhaps not locked." I said. (No criminals
on the misty mountain, plus I bet he will lock himself out, but let's
try it anyway.)

"I need to use the rental company app to lock the doors, but my phone is
out of battery." he said.

RISK: one dead battery leads to another dead battery when an app is involved.

(How about just disconnecting the battery cable? Better not. What if the
car starts talking in Italian like in Toy Story, or detects it is being
attacked and lifts off and flies home to mother?)


Online voting, again (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Mar 2019 20:55:26 -0400
Author says:

I recently spoke to Nimit Sawhney, CEO and cofounder of Voatz, the
blockchain-based, mobile voting software provider, whose technology West
Virginia piloted
https://click.email.fortune.com/?qs£42b38f08e68b2b352488b282394d1e6b44ec5566899b5687131ecd06b8e9c5d752e501e43c57f03cb6ac596f17e3c2140abff8659b9873

during last year's general midterm election. Sawhney came up with the idea
https://click.email.fortune.com/?qs£42b38f08e68b2b3da3b37e741b3624abe33987cbb5c477226b214de4958cbf48e029bde2823e428c611669ca877284a9c350dfa917201a
for the project with his brother when the two competed in—and won—a
hackathon at Austin's SXSW festival in 2014. Since then, Sawhney has
formally established a company, based in Boston, to develop the product.

Voatz's technology is making inroads. Sawhney's 14-person team recently
won over Denver, Colo.
https://click.email.fortune.com/?qs£42b38f08e68b2b861611ebd403f430f4dd8863abe4563daa28d537552afe116eb1e69e65be9ecb502717262fb47d01edd581c6df8536af
as the second testing ground for its voting system. The city is trying the
app in its May 7th municipal election, early voting for which starts today.

I asked Sawhney why he decided to incorporate a blockchain into his
system. He says it's so that IT administrators within and outside his
company can't manipulate or delete records at will. Voatz uses so-called
permissioned ledgers, meaning only authorized parties can operate them.  In
this case, the voting database is distributed across 32 computing nodes
running the Linux Foundation's Hyperledger Fabric and Hyperledger Sawtooth
software on machines hosted by Amazon
https://click.email.fortune.com/?qs£42b38f08e68b2bb7d7dae8fe85186812ca961c46c93054b3e79e8532d99c531666b5e2f8871bf3335510949d8dfa40f0c9545eda231fb1
Web Services and Microsoft
https://click.email.fortune.com/?qs£42b38f08e68b2b213946a7073ace4502c08fcbcc22aaee793f78c06f7d9fc354ec43b46a86fb861ee7a3761c4ef590a56aed4e8f9d83d6
Azure. Voatz stewards the nodes alongside select nonprofits that act as
independent monitors, a small cadre Voatz hopes to expand to include other
major stakeholders—political parties, media entities, and others—over
time.

https://view.email.fortune.com/?qsY2c9ecd5951d82b21b03ca032478224af503a2b8e1ae0ec8aab39184d16029f7ad4c2e57d415978db00277b7fd2de81bdef1c5ab69c08fcd3ab61add7f656fcf3de08f777373f1f


Tech subjects and the media

Rob Slade <rmslade@shaw.ca>
Fri, 22 Mar 2019 11:24:34 -0700
I have been known, from time to time, to make ... "unkind" ... remarks about
the ability of the general (and sometimes even the trade) media to get
things right when addressing technical, and particularly infosec, topics.

So I was intrigued to find that I'm getting some agreement from scientists
in general.  They are even calling it "fake news."
https://vancouversun.com/news/local-news/vancouver-scientists-critical-of-media-misrepresentation-of-their-work-in-era-of-fake-news
or
https://is.gd/pfIFXF

I'm not sure if the media, under increasing pressure from the online world,
is getting worse, or if people are getting fed up, or if the increasing mass
of real fake news (mostly from the online world) is making people more
attuned to the problem ...


Apple Life+

Rob Slade <rmslade@shaw.ca>
Tue, 26 Mar 2019 08:52:03 -0800
Apple has always had partisans with a devotion bordering on fanaticism.
(Although UNIX is the one, true operating system, and Thompson is its
prophet, it is Apple that has inspired the most hard core religious wars in
computerdom.)  Apple started out with the "open" Apple ][ system.  Since
then, with the Mac and various iOS devices, Apple has been firmly closed,
and has increasingly tried to lock users into the Apple branded world.

With the iPod, and iTunes, Apple moved to control music, expanding somewhat
into movies, with extensions into podcasts (the very word deriving from the
iPod) and other audio and video content.  Then came Apple TV and Apple News.

With the recent "plus"es added to those, Apple has an enormous platform for
information, entertainment, infotainment, and all manner of content
delivery, all within the Apple environment and under Apple control.
Interest has been expressed in the medical benefits of the fitness tracker
on the Apple watch, with its ability to alert the user (or others) when
anomalous fitness readings are detected.  All of this, your phone and email
contacts and traffic, and many home IoT devices, can be controlled, managed,
recorded (and the details fed back to Apple) by Siri.  People have been
concerned over the information that Facebook and Google collect on users:
it's very difficult to believe that Apple has less access to personal user
data.

Buried in yesterday's announcement was the Apple credit card.  With its
enormous cash reserves, Apple can easily become a bank, and provide (and
manage) all kinds of financial services.

All Apple needs is a piece of Amazon's retail sector, and perhaps a
ride-sharing service (or, maybe, Apple might do an end-run, and start up a
drone-sharing telepresence service) and the Apple World+ is complete.  Many
science-fiction stories have posited a world where governments have become
irrelevant and been replaced by corporations: I suspect Apple is closest to
making this holistic control over the user's life a reality.

I expect iReligion+ to be announced any day.  Where others might go for the
cut-rate "Repent and be saved!  This is an exclusive TV offer" 20% off
salvation route, I presume Apple will go for the premium offer to save your
soul (backed up in the clouds) to an Apple branded heaven, with easy access
to forbidden fruit, as long as you only take one bite ...


Re: Inside YouTube's struggles to shut down video of the New Zealand shooting—and the humans who outsmarted its systems (RISKS-31.13)

Arthur Flatau <flataua@acm.org>
Fri, 22 Mar 2019 11:46:09 -0500
If YouTube really wanted to be able to control the spread of video like
this, it would be simple.  They could simply shut down uploads for a time,
until they can figure out how to screen the videos for the offensive
content.  Or they could, for a period of time, make it so uploads have to be
reviewed by a person before going live.  Obviously this would hinder other
people uploading to YouTube for a time.  However if they really wanted to
limit the rapid dissemination of certain videos, they could do so easily,
they just choose not to.


Re: How a 50-year-old design came back... (RISKS-31.13)

Craig Burton <craig.alexander.burton@gmail.com>
Fri, 22 Mar 2019 10:34:29 +1100
> larger engines and altered aerodynamics—led to the complex flight
> control software system

I guess this list is very familiar with these but in case not I have to
bring up Joseph Tainter here about the increasing cost of complexity (more
complex solutions solve previous complexity problems)
https://www.youtube.com/watch?v=G0R09YzyuCI
And an old joke about the Space Shuttle dimensions and two horses' behinds
http://www.astrodigital.org/space/stshorse.html

I also understand that the Stealth Bomber is such a complex shape that it
can only be flown by software.

It seems like the risk of something going wrong is not a risk but a
certainty?


Unproven declarations about healthcare (Re: Ward, RISKS-31.13)

Paul Black <drpaule@gmail.com>
Mon, 25 Mar 2019 14:15:07 -0400
Mr. Ward made a number of statements about for-profit businesses working in
healthcare that sound quite reasonable. I ask, are there studies to support
them?

For instance, "... the more sick people there are (especially those that
need expensive treatments), the more profit there is to be made." For the
same premiums, insurance companies *far* prefer healthy clients to sick
ones.

"Managing symptoms is more profitable than curing a disease;" Really?
Perhaps Big Pharma makes little on cough medicine, but has a tidy margin on
treatments for TB.

"Expensive drugs are more profitable than, for example, recommending simple
changes to diet ..." Sadly, few Americans follow recommendations to change
their diet. Americans *will* take pills.

"... encouraging unhealthy habits is beneficial to a healthcare company."
My insurance company and the mailers I get from hospitals and doctors all
encourage me to have healthy habits.

"... it's a good business practice to test for everything ..." Much
over-testing is a reaction to massive litigation in the U.S. Doctors and
hospitals may be sued for millions if they ever fail to test for some rare
disease.

Government-run medicine is no panacea. The U.S. federal government has been
incredibly wasteful and has not always picked winners, for instance, the
Tuskegee Syphilis Study and the Enron scandal.


Re: Is curing patients, a sustainable business model? (Ward, R-31.13)

Toby Douglass <risks@winterflaw.net>
Sat, 23 Mar 2019 14:22:08 +0200
 > When healthcare is a business, the more sick people there are
 > (especially those that need expensive treatments), the more profit
 > there is to be made. This has many bad consequences:

Not directly and not in and of itself.

In all things, there are factors which encourage, and there are factors
which discourage, and in the end, you get what you get.

I may be wrong, but I concur with the above description as *a* factor.

There are however *more* factors - a primary factor being competition: for
example, if a single entity offers cure, rather than symptom management,
they clean up the market, and no sane person will prefer a provider with
endless tests and symptom management over a few tests and a cure.

The extent to which competition is removed from the market, which can happen
through many means, such as absence of information for making choices, or
through State regulation constraining choice of provider (as happens in the
USA, through tax relief on employer provided health care) or, by being heavy
and onerous regulation, preventing new entry to market and so defending a
few large, existing, entrenched entities, the more the unpleasantness
Mr. Ward describes becomes less discouraged.

 > Contrast this with universal healthcare and government-funded medical
 > research.  If you are allocated with a certain budget per person and
 > tasked with improving health you will have a very different set of
 > priorities.

The State obtains funding through taxation and creates a health care entity.
All patients -must- pay (taxation) and if the service is no good, there is
nowhere else for them to go, or, if private health care is permitted, they
must continue to pay anyway for State health care.

In all things there are factors which encourage, and factors which
discourage, and in the end, you get what you get : to be sure there will be
professionalism and human decency, both encouraging factors for positive
patient outcomes, but there will also be apathy, carelessness, inefficiency
and empire building, with no forces at work to remove them, for the really
profound encouraging factors, that the customer pays you and can go
somewhere else, are removed.  You then get what you get.

I may be wrong, but I think the great safety for normal, ordinary, powerless
people, is competition.  Safety lies in choice, which requires both the
freedom to buy as they wish and the freedom for there to *be* many different
providers to buy from.  Removal of one or both of these freedoms is an
encumbrance of serfdom.

Many evils come from ordinary people being constrained, such that they are
unable then to say "this is bloody awful, I'm leaving" and are instead
forced to endure.


The Newcastle RISKS SSL cert expired

Toby Douglass <risks@winterflaw.net>
Sat, 23 Mar 2019 00:28:24 +0200
https://catless.ncl.ac.uk/Risks/
Cert expired on 22 Mar, apparently.

  [NOW FIXED, TNX to Lindsay.  PGN]
