https://www.fda.gov/news-events/press-announcements/fda-warns-patients-and-health-care-providers-about-potential-cybersecurity-concerns-certain I wish more products were recalled for cybersecurity vulnerabilities. "The potential risks are related to the wireless communication between Medtronic's MiniMed insulin pumps and other devices such as blood glucose meters, continuous glucose monitoring systems, the remote controller and CareLink USB device used with these pumps. The FDA is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump's settings. This could allow a person to over deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis (a buildup of acids in the blood)... "Medtronic is unable to adequately update the MiniMed 508 and Paradigm insulin pumps with any software or patch to address the devices' vulnerabilities... "The FDA, an agency within the U.S. Department of Health and Human Services, protects the public health by assuring the safety, effectiveness, and security of... medical devices. The agency also is responsible for the safety and security of our nation's food supply, cosmetics, dietary supplements, products that give off electronic radiation" [Gabe Goldberg noted Hackable Insulin Pumps https://securityboulevard.com/2019/07/more-medtronic-hack-malarkey-this-time-its-insulin-pumps/ PGN]
Sean Broderick, *Aviation Week*, 26 Jun 2019 https://aviationweek.com/penton_ur/nojs/user/register?path=node/1963138&nid=1963138&source=email See also https://www.bbc.com/news/business-48752932
https://www.nytimes.com/2019/06/27/opinion/census-question-supreme-court.html *The New York Times*, Editorial Board, 27 Jun 2019 The Supreme Court noted a disconnect between the Trump administration's stated reason for including a citizenship question on the census form and the actual rationale for doing so. In a win for good government, the Supreme Court on Thursday refused to give its full imprimatur to the Trump administration's irresponsible decision to add a citizenship question to the 2020 census form. [...]
Chris Hamby, *The New York Times*, 5 Jul 2019 [PGN-ed] https://www.nytimes.com/2019/07/03/us/2020-census-digital.html The Census Bureau had turned to Amazon Web Services for computing power and digital storage, but discovered that access credentials had been "lost" -- potentially allowing completely uncontrolled access. That vulnerability has now purportedly been fixed, but risks seem to remain. “If you wanted to provoke fears among the population as to how the census data could be used, the American population is fertile ground right now for conspiracy theories and manipulation.'' Nathaniel Persily, Stanford Law School professor.
[via Dave Farber] 4 Jul 2019 An AI fake text generator that can write paragraphs in a style based on just a sentence has raised concerns about its potential to spread false information https://www.theguardian.com/technology/2019/jul/04/ai-fake-text-gpt-2-concerns-false-information Earlier this month, an unexceptional thread appeared on Reddit announcing that there is a new way “to cook egg white[s] without a frying pan''. As so often happens on this website, which calls itself “the front page of the internet'', this seemingly banal comment inspired a slew of responses. “I've never heard of people frying eggs without a frying pan,'' one incredulous Redditor replied. “I'm gonna try this,'' added another. One particularly enthusiastic commenter even offered to look up the scientific literature on the history of cooking egg whites without a frying pan. Every day, millions of these unremarkable conversations unfold on Reddit, spanning from cooking techniques to geopolitics in the Western Sahara to birds with arms. But what made this conversation about egg whites noteworthy is that it was not taking place among people, but artificial intelligence (AI) bots. The egg whites thread is just one in a growing archive of conversations on a subreddit—a Reddit forum dedicated to a specific topic—that is made up entirely of bots trained to emulate the style of human Reddit contributors. This simulated forum was created by a Reddit user called disumbrationist using a tool called GPT-2, a machine learning language generator that was unveiled in February by OpenAI, one of the world's leading AI labs. Jack Clark, policy director at OpenAI, told me that chief among these concerns is how the tool might be used to spread false or misleading information at scale.
In a recent testimony given at a House intelligence committee hearing about the threat of AI-generated fake media, Clark said he foresees fake text being used “for the production of [literal] `fake news', or to potentially impersonate people who had produced a lot of text online, or simply to generate troll-grade propaganda for social networks''. GPT-2 is an example of a technique called language modeling, which involves training an algorithm to predict the next most likely word in a sentence. While previous language models have struggled to generate coherent longform text, the combination of more raw data—GPT-2 was trained on 8m online articles—and better algorithms has made this model the most robust yet. It essentially works like Google auto-complete or predictive text for messaging. But instead of simply offering one-word suggestions, if you prompt GPT-2 with a sentence, it can generate entire paragraphs of language in that style. For example, if you feed the system a line from Shakespeare, it generates a Shakespeare-like response. If you prompt it with a news headline, it will generate text that almost looks like a news article. Alec Radford, a researcher at OpenAI, told me that he also sees the success of GPT-2 as a step towards more fluent communication between humans and machines in general. He says the intended purpose of the system is to give computers greater mastery of natural language, which may improve tasks like speech recognition, which is used by the likes of Siri and Alexa to understand your commands; and machine translation, which is used to power Google Translate. But as GPT-2 spreads online and is appropriated by more people like disumbrationist—amateur makers who are using the tool to create everything from Reddit threads, to short stories and poems, to restaurant reviews—the team at OpenAI are also grappling with how their powerful tool might flood the internet with fake text, making it harder to know the origins of anything we read online. 
Clark and the team at OpenAI take this threat so seriously that when they unveiled GPT-2 in February this year, they released a blogpost alongside it stating that they weren't releasing the full version of the tool due to “concerns about malicious applications''. (They have since released a larger version of the model, which is being used to create the fake Reddit threads, poems and so on.)
A new wave of spamming attacks on a core component of PGP's ecosystem has highlighted a fundamental weakness in the whole ecosystem. https://www.vice.com/en_us/article/8xzj45/someone-is-spamming-and-breaking-a-core-component-of-pgps-ecosystem
Catalin Cimpanu for Zero Day (Jul 4 2019) https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/ Hackers exploited 7-Eleven's poorly designed password reset function to hijack 900 customers' 7pay app accounts and make unwanted charges (the equivalent of $.5M) in their names. The incident was caused by an appalling security lapse in the design of the company's 7pay mobile payment app, which 7-Eleven Japan launched in the country on Monday, July 1. However, in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for other people's accounts, but have the password reset link sent to their own email address, instead of the legitimate account owner's. A hacker only needed to know a 7pay user's email address, date of birth, and phone number. An additional field in the password reset section allowed the hacker to request that the password reset link be sent to a third-party email address (under the hacker's control), with no need to dig through the app's code or tamper with HTTP requests, like most of these hacks involve. Furthermore, if the user didn't enter their date of birth, the app would use a default of January 1, 2019, making some attacks even easier, according to a report in Yahoo Japan.
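The two design defects the article describes (a caller-chosen delivery address for the reset link, and a blank date of birth silently compared against a default) are easy to see side by side in code. The following is an added example, not 7pay's code or anything from the article; the account store, addresses and dates are constructed, and the hardened handler sends the link only to the address on record and treats a missing date of birth as a non-match.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample account store; not real 7pay data.
ACCOUNTS = {
    "alice@example.com": {"dob": "1990-05-17", "phone": "090-0000-0001"},
    "bob@example.com":   {"dob": "",           "phone": "090-0000-0002"},  # never entered a DOB
}

DEFAULT_DOB = "2019-01-01"  # the fallback value the article reports


@dataclass
class ResetOutcome:
    sent_to: Optional[str]  # where the reset link was mailed; None if nothing was sent
    token: Optional[str]


def request_reset_vulnerable(email, dob, phone, notify_email=None):
    """Models the flawed design: identity is checked on email/DOB/phone, but the
    link is mailed to a caller-supplied address, and a blank DOB on either side
    is replaced by DEFAULT_DOB before comparison."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return ResetOutcome(None, None)
    if (acct["dob"] or DEFAULT_DOB) != (dob or DEFAULT_DOB) or acct["phone"] != phone:
        return ResetOutcome(None, None)
    token = secrets.token_urlsafe(32)
    # Defect: the destination is whatever the request asked for.
    return ResetOutcome(notify_email or email, token)


def request_reset_hardened(email, dob, phone, notify_email=None):
    """Link goes only to the address on record; notify_email is ignored.
    A missing DOB (stored or supplied) never matches, comparisons are
    constant-time, and every failure returns the same shape so the HTTP
    layer can answer with one generic message for unknown and mismatched
    accounts alike."""
    acct = ACCOUNTS.get(email)
    if acct is None or not acct["dob"] or not dob:
        return ResetOutcome(None, None)
    if not (secrets.compare_digest(acct["dob"], dob)
            and secrets.compare_digest(acct["phone"], phone)):
        return ResetOutcome(None, None)
    token = secrets.token_urlsafe(32)
    return ResetOutcome(email, token)
```

In the vulnerable handler a request for bob@example.com succeeds with either an empty date of birth or "2019-01-01", and the link lands wherever notify_email points; the hardened handler refuses both and only ever mails the account's own address.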
Denver drivers followed Google's detour down a dirt road A crash on the main road to Denver's airport led to hour-long delays this week. When Google Maps offered a quick detour, nearly a hundred drivers were led into trouble. https://www.bbc.com/news/av/world-us-canada-48779516/denver-drivers-followed-google-s-detour-down-a-dirt-road
Lily Hay Newman, WiReD, 27 Jun 2019 via ACM TechNews; Friday, June 28, 2019 Researchers at threat intelligence company Mimecast have found that a feature in Microsoft's Excel spreadsheet program can be exploited to orchestrate Office 365 system hacks. Excel's Power Query permits the combination of data from various sources via a spreadsheet, which can be manipulated to connect to a malicious Webpage hosting malware. Said Mimecast's Meni Farjon, "The exploit will work in all the versions of Excel as well as new versions, and will probably work across all operating systems, programming languages, and sub-versions, because it's based on a legitimate feature." Farjon thinks a Power Query connection to a malicious site could enable attacks similar to a Dynamic Data Exchange exploit. Meanwhile, Microsoft's security intelligence warns of another Excel hack, which uses malicious macros to compromise Windows systems, even with the newest security updates.
https://www.forbes.com/sites/gordonkelly/2019/06/29/microsoft-windows-10-upgrade-registry-warning-upgrade-windows/#6f92a9b971ef https://www.extremetech.com/computing/294290-microsoft-kills-automatic-registry-backups-in-windows-10
An internal Cloudflare problem caused websites to fall, bringing some parts of the Internet to a crawl. ... How could this simple mistake cause so many problems? Cloudflare operates an extremely popular content delivery network (CDN). When it works right, its services protect website owners from peak loads, comment spam attacks, and Distributed Denial of Service (DDoS) attacks. When it doesn't work right, well, we get problems like this one. https://www.zdnet.com/article/cloudflare-stutters-and-the-internet-stumbles/
Over the past 25 years, email has woven itself into the daily fabric of life. Our inboxes contain everything from very personal letters, to work correspondence, to unsolicited inbound sales pitches. In many ways, they are an extension of our homes: private places where we are free to deal with what life throws at us in whatever way we see fit. Have an inbox zero policy? That's up to you. Let your inbox build into the thousands and only deal with what you can stay on top of? That's your business too. It is disappointing then that one of the most hyped new email clients, Superhuman, has decided to embed hidden tracking pixels inside of the emails its customers send out. Superhuman calls this feature Read Receipts consent of its recipients, so you have most likely been conditioned to believe it's a simple [text garbled] https://mikeindustries.com/blog/archive/2019/06/superhuman-is-spying-on-you ...FAR too long for the simple point: it's secretly monitoring recipients' behavior/locations.
A new feature in the latest iOS 13 beta makes users appear as if they're looking directly at the camera to make eye contact during FaceTime calls, when actually they're looking away from the camera at the image of the other person on their screen. https://www.macrumors.com/2019/07/03/ios-13-beta-has-facetime-attention-correction/ ...what else can this "feature" do?
The malware downloads a tourist's text messages, calendar entries, and phone logs, as well as scans the device for over 70,000 different files. https://www.vice.com/amp/en_us/article/7xgame/at-chinese-border-tourists-forced-to-install-a-text-stealing-piece-of-malware
EXCERPT: It appears other countries besides China are heading toward a bleak dystopian future where a human being is scored by their online activities. Only this time, it's a tech company and not a government implementing the social credit score. While not as bleak as China's social credit system, today Line, Japan's dominant social media company, introduced a slew of new products—the most alarming among them, Line Score, reports the *Verge* https://www.theverge.com/2019/6/27/18760928/line-conference-2019-score-sticker-vision-mini-app-tokyo?utm_campaign=theverge&utm_content=chorus&utm_medium=social&utm_source=twitter Line Score will use AI to give a social credit score to Line users. The strength of their social credit score will allow them to get access to better special deals and offers that Line users with lower social credit scores will not have access to. While the new product is unnerving, it's not completely out of character for Line. Recently the company has been positioning itself as a fintech provider, and its Line Pay digital wallet system is wildly popular in Japan. Line Pay also allows users to shop for insurance and allows them to invest in personal portfolios. Line Score builds on top of Line Pay by offering those with higher scores better perks. However, before George Orwell rolls over in his grave, it's important to note that Line stresses Line Score is opt-in only and that the company will never share a user's Line Score with third parties without the user's permission and it will not read a user's online chats to determine their Line Score. Still, it's unnerving that tech companies seem to think that social credit ratings are the next big thing for now. Hopefully, this is a trend that will not catch on. https://www.fastcompany.com/90370203/line-just-went-orwellian-on-japanese-users-with-its-social-credit-scoring-system
Google's operating system manages access to your personal information. But what happens when apps refuse to play by the rules? https://www.fastcompany.com/90372033/these-are-the-sneaky-new-ways-that-android-apps-are-tracking-you
Not sure if this is relevant here, but one example which comes to mind is just around the corner from my house. There's a crossroads where a main road and residential street meet. At each side of the junction, the main road is divided into three lanes: left-hand lane (this is in drive-on-left Britain) is for turning left or driving straight on, with traffic lights on the left-hand side of the road; middle lane is for turning right, with a traffic light on the right-hand side of the road; and the right-hand lane is for traffic coming in the opposite direction. Drivers unfamiliar with the area are occasionally confused by separate traffic lights on each side of the road, so presumably autonomous vehicles may also have the same problem unless they can distinguish the small green arrows indicating the permitted direction. A possible additional complication is the red and green pushbutton-controlled lights for pedestrians and cyclists mounted on the traffic light posts at shoulder height. Personally I feel that the simplest solution would be to have some sort of radio/wi-fi signal for autonomous vehicles (and maybe to conventional vehicles with driver-information systems) giving them an unambiguous warning of the traffic light indication ("OK for northbound-to-westbound turns, stop otherwise") rather than expecting them to figure out visual signs intended only for humans, but then that would mean special provision for them..?
[Richard Thieme, a long-time friend, invites interested parties to review small pieces of his novel in progress as it comes off the line, offering suggestions. He's been around this `space' for a long time, not as long as I have, but at least a quarter century. I believe he has friends who may have worked in hidden places, but I don't believe he actually did. On the other hand, creative fiction sometimes bears a remarkable resemblance to reality. If you are interested, e-mail him at rthieme@thiemeworks.com, or check him out at www.thiemeworks.com. PGN] Mobius: A Memoir by Richard Thieme A Note from the Author All CIA officers, as a condition of employment, sign the standard CIA secrecy agreement when entering on duty. This agreement requires submission of all written and spoken material to the Publications Review Board for approval. The absence of such submission in this instance indicates clearly that while some of the allusions in this memoir are to that agency, some are to other agencies, and some are to fictional agencies. That mashup is intentional. The account has been fictionalized to (1) avoid publication review which can drag on for years and (2) protect identities, sources and methods. This memoir is accordingly like a reflection in a fun-house mirror: recognizable but distorted, unlike agency-redacted materials which are distorted but unrecognizable. That said, the following holds true: While the author told the least untruthful things he could say about his work, this memoir is a work of fiction. Names of characters, places, and incidents are either the product of the author's imagination or are used fictitiously. Any resemblance to actual persons, living or dead, or to locales is entirely coincidental. In addition, the names of the author's colleagues have been changed to protect their identities. In particular, `Penny' does not refer to a specific person but is a conflation of a number of relationships the author had over several decades. 
That accounts for seeming contradictions and omissions. The author is grateful to all of his colleagues who contributed to this memoir. He must single out `Jamison' who willingly provided details of how he was taught to torture prisoners and to one physician in particular, referred to as `Brooks', who acknowledged that his monitoring of torture, learning from same, and bringing those hard-won lessons to the next session, might in fact constitute violations of international law dating back to Nuremberg and account for our withdrawal from the proceedings of the International Criminal Court lest the law be applied equally to all. Special thanks to Fatou Bensouda (not his real name, because it can't be, right?) for his insights in this matter. The incidents in this memoir took place over half a century in two dozen countries. The author's long-term memories are crisp despite his advanced age. His sleep continues to be disturbed by some of the reported incidents and his `partner' frequently shakes him awake when he cries out during nightmares. (It is a false rumor that he has sixteen flashlights in strategic locations in his home. He has only two and both are in bedside drawers). Richard Thieme