The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 56

Tuesday 4 February 2020

Contents

Iowa's Tally-by-App Experiment Fails
WSJ
Risks in the Iowa Tally fiasco
Sundry
Live frogs
Flyer Talk
Computers threaten saffron harvest
Eric Sosman
No smoke, no water, no waste. VR could train the next generation of firefighters
cnn.com
Artificial intelligence-created medicine to be used on humans for first time
bbc.com
Why asking an AI to explain itself can make things worse
MIT Tech Review
AI License Plate Readers Are Cheaper: Drive Carefully
WiReD
No more Punxsutawney Phil: It's long overdue for an AI groundhog instead, PETA says.
The Washington Post
Android Users Beware: this dangerous menace is already hiding on 43 million phones
Forbes
Why Google Backtracked on Its New Search Results Look
NYTimes
Regis University's cyberattack was “a crisis of the highest order, But investigators couldn't trace its origin
Denver Post
An artist wheeled 99 smartphones around in a wagon to create fake traffic jams on Google Maps
Business Insider
Very strange, still receiving security patches/updates for Windows 7 systems
Gabe Goldberg
Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable
Security Ledger
The Fractured Future of Browser Privacy
WiReD
NYTimes: How Chaos at Chain Pharmacies Is Putting Patients at Risk
NYTimes
IKEA Promises New Data Controls for Consumers
WSJ
Facebook shows you how it stalks you. Here are the privacy settings to change.
WashPost
Re: Boeing 737s can't land facing west
R. G. Newbury
Re: Should Automakers Be Responsible for Accidents?
John Levine
Re: Election Security At The Chip Level
John Levine
Gabe Goldberg
Info on RISKS (comp.risks)

Iowa's Tally-by-App Experiment Fails (WSJ)

Monty Solomon <monty@roscom.com>
Tue, 4 Feb 2020 12:27:23 -0500
https://www.wsj.com/articles/iowa-caucus-results-delayed-by-apparent-app-issue-11580801699


Risks in the Iowa Tally fiasco (Sundry)

"Peter G. Neumann" <peter.neumann@sri.com>
Tue, 4 Feb 2020 13:38:15 -0800
https://go.ind.media/webmail/546932/550762215/0ed6efde19172f984587fb6624e=
4e481dc208bc0a3090465ab7fedfcc3c2b280=20

Shadow Inc reportedly sent out the caucus reporting app via TestFairy, which
seemingly could enable lots of intruders to interpose themselves.

https://docs.testfairy.com/Testers/How_to_test_Android_apps.html
https://www.vice.com/en_us/article/y3m33x/heres-the-shadow-inc-app-that-failed-in-iowa-last-night

  [However, officials were quick to state that this was a "code error", not
  a hacking episode.  Nevertheless, the entire system seems rather flaky, as
  do most of the other approaches to ensuring voting integrity.  PGN]


Live frogs (Flyer Talk)

"Wendy M. Grossman" <wendyg@pelicancrossing.net>
Sat, 1 Feb 2020 12:38:47 +0000
Here's a risk you won't have solved in the 1960s on Multics. From the
FlyerTalk American Airlines forum:

https://www.flyertalk.com/forum/american-airlines-aadvantage/2006995-delayed-due-live-frogs.html

>> Delayed due to... live frogs

Yep you read that correctly, live frogs. On 2559 yesterday from DFW>DTW, we
were delayed a few minutes at the gate in DFW due to a load of live
frogs. According to the captain (who made two very nice, detailed
announcements about it), there was a load of live frogs in the aft cargo
hold and the computer just didn't like it and either wouldn't allow them
there or it couldn't compute them being there. So thankfully instead of
keeping us delayed, they offloaded them for a later flight.

The funniest part was that after we landed, and on the looooong taxi at DTW
to the gate, I heard what sounded like frogs. It was probably just somebody
still asleep and snoring intermittently, but part of me wonders if there was
a load in the forward hold that did get to travel.

Just might be the funniest delay I've encountered.>>


Computers threaten saffron harvest

Eric Sosman <esosman@comcast.net>
Tue, 4 Feb 2020 13:55:29 -0500
Over-reliance on technology may doom the United States' latest attempt to
produce saffron in commercially significant quantities. The spice comes from
the /crocus sativus/ flower, grown primarily in a region stretching from
Spain to Kashmir. From (admittedly fragmentary) reports it appears American
farmers and entrepreneurs have been using computer- aided methods to attempt
to grow this crocus in the American Midwest, perhaps for fear of (or in
hopes of) higher tariffs against the import of foreign saffron.
Unfortunately, the effort has run into a snag: computer malfunctions are
said to have messed up the Iowa crocuses.


No smoke, no water, no waste. VR could train the next generation of firefighters (cnn.com)

Richard Stein <rmstein@ieee.org>
Wed, 29 Jan 2020 16:02:10 -0800
https://www.cnn.com/2020/01/29/tech/virtual-reality-firefighter-training/index.html

Conserving material resources during training, via computer simulation, is
an environmental gain, but can a simulator prepare superior fire-fighter
capability for deployment during a city-wide conflagration, or during a
catastrophic forest fire?

The essay describes mechanical fire-hose force feedback as a simulator
feature. The simulation effectively renders smoke, flame, foam application,
and other combustion effects. A thermal suit heats up the trainee when
approaching a simulated flame wall. Is the simulation fidelity sufficiently
meritorious to fully abandon hands-on training and fire suppression
equipment deployment?

I wonder if the simulator can train a firefighter how to use a PyroLance
(http://money.cnn.com/2018/02/05/technology/business/pyrolance-firefighting-gun/index.html)?

Risk: VR training supplement versus traditional hands-on person-in-the-loop
firefighter qualification effectiveness.


Artificial intelligence-created medicine to be used on humans for first time (bbc.com)

Richard Stein <rmstein@ieee.org>
Thu, 30 Jan 2020 20:10:57 -0800
https://www.bbc.com/news/technology-51315462

Historically, there's 1000 to 1 odds against a candidate drug succeeding in
the marketplace. See
http://blogs.einstein.yu.edu/the-high-cost-of-and-uncertain-path-to-a-blockbuster-drug/.

"Typically, drug development takes about five years to get to trial, but the
AI drug took just 12 months.

"Exscienta chief executive Prof Andrew Hopkins described it as a 'key
milestone in drug discovery.'"

That AI drug design is applied to accelerate synthesis may improve these
odds. It would appear to reduce the human effort expended for development.

Whether or not patient outcome benefit materializes is to be shown (or not)
by clinical studies, and hopefully, a double-blind clinical study BEFORE
final regulatory approval is granted.


Why asking an AI to explain itself can make things worse (MIT Tech Review)

geoff goodfellow <geoff@iconia.com>
February 3, 2020 4:06:02 JST
Creating neural networks that are more transparent can lead us to over-trust
them. The solution might be to change how they explain themselves.

Upol Ehsan once took a test ride in an Uber self-driving car
<https://www.technologyreview.com/smart-cities/self-driving-cars/>. Instead
of fretting about the empty driver's seat, anxious passengers were
encouraged to watch a *pacifier* screen that showed a car's-eye view of the
road: hazards picked out in orange and red, safe zones in cool blue.

For Ehsan, who studies the way humans interact with AI at the Georgia
Institute of Technology in Atlanta, the intended message was clear: “Don't
get freaked out—this is why the car is doing what it's doing.''  But
something about the alien-looking street scene highlighted the strangeness
of the experience rather than reassuring. It got Ehsan thinking: what if the
self-driving car could really explain itself?

The success of deep learning
<https://www.technologyreview.com/g/deep-learning/> is due to tinkering:
the best neural networks are tweaked and adapted to make better ones, and
practical results have outpaced theoretical understanding. As a result, the
details of how a trained model works are typically unknown. We have come to
think of them as black boxes
<https://www.technologyreview.com/s/613440/ai-researchers-want-to-study-ai-the-same-way-social-scientists-study-humans/>
.

A lot of the time we're okay with that when it comes to things like playing
Go or translating text or picking the next Netflix show to binge on. But if
AI is to be used to help make decisions in law enforcement, medical
diagnosis, and driverless cars, then we need to understand how it reaches
those decisions—and know when they are wrong.

People need the power to disagree with or reject an automated decision, says
Iris Howley <http://www.cs.williams.edu/~iris/>, a computer scientist at
Williams College in Williamstown, Massachusetts. Without this, people will
push back against the technology.  “You can see this playing out right now
with the public response to facial recognition systems,'' she says.

Ehsan is part of a small but growing group of researchers trying to make AIs
better at explaining themselves, to help us look inside the black box.  The
aim of so-called interpretable or explainable AI (XAI) is to help people
understand what features in the data a neural network is actually learning
-- and thus whether the resulting model is accurate and unbiased.  [...]

https://www.techtelegraph.co.uk/why-asking-an-ai-to-explain-itself-can-make-things-worse/
https://www.technologyreview.com/s/615110/why-asking-an-ai-to-explain-itself-can-make-things-worse/


AI License Plate Readers Are Cheaper: Drive Carefully (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 1 Feb 2020 00:43:26 -0500
https://www.wired.com/story/ai-license-plate-readers-cheaper-drive-carefully/


No more Punxsutawney Phil: It's long overdue for an AI groundhog instead, PETA says. (The Washington Post)

Richard Stein <rmstein@ieee.org>
Thu, 30 Jan 2020 09:08:25 -0800
https://www.washingtonpost.com/nation/2020/01/29/groundhog-peta-punxsutawney/

PETA has a point: Groundhogs hibernate during Winter; that's what ectotherms
do.

But Phil's celebrity status commands performance: he must also visit school
children during the Winter, pose for magazine covers (Rat Mag, Rodent of The
Year). He's part of a mandatory PR campaign that sustains Punxsutawney, PA
tourism foot traffic.

But simulate Punxsutawney Phil with artificial intelligence to determine if
Winter will extend by another 6 week? AI is overkill for this purpose.

Why not employ a Magic 8-ball or a coin-toss to prognosticate an extended
winter? Granted, these choices lack glamor; they are not newsworthy, but
they are likely as accurate as the appearance (or not) of Phil's shadow.


Android Users Beware: this dangerous menace is already hiding on 43 million phones (Forbes)

the keyboard of geoff goodfellow <geoff@iconia.com>
Wed, 29 Jan 2020 13:06:10 -1000
“This shows how hard it is for users to stay safe'', the CEO of mobile
security firm Upstream warns. The company is about to publish a report into
the Android threat landscape. The data is staggering.  The company has
unearthed 98,000 malicious apps, which have infected 43 million devices. The
worst five apps, Dimitris Maniatis tells me, have been downloaded 700
million times, “this shows the scale of the issue.''
<https://www.secure-d.io/mobileadfraud2019report/>

*And that risk is accelerating. That number of malicious apps is up 50% in
the last year, and shows every sign of spiraling out of control.*

This can now be viewed as an endemic problem with mobile apps downloaded
from Google's Play Store—despite Google Protect and the App Defense
Alliance, Some 50% of the bad apps exposed by Upstream *were or are*, in the
official Play Store. Countless stories have been written about the hundreds
of malicious apps with hundreds of millions of installs. The key question is
what is the scale of the issue?
<https://www.forbes.com/sites/zakdoffman/2019/11/10/google-confirms-play-store-security-threat-heres-the-fixbut-does-it-make-you-safer/#7557b2514337>.

Upstream has collated the data from its Secure-D security platform, data
collected by 31 different network operators across 20 different countries,
data representing the devices 0f almost 700 million different users.

In its report <https://www.secure-d.io/mobileadfraud2019report/>, Upstream
explains the methods by which users are enticed to install malicious malware
and then grant a raft of permissions that goes way beyond what is required
for the app's claimed purpose. That malware then communicates with
its controllers, seeking instructions and content to operate. The apps are
designed to remain hidden, not arousing suspicion, avoiding an uninstall.

The primary issue with mobile malware is advertising or click fraud.
Trivial apps that pull unwanted ads onto devices to run in the background or
as a foreground nuisance. For advertisers, this results in millions of
dollars of fraudulent charges. For users, the issue is degraded performance,
drained batteries and huge data bills. There is also the issue that such
apps can lead to devices being infected with more dangerous malware. [...]

https://www.forbes.com/sites/zakdoffman/2020/01/29/android-users-beware-this-dangerous-menace-is-already-hiding-on-43-million-phones/


Why Google Backtracked on Its New Search Results Look (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 1 Feb 2020 19:52:51 -0500
The Internet giant, which some lawmakers and regulators say has grown too
powerful, tweaked the way it displayed ads on search results. It did not go
over well.

https://www.nytimes.com/2020/01/31/technology/google-search-results.html


Regis University's cyberattack was “a crisis of the highest order, But investigators couldn't trace its origin (Denver Post)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 28 Jan 2020 19:39:45 -0700
  [Follow-up to RISKS-31.39 (29 August 2019)]

Elizabeth Hernandez, *The Denver Post*, 28 Jan 2020

  Information-technology experts from across Colorado convened at Regis
  University on Tuesday to learn never-before-shared details about last
  year's crippling cyberattack—an experience the private Jesuit college's
  chief information officer called "a crisis of the highest order."

  A few new details revealed during the presentation:

  * Federal and third-party investigators were unable to determine a root
    cause of the attack, meaning it's unclear how the attack originated

  * The hacker—determined to be from outside the country—attacked
    Regis's backups first

  * When faced with the decision to rebuild the IT system or repair it,
    officials decided to rebuild and update

https://www.denverpost.com/2020/01/28/regis-university-cyberattack-ransomware/


An artist wheeled 99 smartphones around in a wagon to create fake traffic jams on Google Maps (Business Insider)

Monty Solomon <monty@roscom.com>
Mon, 3 Feb 2020 16:44:05 -0500
https://www.businessinsider.com/google-maps-traffic-jam-99-smartphones-wagon-2020-2

  [Also noted: "Performance artist generates virtual traffic jams in Google
  Maps by pulling a wagon full of smartphones"

   "99 second hand smartphones are transported in a handcart to generate
   virtual traffic jam in Google Maps.  Through this activity, it is
   possible to turn a green street red which has an impact in the physical
   world by navigating cars on another route to avoid being stuck in
   traffic. " [...]

  #googlemapshacks
  http://www.simonweckert.com/googlemapshacks.html  via
  https://twitter.com/StevenJCrowley/status/1223977380794064897
  PGN]


Very strange, still receiving security patches/updates for Windows 7 systems

Gabe Goldberg <gabe@gabegold.com>
Wed, 29 Jan 2020 15:57:14 -0500
One Windows 7 Ultimate system, one Windows Professional, have Windows
Security Essentials being updated daily. Was Microsoft kidding about no
updates after January 14? Or did I get the year wrong? (No, I didn't).
Plus, the Win 7 Ultimate system got Pop-Up of Doom on January 14. But
updates keep rolling along. No, I didn't jump through the hoops to purchase
extended support and I didn't get a gift card saying that someone bought it
for me.

It'll be interesting seeing what happens next Patch Tuesday, but still this
is already puzzling.


Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable (Security Ledger)

Shawn Merdinger <shawnmer@gmail.com>
Tue, 28 Jan 2020 19:38:30 -0500
https://securityledger.com/2020/01/seven-years-later-scores-of-eas-systems-sit-un-patched-vulnerable/


The Fractured Future of Browser Privacy (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 1 Feb 2020 00:24:11 -0500
https://www.wired.com/story/chrome-firefox-edge-browser-privacy/


NYTimes: How Chaos at Chain Pharmacies Is Putting Patients at Risk (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Sat, 1 Feb 2020 16:32:03 -0500
https://www.nytimes.com/2020/01/31/health/pharmacists-medication-errors.html


IKEA Promises New Data Controls for Consumers (WSJ)

Monty Solomon <monty@roscom.com>
Mon, 3 Feb 2020 09:52:36 -0500
https://www.wsj.com/articles/ikea-promises-new-data-controls-for-consumers-11580383800


Facebook shows you how it stalks you. Here are the privacy settings to change. (WashPost)

Monty Solomon <monty@roscom.com>
Sat, 1 Feb 2020 11:28:10 -0500
The new 'Off-Facebook Activity' tool, available around the world Tuesday,
reminds us we're living in a reality TV program where we forget the cameras
are always on. Here are the privacy settings to change right now.

https://www.washingtonpost.com/technology/2020/01/28/off-facebook-activity-page/


Re: Boeing 737s can't land facing west (RISKS-31.54)

"R. G. Newbury" <newbury@mandamus.org>
Mon, 3 Feb 2020 22:29:39 -0500
As a first guess, I would suspect that somewhere in the code, there is a
conversion from polar to rectangular reference frames (or vice versa) and
X=r * cos(theta) with theta=270 give zero and either a 'NAN' or divide by
zero error crashes the program.

You would need that sort of calculation to find the rhumb and distance,
knowing the lat/long of the present and destination positions. 'X' is the
Difference of Latitude in miles (Y is the Departure).

Using GPS you know the present and destination positions, but the pilot
wants to know 'how far' and 'what direction'. The calculations will be done
using true and then, if desired, corrected to magnetic bearings.

  [John Stockton noted:
    Tangent of 270 degrees (and of 90 degrees) is numerically dangerous, each
    being, so to speak, +- infinity.
  Perhaps, to the accuracy of the arithmetic, those 7 runways are EXACTLY 270
  degrees true, and others are only *nearly* 270 degrees true.]

  [PGN noted that this should remind some of us old-timers of the joke about
  the plane that crashed because all the Poles in the Left Half (of the)
  Plane.  PGN]


Re: Should Automakers Be Responsible for Accidents?

"John Levine" <johnl@iecc.com>
4 Feb 2020 17:07:51 -0500
> Automaker enterprise liability would have useful incentives that driver
> liability law misses.
> https://www.cato.org/sites/cato.org/files/serials/files/regulation/2019/3/regulation-v42n1-1.pdf

I can hardly wait:

  "Sorry, sir, you've had three moving violations so we'll have to ask
  you to leave the showroom now."


Re: Election Security At The Chip Level (SemiEngineering via Goldberg, RISKS-31.54)

"John Levine" <johnl@iecc.com>
4 Feb 2020 17:15:43 -0500
The comments on this article are much better than the article.  They say
that voting electronically is a well known bad idea, so stop.

Elections have a unique security model: You need a reliable list of who
voted, you need a reliable list of who or what they voted for, and you need
to be confident there's no way to link those two lists.  Nothing else works
that way.

That's why even though voting machines may look like ATMs, an ATM is a
dreadful model to use since with ATMs, the bank has full knowledge of all of
the details of every transaction, e.g., when you were there, who you are,
what you did, how much money it dispensed, all linked together.

As has been pointed out too many times, paper ballots dropped into a box,
along with observers to ensure that only people on the voter list got to
vote, satisfy the model quite well.  If you want to have machines scan and
count the ballots, that's fine, but the paper ballots are the actual record.


Re: Election Security At The Chip Level (RISKS-31.54)

Gabe Goldberg <gabe@gabegold.com>
Tue, 4 Feb 2020 17:27:21 -0500
ATMs—maybe only one "advantage": they have your PICTURE, proving
identity, thanks to ubiquitous security camera. Of course, voter ID laws
head in that direction introducing another gaggle of problems while solving
a non-problem.

Please report problems with the web pages to the maintainer

Top