Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Tom Krisher, SFChronicle.com (which as usual ignores the existence of the Science Fiction Chronicle), front page of the Chron's Business Report, 21 Mar 2020, PGN-ed
As we have noted in many cases (including Deepwater Horizon RISKS-29.49, the Boeing 737 Max, and many others), attempts to place blame are often frustrated by reality: blame may be widely distributed.
The cited article by Tom Krisher notes the National Transportation Safety Board (NTSB) report released on 19 Mar 2020 on the Tesla crash on 1 March 2019 in Delray Beach, Florida. The Tesla was under Autopilot driving at 69 mph when the Autopilot neither braked or otherwise attempted to avoid a tractor-trailer that crossed in its path.
The report noted that all of the following factors were relevant:
A statement for the NTSB chairman Robert Sumwalt noted this was the “third fatal vehicle crash we have investigated where a driver's overreliance on Tesla's Autopilot and the operational design of the Tesla's Autopilot have led to tragic consequences.”
Krisher notes that the Delray Beach crash was remarkably similar to one in Williston FL in 2016, which also killed the driver of a Tesla.
The car is becoming a sentry, a chaperone, and a snitch.
My parked car got gashed in a hit-and-run two weeks ago. I found a star witness: the car itself.
Like mine, your car might have cameras. At least one rearview camera has been required on new American cars since 2018. I drive a Tesla Model 3 that has eight lenses pointing in every direction, which it uses for backing up, parking and cruise control. A year ago, Tesla updated its software to also turn its cameras into a 360-degree video recorder. Even when the car is off.
<https://www.usatoday.com/story/money/cars/2018/05/02/backup-cameras/572079002/>
All those digital eyes captured my culprit — a swerving city bus — in remarkable detail. […]
Without Sentry Mode, I wouldn't have known what hit me. The city's response to my hit-and-run report was that it didn't even need my video file. Officials had evidence of their own: That bus had cameras running, too.
https://www.washingtonpost.com/technology/2020/02/27/tesla-sentry-mode/
When trust erosion and brand outrage clobbers a for-profit brand, either the marketplace settles the situation through corporate bankruptcy, or a remedy — a second chance, a mulligan—is applied to repair and restore business operations viability (aka profitability). NASA must reconcile a supplier dilemma with corporate ramifications that will significantly impact US space flight and strategic aerospace capabilities.
Boeing's software factory concealed issues that compromised the Starliner mission. NASA apparently did not detect pre-release system/software under-achievements or qualification shortcuts introduced to achieve scheduled milestones. Rigorous release qualification practices and subject matter expertise for the systems under test are mandatory prerequisites that both supplier and customer must possess. Unless expertise is mutually shared, one party may be unfairly exploited for profit or convenience.
Not certain what the Boeing/NASA RACI required (roles/responsibilities in terms of product engineering, test/measurement and review/sign-off), but someone should have pulled the 'showstopper' cord well before liftoff. That much is obvious from the Starliner mission record.
A key enabler to promote product life cycle defect escape suppression is esprit de corps. Within Boeing, this intangible appears to have been weakened. An organization needs participants that embody the “worst customer in the world, best friend a product can find” inside the walls of their factory to represent uncompromised customer interests.
Test engineers, especially, must embody this demeanor, and ethically abide to “do no harm” principles by reporting and escalating mission/life critical product deficiencies. These 'rara avises' enjoy breaking product. Finding and reporting what's broken, before release, fulfills a software editorial life cycle, a critical practice to achieve operational flight plan viability. A defect tracking platform that is policed jointly with the customer enables discussion and agreement on prioritized repairs. 'Release defect patrol' promotes informed consent.
The product life cycle, especially in aerospace, requires all participants (supplier/regulator/customer) to ethically and professionally practice without fear of reprisal. 'Tin ear' management that fails to weigh project triple constraints (cost, schedule, scope) with product safety and mission/objectives must be held accountable for negligent practice.
Transparency and review are necessary to remediate and repair Boeing's broken software factory. Aligning organizational objectives with mission deliverables, enforcing management accountability via disclosure and measurable achievement might yield fixed cost priorities. If the priorities are achieved in a timely fashion, a diminished aerospace brand might be salvaged.
https://www.politico.com/news/2020/03/07/airplanes-unsafe-cabin-fumes-123362
“Two years ago, the FAA warned in a safety alert that airlines and pilots should ensure their procedures and check-lists address what to do about odors and fumes on board and asked operators, manufacturers and regulators to boost efforts at prevention. But the FAA hasn't ordered manufacturers to actually change the way air on most planes gets funneled into the cabin, which pilots say can be fouled by engine oil intermixing with breathable air, due to the planes' design, combined with poor maintenance and faulty seals.”
Risk: Pilot blackout, breathing distress.
Charles K. Edwards and a former subordinate face a 16-count indictment in a scheme that prosecutors allege involved stolen government software and databases for resale.
A tiny backend bug at Let's Encrypt almost broke millions of websites. A five-day scramble ensured it didn't.
https://www.wired.com/story/lets-encrypt-internet-calamity-that-wasnt/
The crypto wars are back in full swing.
https://www.wired.com/story/earn-it-act-sneak-attack-on-encryption/
“Electric towels” were supposed to prevent the spread of contagious disease. What if they've been doing the opposite?
https://www.wired.com/story/wash-your-hands-but-beware-the-electric-hand-dryer/
https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/
Why America Will Suffer Greatly Under Covid-19:
the Broken Economics of Coronavirus
A perfect storm of flawed institutions
Black Cat
12 Mar 2020 6 min read
John Ohno is a co-author of this article.
A friend recently asked me: “what could be done better in America to stop coronavirus?” It was the kind of question that makes you pause for a good long while before answering—because it suggests that the person asking you has misunderstood you already. There is no single action that anyone could or would take to slow this down, because these are systematic problems.
This is going to be really bad. You should expect hospitals to get overwhelmed, which will turn nonlethal cases into lethal ones. You should expect international and national supply lines to be interrupted in some cases.
You should stockpile about a month's worth of non-perishable foods and medicine to treat the symptoms. Lentils, rice, vitamin supplements, Tylenol, and Pedialyte—these are the cheapest ways to do this. You should not be planning to avoid the disease—you should be planning as though you are going to get the disease. It may be a hungry and generally awful summer, but if you do not have complicating conditions, you will survive.
Here is why we will suffer terribly under this disease, even compared to other countries:
These are all political choices, not features of the virus. This virus will be worse here because it has been set up to be worse.
America does not have enough paid sick days, especially not for food service workers, and these people do not own their own homes or have other sources of basic subsistence—and so they will work when they are sick, because they have to. They cannot afford to be publicly-minded. They do not have the luxury of being nice.
And because they will work when they are sick, they will infect you. They will infect the food that you eat—stop eating out! Anywhere!—they will infect your packages, and so on. Even if you are oh-so-cautious, other people will not be. And they will be infected. More than that, people will work through their infections. And so more of these cases will become acute. Which will mean more long-term organ damage and more deaths.
Sick people will not get treatment, and so they will infect more people than they otherwise would have, and be more likely to die. Those that survive will in many cases be saddled with medical debt, weighing down any future economic recovery.
I really do not know what more to say about this. Even if you are wealthy and/or hate poor people, a bunch of people who are sick and can't afford treatment can get you sick—there are very clear reasons of self-interest for having a health-care system that takes care of everyone.
The American health system isn't.
This is worse than just the CDC avoiding testing people, to keep the official numbers low—though that is a great example of how bureaucratic incentives can kill. Most of the know outbreaks in the US seem to simply be places where local health authorities circumvented the CDC and did their own tests—it seems likely that there are many more outbreaks and many more cases in the US than it would appear on paper.
There are multiple federal-level bureaus and NGOs responsible for the country-wide picture, and they are not set-up to coordinate properly. There are 50 state-level bureaus, each of which will do different things, and none of them are allowed to close state borders without congressional approval. There are about 3000 county-level health boards, and they all have different standards and different funding mechanisms. In addition, there are city-level efforts, and efforts being taken by private institutions. None of these are in any way coordinated.
Automation hasn't made production or distribution or service more resilient, because it's been put toward further centralization—rather than requiring a large proportion of blue-collar workers to stop work in order to stop production, a smaller proportion of a smaller number of white-collar workers control the machinery by which work is distributed to the blue-collar workers. That machinery is fragile enough that without monitoring it, it will become dysfunctional. It is possible that the flow of consumer goods into stores might be disrupted temporarily, making it hard to obtain some goods needed for daily life.
The idea of a deadly disease that can spread not only through face-to-face contact but through the semi-automated alternatives we have redirected most of our commerce towards (mail order with packages sorted by people who certainly won't be taking sick days, & takeout delivered by the same) is uniquely suited to screwing up an economy in which both visible and hidden labor is largely performed by a growing precariat [?] whose contract with capital is based on the presumption of a happy path in which no catastrophes are permitted.
Since the great recession, many firms have reoriented to operate at much higher ratios of debt to income. This, plus the just-in-time supply chains that have become common in the last few decades, makes these firms extremely fragile—they have no buffer. Thus, a big disruption to a bunch of firms at once can make many of them be unable to service their debts or even go out of business, which disrupts supply chains further, which can cause more of these companies to become insolvent. This is all much more of a problem for smaller firms than it is for larger, richer, firms with more resources and more confidence from lenders: the eventual recovery will be one in which the big firms have had their smaller competitors eliminated.
Essentially all the infrastructure has been built on the assumption that none of the other infrastructures would break down. Which has ironies, because it shows that the economy bares more isomorphs to the Stalinist one than anyone is really comfortable admitting—everything is fine until circumstances change, and then people start dying, because neither allows much room for bottom-up flows of information or distributed responses. There's this assumption that the mass of blue-collar service workers will always be sufficiently available (at less-than-minimum-wage prices) to do whatever needs to be done, and a pandemic that hits the only people doing the traveling and touching the packages is going to really screw that up. So very much of our densely populated and highly interconnected world is based around the supposed invincibility of modern medicine: the vaccine, antibiotics, and so on. When that fails, so much else does, too. In a sense, there is a preview of a general strike, with this coronavirus. Evictions, rents, and mortgage payments have all been frozen in certain places. During the peak of this, people will either avoid going to work out of fear, or be sick enough to stay home. There are certain obvious similarities, and someone more schooled in the theory of this tactic might be able to point out how to exploit the coronavirus collapse.
“FDA Commissioner Stephen Hahn said in a statement that the decision was based on State Department travel advisories, Centers for Disease Control and Prevention travel recommendations and restrictions imposed on foreign visitors by certain countries. He added the agency will ‘maintain oversight over international manufacturers and imported products using alternative tools and methods.’”
This FDA webpage https://datadashboard.fda.gov/ora/cd/inspections.htm shows the total number of inspections (foreign + domestic) ‘taking a nosedive’ starting in 2019.
For business under deregulation, caveat emptor flourishes. For consumers, learn to ask tough questions about your physicians' suppliers BEFORE electing to purchase.
Zoom is a work-from-home privacy disaster waiting to happen
Just because you're working from home doesn't mean your boss isn't still keeping tabs on your every mouse click. In recent days, thanks in part to the social-distancing measures made necessary by the coronavirus outbreak, converts to the work-from-home life are being forced to contend with the widely used videoconferencing service Zoom. There's just one problem: It's not exactly privacy-friendly.
Long the bane of remote workers, Zoom is equipped with numerous settings that even many of its longtime users may not know about. Take, for example, the “attendee attention tracking” feature. According to Zoom, if enabled, this feature allows hosts of conference calls—i.e., your boss—to monitor participants' computers.
https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/
I run Zoom on iPad while multi-tasking on computer, phone, whatever. I have camera disabled from app AND have mechanical cover over it, and I mute myself to not broadcast keyboard noise. I love Zoom—much prefer it to other conferencing tools I've used—and, of course, my conferences are related to volunteering so there's no “boss” involved.
A scam call centre that targeted thousands of British victims has been raided by the Indian police, following a BBC investigation.
https://www.bbc.com/news/technology-51740214
Another one bites the dust. Leaving only … how many? … remaining.
Advanced camera systems are raising fears of data collection, false alarms and newborn privacy: “We have the technology to do this kind of constant surveillance and hyper-monitoring, [but] it's driving parents insane.”
Baby-monitor companies are pushing artificial-intelligence technology into the family nursery, promising that surveillance software designed to record infants' faces, sounds and movements can save them from injury or death.
But medical, parenting and privacy experts say the safety claims made for such Internet-connected systems aren't supported by science and merely prey on the fears of young parents to sell dubious technology. No federal agency has provided evidence to back them up.
https://www.washingtonpost.com/technology/2020/02/25/ai-baby-monitors/
A new browser privacy study by Professor Doug Leith, the Computer Science department chair at Trinity College is worth reading carefully. Leith instruments the Mac versions of six popular browsers (Chrome, Firefox, Safari, Edge, Yandex and Brave) to see what happens when they phone home. All six make non-obvious connections to various backend servers, with Brave connecting the least and Edge and Yandex (a Russian language browser) the most. How they connect and what information they transmit is worth understanding, particularly if you are paranoid about your privacy and want to know the details.
https://blog.strom.com/wp/?p=7616
Doctors could be liable if they use an AI to make treatment decisions—or if they don't use it.
https://www.statnews.com/2020/03/09/can-you-sue-artificial-intelligence-algorithm-for-malpractice/
“Regardless, AI vendors, many of which are start-ups, could be accruing liability of an unknown scale.”
“Big payouts or high-profile lawsuits could obliterate the emerging health AI sector, which is still a cottage industry.”
The end of Windows 7 support has hit health care extra hard, leaving several machines vulnerable.
https://www.wired.com/story/most-medical-imaging-devices-run-outdated-operating-systems/
Hardly news, but useful reminder. Next time I'm faced with some big med machine I'll ask to see its update log.
February Windows 10 patches were a mess. Is Microsoft ever going to get its Win10 patches act together
A Botnet Is Taken Down in an Operation by Microsoft, Not the Government
https://www.nytimes.com/2020/03/10/us/politics/microsoft-botnets-malware.html
It was another ho-hum day when I did
https://www.google.com/search?q=Ardisia+japonica+edible?
> People also ask
> Can you eat Marlberry?
> Is it OK to eat mulberries off the tree?
Clicking on the first said they were only for the birds. While clicking on the last said “Luckily, they're totally edible,”
Ah, no wonder, one is talking about marlberries, the other mulberries! So fuzzy matching has its dangers!
Ardisia = tropical evergreen subshrubs (some climbers) to trees of Asia and Australasia to Americas [syn: {Ardisia}, {genus Ardisia}]
Released today, the bipartisan Cyberspace Solarium Commission makes more than 75 recommendations that range from common-sense to befuddling.
https://www.wired.com/story/opinion-giant-report-lays-anvil-on-us-cyber-policy
Summary: poor guy used an app to track his bicycle rides, then got charged with a burglary because his commute (and therefore his digital ID) took him past this lady's house at what was apparently the wrong time.
Risks: getting an ominous—but opaque and ambiguous—notification from one of the world's largest, most powerful companies for…doing what exactly?
The Silicon Valley firm alters maps under political pressure and the inscrutable whims of tech executives
https://www.washingtonpost.com/technology/2020/02/14/google-maps-political-borders/
The risk? War…
“This is how we discovered that Google Maps had two locations listed for our home. One was right, one was wrong. This seemed like a pretty minor problem in the scheme of things, and it was. For a while, I even thought it was kind of wonderful. We could be anonymous! Even Google didn't know where we lived! […] But over time, as Google Maps got embedded in more and more apps, the problem worsened. Google Maps is used by Uber, Instacart, Lyft, Door Dash and even something called the Zombie Outbreak Simulator.”
Risk: Sole-source location and route data supplier.
The Rand McNally Road Atlas (https://store.randmcnally.com/2020-rand-mcnally-road-atlases.html) can't be beat for backup. Now available with protective vinyl cover!
Yes, there's an actual No TikTok on Government Devices Ac
TikTok is one of the fastest growing social content sharing apps in the country, but it's also owned by a Chinese company. The U.S.'s security concerns are slamming up against legislators and government workers' dreams of becoming “TikTok Famous.”
https://www.lifewire.com/theres-an-actual-no-tiktok-government-devices-act-4799632
https://www.cbo.gov/publication/56198
The pending legislation would impose fines on businesses that do not satisfy CISA (Cyber Infrastructure Security Agency) hygiene criteria.
“ISPs that do not comply with subpoenas could be subject to civil and criminal penalties; therefore, the government might collect additional fines under the legislation.”
Let's see…~122M Internet domains registered in the U.S. currently (https://www.registrarowl.com/report_domains_by_country.php). Suppose a US $1000 penalty per violation? Might wipe out the U.S. budget deficit eventually.
“Whisper, the secret-sharing app that called itself the safest place on the Internet, left years of users' most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed. The data exposure, discovered by independent researchers and shown to The Washington Post, allowed anyone to access all of the location data and other information tied to anonymous whispers posted to the popular social app, which has claimed hundreds of millions of users. The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.”
It apparently took until The Washington Post contacted them for this to go offline, but that could just be a matter of parallel events as specialists had already given them a heads up. However, being contacted by the PRESS that you're busy leaking secrets strikes me as a near worst case scenario for such a company.
[Re: The Intelligence Coup of the Century (RISKS-31.58)]
Greg Miller, The Washington Post, 6 Mar 2020
As the U.S. spied on the world, the CIA and NSA bickered
U.S. spy agencies were on the verge of an espionage breakthrough, closing in on the clandestine purchase of a Swiss company that could give American intelligence the ability to crack much of the world's encrypted communications.
But the deal fell apart, done in by one of many behind-the-scenes battles between the CIA and the National Security Agency detailed in classified documents tracing one of the most remarkable intelligence operations in American history. […]
> I'm not saying that losing your GPS-based navigation is trivial, but any
> ocean-going vessel and its crew should already be equipped to at least have
> a reasonable chance of avoiding a navigation-related catastrophe.
Gotta wonder what's “reasonable” for a supertanker size of three WWII aircraft carriers, with a crew of six.
The paper record goes into a ballot box, so they can count the paper ballots to check the software count. You can't let people take home a record of how they voted, since that enables vote buying.*
Other than the buzzword factor, I'm trying to figure out what advantage this very complex scheme has over an off the shelf system where voters hand mark paper ballots and drop them in a ballot box. You can get computerized ballot boxes that count the ballots as they're dropped in the box if for some reason you believe it would be a problem to wait for the result while people hand-count them. That's what we use here in N.Y.
* – We leave as an exercise for the reader whether it's really a good idea to do all absentee voting as Oregon does.
The main risk is that instead of using AI just to flag special cases, to be decided by a human being later, decision makers would incorporate such AI systems into the process and (as usually happens) rely on them blindly. It's the old “Our computer says this must be so!”—except that now, it's an intelligent computer…
Subsequent reports said that the student had a Chinese phone roaming from his Chinese carrier, and the phone probably didn't have the location hardware that US phones do.
It's most likely that the ‘smarter' watch types that track the year, insert 29 Feb on years divisible by 4 (which in the simplest form, requires just looking at the lower 2 bits of the year number). These are going to fail on 1 Mar 2100 (and 2200, 2300)! [Just another reminder. This shows up in RISKS more often than every now and then. PGN]
> [3] have the kind that needs to be set back a day because (unlike the
> smarter types that track the year or receive information from external
> sources) it went directly from February 28 to March 1;
nope:
I've been part of the NTP Hackers team for ~25 years and for the last 10+ of those I have exclusively used Garmin Forerunner watches which have enough intelligence to do this right, as well as using the GPS network to keep the local time near-perfect.
> and [4] hadn't realized it yet?
That did use to happen in the old days, with the Casio watches we used to record split times, yes. :-)
Last Saturday night (for most practical purposes) I checked my digital watch (which listens to WWVB for accurate time/date information) at what was still eight minutes after midnight at my house. The watch had, at midnight, checked in and apparently got a good signal. But it had already “leaped” forward, so it said 1:08 and had the date (which was correct) as 8 Mar. But of course the time was not legally supposed to go forward until 2:00 AM by my local time (CST, becoming CDT).
I am wondering if that is a defect in the watch's firmware, or did WWVB send out an incorrect time signal? I have trusted WWV, with or without the B, for almost seven decades now, and I think I would rather blame the watch manufacturer than NIST. (Which I will probably be still calling NBS for as long as I am listening!)
Please report problems with the web pages to the maintainer