The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 17

Tuesday 9 April 2019

Contents

Additional software problem detected in Boeing 737 Max flight control system, officials say
WashPost
Not Just Airplanes: Why The Government Often Lets Industry Regulate Itself
npr.org
Makers of self-driving cars should study Boeing crashes
The Straits Times
Major US airlines hit by delays after glitch at vendor
The Boston Globe
Simulated Engine Failure Led To Crash
Russ Niles
Eyes on the Road: Your Car Is Watching
NYTimes
Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line
TechCrunch
Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists
WashPost
The Newest AI-Enabled Weapon: Deep-Faking Photos of the Earth?
Defense One
Backdoor vulnerability in open-source tool exposes thousands of apps to remote code execution
Cyberscoop
Security analyst finds fake cell carrier apps are tracking iPhone location and listening in on phone calls
9to5 Mac
UK to keep social networks in check with Internet safety regulator
CNET
Should cybersecurity be more chameleon, less rhino?
bbc.com
This is not how the secret service should examine a USB stick
TechCrunch
Report: Official forgot secret arms-deal file at airport
Times of Israel
Hospital says patient info exposed after phishing incident
Boston Globe
DHS tech manager admits stealing data on 150,000 internal investigations, nearly 250,000 workers
WashPost
Online credit-card skimmer
WarbyParker
The engineering of living organisms could soon start changing everything
The Economist
Social media are divisive
WSJ/NBC poll
The future of news is conversation in small groups with trusted voices
Chikai Ohazama
Why It's So Easy for a Bounty Hunter to Find You
NYTimes
Identity Theft—Act Now to Protect Yourself
Kiplinger
Re: Are We Ready For An Implant That Can Change Our Moods?
Wol
Re: How a 50-year-old design came back
Wol
Re: New Climate Books Stress We Are Already Far Down The Road To A Different Earth
Wol
Amos Shapir
Re: Researchers Find Google Play Store Apps Were Actually Government Malware
Amos Shapir
Re: Huawei's code is a steaming pile...
Amos Shapir
Re: According to this bank, password managers are bad
Andrew Duane
Re: Is curing patients, a sustainable business model?
Toby Douglass
Chris Drewe
Info on RISKS (comp.risks)

Additional software problem detected in Boeing 737 Max flight control system, officials say (WashPost)

Monty Solomon <monty@roscom.com>
Thu, 4 Apr 2019 21:26:18 -0400
The findings of the preliminary report in last month's airline crash
increase the pressure on Boeing, which has announced the imminent rolling
out of a new software fix for its most popular passenger plane. The
grounding of the 737 Max 8 following similar crashes in Ethiopia and
Indonesia has been a massive blow to one […]

https://www.washingtonpost.com/world/africa/ethiopia-says-pilots-performed-boeings-recommendations-to-stop-doomed-aircraft-from-diving-urges-review-of-737-max-flight-control-system/2019/04/04/3a125942-4fec-11e9-bdb7-44f948cc0605_story.html


Not Just Airplanes: Why The Government Often Lets Industry Regulate Itself (npr.org)

Richard Stein <rmstein@ieee.org>
Fri, 5 Apr 2019 14:49:02 +0800
https://www.npr.org/2019/04/04/709431845/faa-is-not-alone-in-allowing-industry-to-self-regulate

"In fact, the acting director of the FAA told Congress it would take nearly
$2 billion and 10,000 new employees for the agency to end its reliance on
aircraft manufacturers to conduct their own certification tests."

Carbon-extraction (oil/gas), chemicals, railroads, medical devices, food,
surface vehicles, pharmaceuticals, aircraft, etc. are largely
self-certifying industries subject to minimal Federal inspection and
oversight: Uncle Sam finds proactive risk avoidance engagement to be too
expensive.

In the US, under a self-certification framework, financial and legal
penalties are apparently sufficient to deter unsafe product sales or
capricious corporate operations that endanger public health and safety.

"Peter Van Doren, a senior fellow at the libertarian CATO Institute, argues
self-regulation has largely gone on unnoticed, because, with a few
exceptions, it has been a success. 'In effect, the delegation of all this to
experts and the lack of second-guessing about all this occurred because it
was working.'"

"Was working" is certainly correct in Boeing's case. Which self-regulating
US industry will be next to earn the "was working" label and who will bear
the lesson's burden?

It is certainly true that "there is only so much risk avoidance you can do"
per http://catless.ncl.ac.uk/Risks/18/19#subj7.1
For Boeing's 737 MAX, the risk avoidance practice was ineffective and failed.

In contrast, the EU applies "precautionary measures" for regulation. See
"Why Does the U.S. Tolerate So Much Risk?" in
https://www.nytimes.com/2019/03/15/opinion/federal-aviation-administration-boeing.html

"As European policymakers have grown more willing to regulate risks on
precautionary grounds, increasingly skeptical American policymakers have
called for higher levels of scientific certainty before imposing additional
regulatory controls on business," David Vogel, a political scientist at the
University of California, Berkeley, wrote in a 2012 book on the divide, "The
Politics of Precaution."


Makers of self-driving cars should study Boeing crashes (The Straits Times)

Richard Stein <rmstein@ieee.org>
Fri, 5 Apr 2019 10:34:08 +0800
Brooke Masters byline in
https://www.straitstimes.com/opinion/makers-of-self-driving-cars-should-study-boeing-crashes
and via https://www.ft.com/content/d2c905d8-5473-11e9-91f9-b6515a54c5b1
(both behind paywalls).

"The two disasters...should serve as a warning in other areas where
technology is taking over part, though not all, of crucial tasks from human
experts."

As in-vehicle distractions multiply, drivers are challenged to maintain safe
operation. Self-driving cars are supposed to eliminate distractions by
relieving drivers of their operational role, save for command instructions
like "Take me to the nearest supermarket."

Masters suggests that human driving skills atrophy from neglect and
disuse. Self-driving vehicle technology deployments will accelerate
carbon-based driver skill erosion. Even supplemental, partial automation
such as the Tesla "autopilot" feature, contributes to driving skill erosion.

'The chief executive of Volvo Cars, Mr. Hakan Samuelsson, warned last week
that introducing such semi-automation can be "irresponsible" and cause
accidents when misplaced confidence leads to "over-reliance" by consumers.'

In contrast,
https://www.nytimes.com/2019/03/23/opinion/sunday/stick-shift-cars.html
argues that with a manual transmission, both of the driver's hands and feet
are actively occupied: no free digits for dialing, texting, audio tuning,
environment adjustment, or navigation system interfacing.

Vehicle manufacturers are phasing out manual transmission equipment options,
replacing them with computerized continuously variable mechanisms.

Long live the Four-on-the-Floor!


Major US airlines hit by delays after glitch at vendor

Monty Solomon <monty@roscom.com>
Thu, 4 Apr 2019 09:02:56 -0400
https://www.boston.com/travel/travel/2019/04/01/technical-outage-causing-flight-delays-for-airlines


Simulated Engine Failure Led To Crash (Russ Niles)

Gabe Goldberg <gabe@gabegold.com>
Thu, 4 Apr 2019 23:56:36 -0400
  [The risk? Testing a risk...]

The NTSB says a simulated engine failure on takeoff that turned into the
real thing led to the crash of a STOL Aircraft UC-1 Twin Seabee into a house
in Winter Haven, Florida, 23 Feb 2019. The crash killed instructor James
Wagner while student pilot Timothy Sheehey was slightly injured and a young
woman in the house was seriously hurt. Sheehey, a commercial pilot training
for a multi-engine seaplane rating, told NTSB investigators that before
takeoff, Wagner said he was going to reduce the power on one engine. When he
chopped the power, the engine quit, the prop feathered and the engine
couldn't be restarted.

The report said Wagner headed for an emergency landing spot but determined
he couldn't make it and turned left to land on a lake instead. He lost
control and the airplane ended up tail-up vertically in the house. The
impact knocked the woman in the house through an interior wall. The aircraft
is based on the original single-engine Seabee but equipped with two
wing-mounted Lycoming IO-360 engines.


Eyes on the Road: Your Car Is Watching

Monty Solomon <monty@roscom.com>
Thu, 4 Apr 2019 23:14:17 -0400
https://www.nytimes.com/2019/03/28/business/autonomous-cars-technology-privacy.html

As more technology creeps into the front seat to help drivers, so too will
systems that eavesdrop on and monitor them.


Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line

Monty Solomon <monty@roscom.com>
Wed, 3 Apr 2019 09:22:04 -0400
https://techcrunch.com/2019/03/30/covert-data-scraping-on-watch-as-eu-dpa-lays-down-radical-gdpr-red-line/


Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists (WashPost)

Richard Stein <rmstein@ieee.org>
Thu, 4 Apr 2019 16:38:39 +0800
https://www.washingtonpost.com/technology/2019/04/03/hospital-viruses-fake-cancerous-nodes-ct-scans-created-by-malware-trick-radiologists/

"Researchers in Israel created malware to draw attention to serious security
weaknesses in medical imaging equipment and networks."

Risks: Misdiagnosis from hacked image artifact interpretation.  Additional
diagnostic radiation procedures elevate cancer potential.  Unnecessary
surgical procedures initiated by "ghost" tumors.

X-ray film capture avoids digital image hacks, but operational logistics
(storage and supply chain) apparently deter radiology from a technological
rollback. If CT scan (and presumably MRI, PET, etc.) images are vulnerable
to malware image hacks, shouldn't providers adopt mitigating strategies?


The Newest AI-Enabled Weapon: Deep-Faking Photos of the Earth?

geoff goodfellow <geoff@iconia.com>
Wed, 3 Apr 2019 08:45:39 -1000
Step 1: Use AI to make undetectable changes to outdoor photos.
Step 2: release them into the open-source world and enjoy the chaos.

EXCERPT:

Worries about deep fakes, machine-manipulated videos of celebrities and world
leaders purportedly saying or doing things that they really didn't, are
quaint compared to a new threat: doctored images of the Earth itself.
<https://www.defenseone.com/technology/2017/08/ai-will-make-fake-news-video-and-fight-it-well/140075/>

China is the acknowledged leader in using an emerging technique called
generative adversarial networks to trick computers into seeing objects in
landscapes or in satellite images that aren't there, says Todd Myers,
automation lead and Chief Information Officer in the Office of the Director
of Technology at the National Geospatial-Intelligence Agency.

“The Chinese are well ahead of us. This is not classified info,'' Myers said
Thursday at the second annual Genius Machines summit
<https://www.defenseone.com/feature/genius-machines-ai-livestream/>,
hosted by Defense One and Nextgov. “The Chinese have already designed;
they're already doing it right now, using GANs—which are generative
adversarial networks—to manipulate scenes and pixels to create things for
nefarious reasons.''

For example, Myers said, an adversary might fool your computer-assisted
imagery analysts into reporting that a bridge crosses an important river at
a given point.

“So from a tactical perspective or mission planning, you train your forces
to go a certain route, toward a bridge, but it's not there. Then there's a
big surprise waiting for you,'' he said.

First described in 2014 (https://arxiv.org/pdf/1406.2661.pdf), GANs represent
a big evolution in the way neural networks learn to see and recognize objects
and even detect truth from fiction...  [...]

http://www.nextgov.com/emerging-tech/2019/04/newest-ai-enabled-weapon-deep-faking-photos-earth/155962/


Backdoor vulnerability in open-source tool exposes thousands of apps to remote code execution

geoff goodfellow <geoff@iconia.com>
April 6, 2019 at 00:57:40 EDT
Roughly 28 million users have downloaded a malicious version of a popular
open-source framework that masquerades as the real thing, but in fact gives
hackers a back door into applications.

A compromised version of the website development tool bootstrap-sass was
published to the official RubyGems repository, a hub where programmers can
share their application code. The open source security firm Snyk alerted
developers to the issue Wednesday, advising users to update their systems
away from the infected framework (version 3.2.0.3).

“That doesn't mean there are something like 27 million apps out there using
this,'' said Chris Wysopal, chief technology officer at app security company
Veracode. “[But] when you're using open source packages to build your
applications, you're inheriting many of the vulnerabilities.  But
bootstrap-sass is a popular component used by enterprises and startups so
there's potentially thousands of applications affected by this.''

While the vulnerability is serious—hackers can exploit it for remote code
execution—the issue also highlights how pervasive such flaws can become
if they're not fixed quickly, according to application security experts. The
2017 data breach at Equifax was possible because the company did not act to
resolve a flaw in the open source Apache Struts framework...

https://www.cyberscoop.com/bootstrap-sass-infected-snyk-rubygems/
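The check a practitioner would want after an advisory like this, as an added example that is not part of the Cyberscoop article or of Snyk's tooling: scan a Gemfile.lock for gems that Bundler resolved to a version the advisory names. The lockfile text, the script name and the gems other than bootstrap-sass are constructed for the example; the only advisory entry is the one the page reports (bootstrap-sass 3.2.0.3), and a real deployment would feed the table from an advisory source rather than hard-code it.

```ruby
# scan_lockfile.rb (hypothetical name): flag resolved gems pinned to a
# version named in an advisory table. Added example, not from the article.

# Versions the page reports as compromised. Extend from an advisory feed;
# anything beyond bootstrap-sass 3.2.0.3 here would be an assumption.
KNOWN_BAD = {
  'bootstrap-sass' => ['3.2.0.3'],
}.freeze

# Constructed sample Gemfile.lock: three resolved gems, one pinned to the
# compromised release. Bundler writes resolved specs at four-space indent and
# each spec's own dependencies at six-space indent under it.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.5.1)
        execjs
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sassc (>= 2.0.0)
      sassc (2.0.1)
        ffi (~> 1.9)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass

  BUNDLED WITH
     1.17.3
LOCK

# Exactly four leading spaces, a gem name, and a parenthesised version.
# Six-space dependency lines never match because the fifth character is a space.
SPEC_LINE = /\A {4}(\S+) \(([^)\s]+)\)\z/

# Returns [name, version] pairs for every gem resolved inside a "specs:" block
# (GEM, GIT or PATH sections all use the same layout). A blank line or a line
# at column zero ends the current block.
def parse_lockfile_specs(text)
  specs = []
  in_specs = false
  text.each_line(chomp: true) do |line|
    if line.strip.empty? || line !~ /\A\s/
      in_specs = false
    elsif line == '  specs:'
      in_specs = true
    elsif in_specs && (m = SPEC_LINE.match(line))
      specs << [m[1], m[2]]
    end
  end
  specs
end

# Cross-reference resolved gems against the advisory table; returns the hits.
# Comparison is on the exact resolved version string, which is what Bundler
# installs, so a range constraint in the Gemfile cannot mask a bad pin.
def find_compromised(specs, advisories = KNOWN_BAD)
  specs.select { |name, version| advisories.fetch(name, []).include?(version) }
end

if $PROGRAM_NAME == __FILE__
  # With a path argument scan that lockfile; otherwise demonstrate on the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  hits = find_compromised(parse_lockfile_specs(text))
  if hits.empty?
    puts 'no gems resolved to a known-compromised version'
  else
    hits.each do |name, version|
      puts "COMPROMISED: #{name} #{version} -- upgrade, redeploy, and treat " \
           'secrets reachable from the app as exposed'
    end
  end
end
```

Run it as `ruby scan_lockfile.rb Gemfile.lock` against each deployable repository; because the lockfile records what was actually installed, this catches a bad pin even when the Gemfile only states a loose constraint. A hit means the backdoored code already ran in your build and possibly in production, so the response is rotation of credentials the application could reach, not just a version bump.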


Security analyst finds fake cell carrier apps are tracking iPhone location and listening in on phone calls

geoff goodfellow <geoff@iconia.com>
April 9, 2019 at 01:11:01 EDT
EXCERPT:

In yet another abuse of the enterprise distribution program, security
analyst Lookout has identified apps (via Techcrunch) that were pretending to
be published by cell carriers in Italy and Turkmenistan. The apps were
available for iPhone users to download through Safari as they were signed by
an enterprise certificate. These apps used carrier branding and pretended to
offer utilities for the users' cell plans when in reality they would ask for
every permission they could to track location, collect contacts, photos, and
more, and had the capability to listen in on users' phone conversations.

Apps using enterprise certificates are not available through the App Store,
but malicious criminals can target iOS users through Safari (perhaps with a
phishing attack-esque email) and get people to download the app over the
web, outside of the purview of the App Store review process.

Essentially, when an app is distributed with an enterprise certificate,
there is no accountability over what the app can do. When a developer
applies for an enterprise certificate, Apple makes it plain that apps should
only be delivered to employees of the enterprise and not used
elsewhere. However, as it stands, there is very little Apple can do to
enforce this beyond the policy of advisory language.

This year, we have seen countless abuses of the enterprise system, including
high-profile cases like operations at Facebook and Google. Apple revokes the
certificate when it becomes aware of individual cases, but it's clear the
company does not have the overall enterprise certificate program under
control. In a future software version of iOS, Apple may impose stricter
requirements to tighten the security screws on the enterprise program. The
company is yet to commit to any such plans however.

Certificates are often stolen or sold on, so licenses to the enterprise
developer program that were once used legitimately are now being used
nefariously. In the case of the app highlighted by Lookout, it appears to be
linked to similar malware that existed on Android called `Exodus'...

https://9to5mac.com/2019/04/08/iphone-tracking-security-carrier-apps/
https://techcrunch.com/2019/04/08/iphone-spyware-certificate/


UK to keep social networks in check with Internet safety regulator (CNET)

geoff goodfellow <geoff@iconia.com>
April 8, 2019 at 1:14:01 AM EDT
Facebook, Twitter, YouTube and a whole bunch of smaller platforms will face
huge fines if they fail to live up to their "duty of care" to Internet
users.

EXCERPT:

The UK government is taking a hard line when it comes to online safety,
appointing what it claims is the world's first independent regulator to keep
social media companies in check.

Companies that fail to live up to requirements will face huge fines, with
senior directors who are proven to have been negligent of their
responsibilities being held personally liable. They may also find access to
their sites blocked.

The new measures, designed to make the Internet a safer place, were
announced jointly by the Home Office and Department of Culture, Media and
Sport. The introduction of the regulator is the central recommendation of
the highly anticipated government white paper, published early Monday
morning in the UK.

The regulator will be tasked with ensuring social media companies are
tackling a range of online problems, including:

* Inciting violence and spreading violent content (including terrorist content)
* Encouraging self-harm or suicide
* The spread of disinformation and fake news
* Cyber bullying
* Children accessing inappropriate material
* Child exploitation and abuse content

As well as applying to the major social networks, such as Facebook, YouTube
and Twitter, the requirements will also have to be met by file-hosting
sites, online forums, messaging services and search engines.

"For too long these companies have not done enough to protect users,
especially children and young people, from harmful content," said Prime
Minister Theresa May in a statement. "We have listened to campaigners and
parents, and are putting a legal duty of care on Internet companies to keep
people safe."...

https://www.cnet.com/news/uk-to-keep-social-networks-in-check-with-internet-safety-regulator/


Should cybersecurity be more chameleon, less rhino? (bbc.com)

Richard Stein <rmstein@ieee.org>
Tue, 9 Apr 2019 16:19:34 +0800
https://www.bbc.com/news/business-47724438

Crypto-splitting or Morphisec. "Morphisec—born out of research done at
Ben-Gurion University—has developed what it calls 'moving target
security'. It's a way of scrambling the names, locations and references of
each file and software application in a computer's memory to make it harder
for malware to get its teeth stuck into your system."

Sounds like a kind of parallel random access machine, though the difference
is static resource references (files, hard/soft links, URLs, etc.) are
hashed, and randomized inside a virtual and possibly distributed address
space pool to prevent malware detection and then manipulating the
application or data for fun and profit.

Risk: The malware can learn to do the same thing as the morphisec stack.
Alternatively, reverse engineer the run-time stack with Ghidra. Perhaps
Mayhem can be trained for this purpose?


This is not how the secret service should examine a USB stick

Neil Youngman <neil.youngman@youngman.org.uk>
Tue, 9 Apr 2019 11:27:21 +0100
It seems that the secret service are not advised to avoid plugging
unknown/suspicious USB sticks into their laptops. The risks are all too
obvious.

https://techcrunch.com/2019/04/08/secret-service-mar-a-lago/


Report: Official forgot secret arms-deal file at airport (The Times of Israel)

Gabe Goldberg <gabe@gabegold.com>
Tue, 9 Apr 2019 10:44:38 -0400
https://www.timesofisrael.com/report-official-forgot-secret-arms-deal-file-at-airport/

Oops—better repeat Tradecraft 101.


Hospital says patient info exposed after phishing incident (Boston Globe)

Monty Solomon <monty@roscom.com>
Tue, 9 Apr 2019 05:47:39 -0400
https://www.boston.com/news/local-news/2019/04/08/hospital-says-patient-info-exposed-after-phishing-incident


DHS tech manager admits stealing data on 150,000 internal investigations, nearly 250,000 workers (WashPost)

Monty Solomon <monty@roscom.com>
Thu, 4 Apr 2019 21:33:01 -0400
A Virginia woman pleaded guilty to conspiring with a former DHS acting
inspector general.

https://www.washingtonpost.com/local/legal-issues/dhs-tech-manager-admits-stealing-data-on-150000-internal-investigations-nearly-250000-workers/2019/04/04/da053180-56eb-11e9-9136-f8e636f1f6df_story.html


Online credit-card skimmer (WarbyParker)

"Ralph Barone" <ralph.barone@shaw.ca>
Mon, 8 Apr 2019 20:33:27 -0700
This online optician has an interesting online way to measure your pupillary
distance online.  You just take a picture of yourself with a magstrip
equipped card beneath your nose, and their algorithms will compare the
distance between your pupils to the known width of the card (85.60 mm) and
tell you how far apart your pupils are.  However, you are also very likely
sending them a picture of the back of your credit card, with the embossed
numbers and expiration date clearly visible, as well as your signature and
CVV code for the card.  So what do you figure the risk/benefit ratio is for
that?

<https://ca.warbyparker.com/pd/instructions>


The engineering of living organisms could soon start changing everything (The Economist)

Richard Stein <rmstein@ieee.org>
Mon, 8 Apr 2019 19:58:57 +0800
https://www.economist.com/technology-quarterly/2019/04/04/the-engineering-of-living-organisms-could-soon-start-changing-everything

The syn-bio field offers substantial promise for healthcare: effective
cancer treatments, less expensive pharmaceuticals, etc. Carbon-neutral fuel
sources (biofuels from bacteria) were an early investment target. The
biofuel startups nose-dived on the oil price decline.

"That made investors very cautious about synthetic biology. But the field
attracted a bit of support from some governments, such as those of Britain
and Singapore. In America the Pentagon's far-out-ideas department, DARPA,
which had taken an early interest, created a new office of biology in
2013. Two years later it launched a programme that paid for leading
laboratories in the field to put together pathways which could produce 1,000
molecules never created biologically before."

Easy to imagine "The Andromeda Strain" arising from a syn-bio experiment
gone wrong courtesy of a "repressilator" specification error or a synthesis
programming error or malware assault.


Social media are divisive

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 5 Apr 2019 12:13:12 PDT
Social-media services such as Facebook and Twitter do more to divide
Americans than bring them together, according to a solid majority of
respondents in a WSJ/NBC poll:

https://www.wsj.com/articles/americans-agree-social-media-is-divisive-but-we-keep-using-it-11554456600


The future of news is conversation in small groups with trusted voices (Chikai Ohazama)

Dewayne Hendricks <dewayne@warpspeed.com>
April 9, 2019 at 07:53:19 EDT
Techcrunch, Apr 7 2019
<https://techcrunch.com/2019/04/07/stuck-at-the-sushi-boat-bar-of-news/>

When I first came out to California, one of my favorite places to go for
sushi was in downtown Mountain View. They had these little boats that would
float around the bar, each carrying some sushi on a small plate. You just
sat down and started picking out the ones you liked, and began eating --
very efficient and also a little bit of fun.

I feel like my news consumption these days is like those sushi boats. I sit
down and the news just streams by and I pick out the articles I like and
read them. Very efficient and also a little bit of fun. But I've been stuck
at the sushi boat bar of news for far too long, watching the same imitation
crab rolls go by. I need a better way to consume better information.

As you probably guessed, that “sushi boat bar of news'' is Facebook,
Twitter and the like. The algorithmic nature of news feeds tends to target
the lowest common denominator, and it can often pander to people's baser
instincts. That being said, it does have its place, and provides a glimpse
into what is capturing the general public's attention—but it can't be the
whole meal, and that is what it has become. It's like people who eat
McDonald's for breakfast, lunch and dinner. It's tasty, addictive, but very
unhealthy in the long term.

So what can you do about it, how can you make a change?

Email newsletters have been making a resurgence in popularity, but they are
hard to manage and sort through. Christopher Mims of The Wall Street Journal
tweeted about this problem:

* If everyone has an email newsletter and someone gets the brilliant idea to
  consolidate them in one place where they can easily be followed or
  unfollowed wouldn't that realize the dream of an open standards-based,
  surveillance-free alternative to Facebook?

And then Steven Sinofsky had a witty response:

And let us name it is RSS.

Indeed, another `old' technology like email that people have been
gravitating toward as an alternative to get their daily news. Wired has
proclaimed that “It's time for an RSS revival'' and it has resonated with
well-respected thought leaders like Brad Feld. But RSS has had a tumultuous
past, mainly used by professionals who need to keep up with their respective
industries, not by the average consumer.

If email newsletters or RSS were to become the replacement, it would need a
new approach or framework, not just a rehashing of past products. But that
is only half the problem. In this day and age, we have become accustomed to
having our friends and other people around when we read the news. Even if
you don't make any comments yourself, news exists in a public conversation
and people's reactions, whether they be from your friends or celebrities,
are often part of the news itself.

Now these public conversations can be very toxic and are the very reason
people are fleeing and looking for alternatives, but I don't think people
want to turn the dial to zero and go back to the days of reading the
newspaper by yourself over breakfast. I think people still want others
around—they just want it to be safe and free from trolls.

When the web first started taking off, information propagated via the web
and hyperlinks, and that world was dominated by Google web search. As
Facebook and Twitter grew into prominence, information started to propagate
via social networks. And now people are starting to get more and more of
their information via messaging, which is looking to be the next step in the
progression. You can already see this transition happening in places like
India with WhatsApp, where it is becoming a major source of misinformation.
And there are interesting experiments out there like Naveen Selvadurai's
README on Telegram, where he posts articles into a Telegram group.

But for the most part there hasn't been much evolution or progress on the
messaging side of the equation to adapt it to become more of an information
propagation medium. It's still mainly about casual conversation and has
little overlap with the “news feed'' use case. But given how things are
changing, now may be a good time to push the boundaries of what messaging
could become. I think people are seeking relief from the barrage of social
media, not knowing who to trust any more and wanting a better channel to the
truth.

I'm pretty confident that closing the circle to a closer, trusted group
would be welcome by most people. It doesn't necessarily mean just friends,
but it could include trusted experts or voices in the community that can
help shepherd people through the noise and distractions. [...]


Why It's So Easy for a Bounty Hunter to Find You (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 2 Apr 2019 23:08:35 -0400
Wireless companies sell your location data.  Federal regulators should stop
them.
https://www.nytimes.com/2019/04/02/opinion/fcc-wireless-regulation.html


Identity Theft—Act Now to Protect Yourself (Kiplinger)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 7 Apr 2019 10:56:46 PDT
Identity thieves are more skilled at their nefarious craft than ever,
more sophisticated.

As new research on identity theft continues to roll in, it paints an
unsettling picture of how good crooks are getting at their craft. Although
the number of U.S. breaches fell in 2018, the number of records exposed
containing sensitive, personally identifiable information (such as Social
Security and financial-account numbers) spiked by 126% from the year before,
according to a report from the Identity Theft Resource Center.  “That tells
us thieves aren't committing less crime—they're just getting better at
it,'' says Eva Velasquez, president and CEO of the ITRC.

One of the largest breaches disclosed last year was at Marriott
International, which admitted in November that its Starwood guest
reservation database had been hacked starting in 2014. That exposed up to
383 million guest records (though the number of guests affected is likely
smaller because of multiple records). Many records contained data such as
passport numbers, addresses, dates of birth and, in some cases, customers'
payment-card information. Quora, an online question-and-answer platform,
also discovered a breach of account information including names, e-mail
addresses and passwords of up to 100 million users. Hackers may try to enter
stolen usernames and passwords into other sites—say, those of banks or
retailers—in hopes that some customers reuse their log-in details across
several accounts.  “The chances that some of those credentials will work on
one or more other websites are exceptionally high,'' says Velasquez.

Fortunately, none of those 2018 breaches involved Social Security numbers --
a key piece of information a thief can use to run away with someone else's
identity.  But the 2017 Equifax data breach exposed the names, Social
Security numbers, birth dates and other sensitive data of more than 145
million Americans. Those bits of info are permanent pieces of your identity,
and they may sit idle for years before a criminal puts them to work.

The overall number of fraud victims fell significantly last year from 2017,
thanks largely to a decline in fraud against existing credit and debit
cards, according to a Javelin Strategy & Research report. But in both 2017
and 2018, the number of victims who faced some liability for fraud more than
doubled from 2016, and so did the victims' out-of-pocket costs.  Incidents
of fraud in which criminals open new financial accounts in a victim's name
or take over existing non-card accounts, such as brokerage or retirement
accounts, were well above historical levels in 2017 and 2018 and “are much
more difficult, and frequently expensive, for victims to resolve,'' says
Javelin.

https://www.kiplinger.com/article/credit/T048-C000-S002-identity-theft-act-now-to-protect-yourself.html


Re: Are We Ready For An Implant That Can Change Our Moods? (npr.org, RISKS-31.16)

Wols Lists <antlists@youngman.org.uk>
Sun, 7 Apr 2019 08:10:30 +0100
On 06/04/19 22:46, RISKS List Owner wrote:
> Without a randomized control trial to validate device efficacy, a cranial
> implant faces significant obstacles to achieve regulatory approval, gain
> widespread acceptance, and become commercially viable.  Volunteers will be
> difficult to attract.

Such devices already have approval, and are part of the neurologist's
standard arsenal. And volunteers who feel they have nothing to lose are not
hard to attract.

Deep Brain Stimulation is a recognised treatment for Parkinson's dyskinesia
-- indeed one of my friends has an implant—and can be very effective. It
has massively improved my friend's quality of life.

Using it like a mind-enhancing drug to trigger mood-swings, though—that's
a very different kettle of fish. I can't imagine that being approved other
than for people who suffer severe and sudden or uncontrollable depression -
life-threatening depression.


Re: How a 50-year-old design came back (Broadbeck, RISKS-31.16)

Wols Lists <antlists@youngman.org.uk>
Sun, 7 Apr 2019 08:30:20 +0100
> This is true of most fighter aircraft designed since the mid-70s, although
> it doesn't exactly have to do with shape complexity.

A perfect example of this (although not a fighter aircraft) is the Hawker
Harrier.

Look at pretty much any aircraft from the 50s and earlier. The wings all
slope upwards and outwards (dihedral) from the body. As the aircraft rolls,
this increases the lift from the dropping wing, and counteracts the roll.

Then look at the Harrier. Its wings slope DOWNward (anhedral), which means
if it starts rolling, the roll will accelerate. This is typically countered
by strong dihedral on the tail to give an aircraft minimum stability rather
than negative stability as this gives best performance.

But a very early example of this sort of thing is the Sopwith Camel, from
1917. While it involved the engine, not the wings, level flight required
firm left rudder. This killed a lot of novices who didn't realise that as
soon as the aircraft lifted off it would promptly try and dive to the right,
but in the hands of an ace they would nearly always turn right because even
if you wanted to turn left it was far faster to go three-quarters right.


Re: New Climate Books Stress We Are Already Far Down The Road To A Different Earth (TPR, RISKS-31.16)

Wols Lists <antlists@youngman.org.uk>
Sun, 7 Apr 2019 09:45:52 +0100
> So, when Wallace-Wells talks of economic impacts, he cites a study linking
> 3.7 degrees of warming to over $550 trillion of climate-related
> damage. Since $550 trillion is twice today's global wealth, the conclusion
> is that eventually rebuilding from the "n-th" superstorm will stop. We'll
> just abandon our cities or live within the ruin.

I've been told it's impossible, but I'm afraid of a new "Noah's Flood".  The
probable explanation of the original story is that, 10,000 years ago the
Rhine flowed into the Atlantic somewhere between Scotland and Norway,
Britain was part of Europe, and farming was new-fangled technology in the
fertile Indus plain between Europe and Asia. Then an ice dam in Canada
failed due to global warming.

A few short *months* later, the English Channel had appeared, the Rhine
Estuary had become the North Sea, and the Indus plain had become the Black
Sea. Farming spread rapidly because all the farmers had been evicted from
their Garden of Eden, and they took the story of the flood with them.

At the moment, a huge amount of Antarctic ice is held back by the -- I think
-- Weddell ice sheet. It might not take much of a rise in sea level to make
that float such that it no longer holds back the glaciers, and a huge amount
of ice could slide into the ocean.

The recent Japanese tsunami breached a defense designed to withstand a
10m surge. What would happen if the world suffered not a 10m surge, but
a 10m rise over a couple of months? London would be gone. New York would
be gone. Most international shipping would be gone—the ports would be
underwater. Much international communication would be gone—how much
critical infrastructure is located close to the coast?

We wouldn't have to worry about the international refugee crisis—most
people wouldn't be able to flee far. I expect civilisation would recover
from such a disaster pretty quickly, but part of the recovery would be
lethal epidemics that make the Black Death look like a picnic -- that took out
a third of Europe's population. If the world went down to 2 or 3
billion, those that were left could live very comfortably. And the world
would hopefully recover as our ability to mine fossil fuels will have
been severely curtailed.


Re: New Climate Books Stress We Are Already Far Down The Road To A Different Earth (TPR, RISKS-31.16)

Amos Shapir <amos083@gmail.com>
Mon, 8 Apr 2019 10:27:04 +0300
The trouble with such books is that when the most extreme scenario does not
happen (or is rather bad, but not outright catastrophic), there would be a
lot of deniers who'd use it to declare "Global Warming is a hoax, we can go
on polluting as usual".

  [That argument merely contributes to the hoax that "Global Warming is a
  hoax."  However, there is a difference between anticipating the future and
  chronicling the past -- as in new findings on evolution, dinosaur
  extinctions, and the effects of the monster meteor strike on the climate
  based on geological evidence.  But those don't hinder the deniers.  PGN]


Re: Researchers Find Google Play Store Apps Were Actually Government Malware (Motherboard, RISKS-31.16)

Amos Shapir <amos083@gmail.com>
Mon, 8 Apr 2019 10:28:51 +0300
This gives new meaning to "hidden in plain site"...


Re: Huawei's code is a steaming pile... (Henry Baker, RISKS-31.16)

Amos Shapir <amos083@gmail.com>
Mon, 8 Apr 2019 10:54:46 +0300
The main fault of memcpy() and strcpy()-like functions is that they believe
their input; but that might be dangerous only if such input originates
externally and is not sanitized before use.

IMHO most of the thousands of calls mentioned process data internal to the
program, which is sure not to cause overflow or to have been injected with
malicious code, and in any case is under the programmer's control and cannot
be modified by external sources.  But in some cases, it might take very
sophisticated software analysis tools to identify the few truly risky calls.
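
  [The distinction drawn above, worked as an added C example.  This is not
  code from the Huawei report, from Henry Baker's item, or from this reply;
  the record layout, the NAME_MAX field size and the function names are
  assumptions made for the illustration.  It contrasts an unbounded strcpy()
  over program-internal data, whose fit is proven at compile time, with a
  copy of external data that validates the length before touching the
  buffer, and keeps the unchecked external-copy pattern alongside for
  contrast.  Inputs in main() are constructed, not captured.]

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size field; the layout is an assumption for the example. */
#define NAME_MAX 16

struct record {
    char name[NAME_MAX];
};

/* Internal data: a compile-time constant that provably fits.  The
 * unbounded strcpy() below "believes its input", but the input is under the
 * programmer's control, and the static assertion turns that belief into a
 * checked fact rather than an assumption. */
static const char INTERNAL_DEFAULT_NAME[] = "default";
_Static_assert(sizeof(INTERNAL_DEFAULT_NAME) <= NAME_MAX,
               "internal default must fit in record.name");

void set_default_name(struct record *r)
{
    strcpy(r->name, INTERNAL_DEFAULT_NAME);
}

/* External data: src/src_len arrive from the wire (or a file, or argv).
 * The same trust would be a buffer overflow, so the length is validated
 * before anything is copied.  Returns 0 on success, -1 if the input is
 * rejected.  Rejecting is preferred to silent truncation (strncpy-style),
 * which can leave an unterminated or semantically different value. */
int set_name_from_input(struct record *r, const char *src, size_t src_len)
{
    if (r == NULL || src == NULL)
        return -1;
    if (src_len >= NAME_MAX)                    /* no room for the terminator */
        return -1;
    if (memchr(src, '\0', src_len) != NULL)     /* embedded NUL: malformed field */
        return -1;
    memcpy(r->name, src, src_len);
    r->name[src_len] = '\0';
    return 0;
}

/* The risky pattern the analysis tools have to single out: an unbounded
 * copy whose source is external.  Shown only for contrast; never called
 * with untrusted input here. */
void set_name_unchecked(struct record *r, const char *external_src)
{
    strcpy(r->name, external_src);              /* overflow if strlen >= NAME_MAX */
}

/* Returns 1 if src (len bytes) is accepted and stored intact, 0 otherwise. */
int accepts_name(const char *src, size_t len)
{
    struct record r;
    if (set_name_from_input(&r, src, len) != 0)
        return 0;
    return strlen(r.name) == len && memcmp(r.name, src, len) == 0;
}

/* Returns 1 if the internal default round-trips unchanged. */
int default_name_ok(void)
{
    struct record r;
    set_default_name(&r);
    return strcmp(r.name, INTERNAL_DEFAULT_NAME) == 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one an attacker might send. */
    const char *ok = "alice";
    const char *too_long = "0123456789ABCDEFXYZ";  /* 19 bytes, > NAME_MAX-1 */
    printf("default ok: %d\n", default_name_ok());
    printf("\"%s\" accepted: %d\n", ok, accepts_name(ok, strlen(ok)));
    printf("\"%s\" accepted: %d\n", too_long, accepts_name(too_long, strlen(too_long)));
    return 0;
}
```

  [The point for triage: the call in set_default_name() and the call in
  set_name_unchecked() are the same library function, and a grep counts
  them the same.  What separates them is whether the source can be reached
  by an external party and whether its length is checked first, which is
  data-flow information, not something visible at the call site.]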


Re: According to this bank, password managers are bad (Sheps, RISKS-31.16)

Andrew Duane <e91.waggin@gmail.com>
Mon, 8 Apr 2019 09:45:57 -0400
My company, a very high-tech established company, has a similar requirement
for passwords: incredibly complex rules and length requirements and an
absolutely mandated 6-month change period (else you get locked out of
everything). Repeated attempts to get our IT security group to understand
that multiple frequent change requirements are incompatible with developing
good secure passwords have failed. Luckily, they are silent on password
managers, which everyone here uses.


Re: Is curing patients, a sustainable business model? (RISKS-31.???)

Toby Douglass <risks@winterflaw.net>
Sun, 7 Apr 2019 21:30:40 +0300
> In a country which has some form of democracy, the public have the means
> to pressurise the Government to improve the health care system.

I may be wrong, but I do not see this occurring in the world now or in the
past for at least some decades.

In the UK, the NHS has been providing poor care, and has been a political
football, for as long as I can remember.  In the US, tax relief on employer
provided insurance, which I think a profoundly discouraging factor for
patient health care, began around the same time, originating, if the chain of
events is fully followed, in the wage freezes imposed by the State in the USA
in WW2.

I suspect they both persist for essentially the same reason.  It may be
extremely arrogant and egoistic to say this, and I may be utterly wrong, but
I think in general people do not understand the nature and necessity of
competition, and so when in situations where they receive an immediate
benefit for the removal of competition ("free" health care in the UK, tax
relief in the US) they prefer that benefit.

The population as a whole is unable then to pressure the Government to
improve the situation because they do not understand the situation, either
to know what to do instead, or to have reason to bear the cost of the loss
of the immediate benefit.  The Government in turn cannot change the
situation to improve competition, because people would lose their immediate
benefit, and they get unhappy about that.  Attempts by the State in the UK
to change the NHS have been political suicide.

Democracy, if it works by mass will, only works when that will has enough
knowledge and intelligence to act effectively.

> On the other hand, if a company has a monopoly on a particular drug or
> treatment, then they can charge "whatever the market will bear".  There is
> nowhere else for the sufferer to go.

Yes and yes.  Monopoly however is almost always enforced by the State.  In
the absence of patents, or excessively long patents, other companies rapidly
introduce similar products.

I see this as being an example of ordinary people being forced to endure.
Patents were originally intended to last only for four years.

> The best way to get good health care is to take people who are passionate
> about caring for others (fortunately there are many such people to be
> found) and give them the freedom to do what they love doing.

How does one choose these particular people?  How does one choose the
choosers?

Setting this aside, to give them freedom, you must be giving them money.
Where does the money come from?

If it comes from the State, by taxation, then the State, by controlling the
money, controls the health care system.  That system will necessarily come
to prioritize the needs of State—all care primarily for the needs and
concerns of those who pay their salaries and control their job security.

Voters only very, very weakly control the State.  Taxation is mandatory, and
all they can do is every few years vote, which may switch between one party
and one other party.  Their influence over the practice of medicine,
transmitted through the State, is both minimal and although I may be wrong,
I think *also* mis-directed, given a lack of understanding of the necessity
of competition, and in some cases, such as the UK and US, the loss of
immediate benefit were competition to be introduced.

The State, where it controls funding, will inexorably, inevitably,
unavoidably, impose its own wishes upon the practice of medicine, and those
wishes will reflect, in proportion to their strength and importance to the
State, its own self-interest, politics often partisan, the self-interest of
large companies with lobbying power, and the interest, I think often
mis-directed, of the voting public.


Re: Is curing patients, a sustainable business model? (R-31,13-16)

Chris Drewe <e767pmk@yahoo.co.uk>
Mon, 08 Apr 2019 22:13:40 +0100
As a Brit who 'enjoys' the National Health Service ("the envy of the
world"), which I haven't needed to make much use of, I'm inclined to agree
with this view.  The good thing about the NHS is that we can be ill without
having to worry about paying medical bills.  The bad thing is that health
treatment is something that we have done to us, with little say in the
matter; the NHS can do a great job, but with the efficiency and
user-friendliness expected of a taxpayer-funded monopoly.  No matter how
rich or poor we are, or how serious our medical problem is, we have to wait
in line with everybody else for whatever service the NHS deigns to offer.
As well as endless arguments about funding, the big difficulty with a
free-on-demand service is the lack of a customer/supplier relationship as
exists in other fields.

Everybody needs something to eat and something to wear, but I've never heard
a good argument that food and clothing should be issued to the populace free
of charge by a government agency, and indeed groceries and garment sales are
among the most dynamic sectors of the retail environment.  In particular,
people who work in supermarkets are not superhuman but are generally helpful
and professional—they have to be, because they know that keeping their
jobs relies on customers wanting to buy stuff.  By contrast, in the
Stakhanovite world of non-commercial monopolies, everything depends on
goodwill.

[...] it can take a lot of time and effort to change government policy (this
has been called "the long route of accountability")—better to allow
people to have a choice of service providers.
