The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 24

Tuesday 14 May 2019


Silicon Valley makes everything worse: Four industries that Big Tech has ruined
"Do we need 6G wireless already? 5G engineers debate"
ZDNet via GeneW
"Over 25,000 smart Linksys routers are leaking sensitive data"
Charlie Osborne
The Future Is Here, and It Features Hackers Getting Bombed
Foreign Policy
Ford to expand medical transport service
Detroit News
Australian $50 note typo: spelling mistake printed 46 million times
The Guardian
SHA-1 collision attacks are now actually practical and a looming danger
Catalin Cimpanu
TOCTOU Attacks Against BootGuard
PGN via sundry sources
Sharp increase in ransomware attacks on Swiss SMEs
GovCert via Peter Houppermans
AI Can Now Defend Itself Against Malicious Messages Hidden in Speech
Matthew Hutson
Singlish also can, for this AI call system
The Straits Times
Special issue: The global competition for AI dominance Bulletin of the Atomic Scientists: Vol 75, No 3
Who[m] to Sue When a Robot Loses Your Fortune
What Sony's robot dog teaches us about biometric data privacy
New e-voting support system by Microsoft
via Diego Latella
Boeing Knew About Safety-Alert Problem for a Year Before Telling FAA, Airlines
Unless you want your payment card data skimmed, avoid these commerce sites
Ars Technica
Hey, Alexa: Stop recording me
"RobbinHood" ransomware takes down Baltimore City government networks
Ars Technica
Buying a replacement iPhone battery? Be careful you don't get ripped off
Software update crashes police ankle monitors in the Netherlands
Catalin Cimpanu
Tenants win as settlement orders landlords give physical keys over smart locks
Re: The Fight for the Right to Drive
Dan Jacobson
Re: Drug names
Robert R. Fenichel
Info on RISKS (comp.risks)

Silicon Valley makes everything worse: Four industries that Big Tech has ruined (Salon)

the keyboard of geoff goodfellow
Mon, 13 May 2019 19:35:01 -0700
*The tech industry sells itself as improving our lives. So why does it seem
to always do the opposite?*

Adapted from *A People's History of Silicon Valley: How the Tech Industry
Exploits Workers, Erodes Privacy and Undermines Democracy*, by Keith A.
Spencer, on sale now from major booksellers.  Eyewear Publishing, 2018.
Excerpted with permission.

The word "innovation" has become synonymous with Silicon Valley to the point
of absurdity. Indeed, the tech industry's entrepreneurs and
"thoughtfluencers" throw it around as casually as a dodgeball in a
middle-school P.E. class; what it really means is perpetually unclear and
purposefully hazy. It is vague enough to be suitable in nearly any situation
where a new product, service or "thing" is advertised as superior to the old
-- never mind if the so-called "old" thing has some distinct advantages, or
if the new thing's superiority is solely that it makes more money than the
old thing, or if there are other old things that are actually superior yet
which won't make anyone rich. (Consider Apple removing the headphone jack
from its new phones to be Exhibit A.)

That summary may sound flippant, but it is a good explication of the path of
the tech industry over the past two decades: Some venture capital-backed
entrepreneurs jackhammer their way into a new industry, "tech"-ify it in
some way, undermine the competition and declare their new way superior once
the old is bankrupted.

Thus, rather than confine themselves to operating systems and PC software
like they did in the 1980s and 1990s, the tech industry has figured out
that the real money lies in being a middleman. By that I mean serving as
the in-between point for, say, web traffic to newspapers and magazines
(like this one); or being the go-between for taxi services, coordinating
drivers and passengers through apps. In both of these examples, the
original product isn't that different from the pre-tech world: a taxi ride,
in the latter case, a news article in the former. The difference is that a
tech behemoth takes a cut of the transaction. And also in many cases, the
labor—the people making and producing and doing the things the tech
industry takes a slice from—is more precarious, less well-remunerated,
and less safe than it was in the pre-tech era.

Looking at it this way, the tech industry doesn't really seem innovative at
all. Or rather, its sole innovation seems to be exploiting workers with more
cruelty, and positioning itself in the middle of more transactions.
Granted, there are certain services that have become more convenient because
of apps and smartphones—but there is no reason that convenience must come
at the high cost that it does, besides the tech industry's insatiable lust
for profit. Here are but a few examples of how our livelihoods and our
societies have been worsened by Silicon Valley as it sinks its talons into
new industries.


Public transit was never great in the United States, with the exception of a
few big cities like New York, and thus private taxi services were around to
supplement. Being a taxi driver was once a much-vaunted job, so much so that
a taxi medallion was perceived of as a ticket to the middle class.

Then came Uber and Lyft, who flooded the market for private transit and
undercut the taxi industry by de-skilling the industry and paying their
workers far, far less. Driving a taxi is no longer a middle class job;
once-valuable taxi medallions have become burdens for some taxi drivers.
The outlook for career taxi drivers is so dismal that an alarming number of
taxi drivers have been committing suicide.

Meanwhile, because of the precarious nature of Lyft and Uber jobs, those
drivers are frequently not vetted or under-vetted—resulting in
significant safety concerns for passengers. And unlike a taxi back in the
old days, being a rideshare driver isn't a ticket to the middle-class at
all: a recent study of such employees revealed that most contractors use
these kinds of jobs not as their sole source of income, but as supplementary
jobs to make ends meet.

Richard D. Wolff, an economics professor at the New School in New York
City, describes gig economy companies like Uber as "winning the
competition" by taking shortcuts that "frequently endanger the public."
Regulatory agencies for taxis were created in most countries, Wolff says,
because taxi companies were historically unsafe. "Taxi companies are
required now to have insurance, training for drivers, well-inspected cars,
and other safeguards to protect the public. The cost of riding in a taxi
reflects those safeguards," Wolff said, adding:

  ...there's always the incentive for somebody to come in and operate, once
  again, inadequately insured, inadequately maintained, inadequately vetted
  drivers—to come in with a cheaper cab service [that is] unregulated by
  the taxi commission. That's all that Uber and Lyft [are]... they undercut
  the old arrangement and offer cheaper and more competitive services by
  cutting corners.

Home appliances

Lightbulbs have existed for around 140 years, and home refrigerators for
about 100. In that span, they haven't changed too much, besides getting more
energy-efficient, mostly because they haven't really needed to: we need to
keep food cold, and we need light. The appliances that do these things don't
really need to do much else.

Now, tech companies are putting wi-fi and Bluetooth chips in all kinds of
things that didn't used to be Internet-connected. They call it the "smart
home," and while the word is open-ended, the common thread with smart home
devices is that they can generally be monitored via an app...

"Do we need 6G wireless already? 5G engineers debate"

Gene Wirchenko
Tue, 14 May 2019 10:12:10 -0700
  [On the part about standards being too early or late, early in my career,
  I worked with CP/M on 8-bit micros.  The version that was most widely used
  was 2.2.  3.0 came out later, but too late.  How many ever used it?  It
  had some nice features that should have been in 2.2 but were not.
  However, it was late in the life of CP/M, and it was unlikely programs
  would be rewritten to take advantage of the features.]

The race to 6G has already begun, according to a certain head of state. This
while 5G firms in China may be helping other countries to race ahead. What
if a "6G" isn't such a good idea?

By Scott Fulton III | April 25, 2019 -- 12:57 GMT (05:57 PDT) | Topic: 5G

5G will be popularized via telecom carriers and the marketing of
wire-cutting services, but the biggest impact and returns will come from
connecting the Internet of things, edge computing and analytics
infrastructure with minimal latency.

selected text:

It was a minefield that attendees of the first day of sessions at Brooklyn
5G Summit 2019 on Wednesday maneuvered through: The topic of whether the
world's governmental policy makers have blown 5G wireless all out of
proportion. Representatives of the world's three principal
telecommunications equipment suppliers—Huawei, Ericsson, and Nokia --
took the stage at NYU's Tandon School of Engineering, along with other
stakeholders in the 5G global standard.

At issue: Have the expectations of both policy makers and wireless customers
been raised so high that the development of "6G Wireless"—until now
merely a placeholder for future discussion—actually begins now?

"Let's be fair. Presidents of countries are saying, 'My country's going to
be the first to deploy.'  The UK prime minister at the time, [David]
Cameron, said the UK is going to be the first country in Europe to deploy
5G. (He's now an ex-prime minister, but that's for a different reason.)  My
point is, standardization takes time. It takes several years to write a
generation of standards. When we set about this process in 2015, there were
many, many operators saying, 'We don't need this right now. Please slow down
the standardization process!  We don't need 5G, because LTE's doing fine.'
And yet when we started the three- or four-year program of writing these
standards, during that process, there was this massive acceleration, and the
political push that said, 'We want these standards right now!  Why are you
so slow, 3GPP? You need to speed up!'

"My point is," Scrase wrapped up, "standards historically are either too
early or too late. It's very difficult to have standards that are perfectly
on-time. It's even more difficult when the timeline keeps shifting forwards
and backwards."

"Over 25,000 smart Linksys routers are leaking sensitive data" (Charlie Osborne)

Gene Wirchenko
Tue, 14 May 2019 10:29:04 -0700
Charlie Osborne for Zero Day | 14 May 2019
A security flaw grants remote access to router information.

Over 25,000 Linksys Smart Wi-Fi routers are believed to be vulnerable to
remote exploit by attackers, leading to the leak of sensitive information.

  [Note that this article is about Linksys routers.  The word "Huawei" does
  not occur in the text.  Nonetheless, if you check the article, you will
  see a Huawei picture.  Is this a simple mistake or propaganda?  (Huawei
  has been attacked by the USA, and I have not seen much evidence.)  The
  risks of the Web.]

The Future Is Here, and It Features Hackers Getting Bombed (Foreign Policy)

Richard Stein
Wed, 8 May 2019 12:05:02 +0800

A pinpoint accuracy, drone-delivered incentive and deterrent against hacking
Israeli infrastructure.

Only a matter of time before an equivalent commercial capability can be
purchased using virtual currency.

Risks: Target selection error, munition guidance compromise.

Ford to expand medical transport service (Detroit News)

Richard Stein
Wed, 8 May 2019 12:24:39 +0800

"Despite a critical and growing need across our country, most patients are
unable to find reliable transportation and drivers who understand their
needs. GoRide Health can fill that gap."

Well I'll be darned...silicon-driven wheels that "understands their
[patients] needs." Good spin for self-driving wheel promotion.

Risk: Without a carbon-backup driver, patient safety and evacuation assist
during an accident.

Australian $50 note typo: spelling mistake printed 46 million times (The Guardian)

Monty Solomon
Thu, 9 May 2019 08:54:49 -0400

SHA-1 collision attacks are now actually practical and a looming danger (Catalin Cimpanu)

Gene Wirchenko
Mon, 13 May 2019 08:45:38 -0700
Catalin Cimpanu for Zero Day | 13 May 2019
Research duo showcases first-ever SHA-1 chosen-prefix collision attack.

opening text:

Attacks on the SHA-1 hashing algorithm just got a lot more dangerous last
week with the discovery of the first-ever "chosen-prefix collision attack,"
a more practical version of the SHA-1 collision attack first carried out by
Google two years ago.

What this means is that SHA-1 collision attacks can now be carried out with
custom inputs, and they're not just accidental mishaps anymore, allowing
attackers to target certain files to duplicate and forge.

TOCTOU Attacks Against BootGuard

"Peter G. Neumann"
Mon, 13 May 2019 21:37:04 PDT
Now You See It...  TOCTOU Attacks Against BootGuard

"malicious and unsigned code is executed successfully, something that Boot
Guard was designed to prevent."
  -- TOCTOU Attacks Against Secure Boot, Trammell Hudson

Sharp increase in ransomware attacks on Swiss SMEs

Peter Houppermans
Thu, 9 May 2019 21:50:55 +0200
I suspect this is not a uniquely Swiss situation, but the size of the nation
makes for a better signal-to-noise ratio: it takes fewer attacks for it to
pop up on the radar.

Attacking SMEs is a fairly standard approach - they're the weak underbelly
of commerce as their size typically makes for less process driven security,
and they serve as a possible entry point to bigger fish as part of a supply

Swiss government agencies GovCERT and MELANI already have analysis online:

AI Can Now Defend Itself Against Malicious Messages Hidden in Speech (Matthew Hutson)

ACM TechNews
Mon, 13 May 2019 12:08:45 -0400
Matthew Hutson, *Nature*, 10 May 2019 via ACM TechNews, Monday, May 13, 2019

University of Illinois at Urbana-Champaign researchers have developed a
technique to protect artificial intelligence (AI) against deception by
adversarial examples, like audio clips. The researchers created an algorithm
that transcribes a full audio clip, as well as an independent segment of it;
the program flagged a clip as potentially compromised if transcription of
that segment did not closely correspond to the transcription of the complete
audio file. Testing revealed that the algorithm always spotted meddling in
several attack scenarios, even when the attacker was aware of the

Singlish also can, for this AI call system (The Straits Times)

Richard Stein
Sat, 11 May 2019 10:36:10 +0800

When traveling internationally, one is likely to encounter English spoken
with unique accents and semantic features. One example being Singapore's
Singlish. One overheard Singlish sentence at Changi Airport: "Everything so
blur" means "I am confused."

The government is developing, and will eventually deploy, a speech
recognition system that performs speech-to-text (STT) translation to assist
Singapore's civil defense force dispatchers. Singapore's four official
languages are: Mandarin, Tamil, Malay, and English.

Adding Singlish into the interpretative voice space, given 4 predecessor
languages, enlarges the STT test space. While unlikely to encounter an
emergency call that simultaneously combines words and semantics from 5
distinct languages (save for a lively UN debate), one might want to test the
STT platform with certain concurrently mixed language tuples to assess
translation outcome.

Public interest can be served by determining and disclosing how well an STT
platform responds during a cacophonous call for emergency assistance.

An AUCROC assessment -- area under curve/radar operating characteristic --
can provide a telling measure of concurrent, multi-lingual STT effectiveness
in terms of false positive/negative determinations.

Note: Thanks to Chris Elsaesser for pointing out the importance of AUCROC
measures to characterize and quantify AI platform discrimination
capabilities and limits.
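As an added illustration of the AUCROC measure the note above recommends (this is editor-supplied example code, not part of the RISKS post or of any Singapore STT system), the block below computes a receiver operating characteristic curve and its area from scratch for a binary detector, and cross-checks it against the equivalent pairwise-ranking definition. The labels and confidence scores are constructed sample data; the names `roc_points`, `auc_roc`, `auc_by_ranking` and `rates_at_threshold` are this example's own.

```python
"""Added example: AUC-ROC for a binary detector, computed two ways.

Scenario (constructed): an STT platform reports a confidence score for
each emergency call it transcribes, and an analyst has hand-labelled
whether the transcription was usable (1) or not (0).  Sweeping a
threshold over the score gives one (false positive rate, true positive
rate) point per threshold; the area under those points is the AUC.
"""

from typing import List, Sequence, Tuple

# Constructed sample data, not measurements of any real system.
SAMPLE_LABELS: List[int] = [1, 1, 0, 1, 0, 0, 1, 0, 1, 0]
SAMPLE_SCORES: List[float] = [0.95, 0.90, 0.85, 0.80, 0.70, 0.60, 0.55, 0.40, 0.30, 0.10]


def roc_points(labels: Sequence[int], scores: Sequence[float]) -> List[Tuple[float, float]]:
    """Return (fpr, tpr) points for every distinct threshold, from strictest to loosest."""
    pos = sum(1 for y in labels if y == 1)
    neg = len(labels) - pos
    if pos == 0 or neg == 0:
        raise ValueError("need at least one positive and one negative label")
    # Walk the samples in descending score order; each step lowers the threshold.
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    tp = fp = 0
    points = [(0.0, 0.0)]          # threshold above every score: nothing accepted
    i = 0
    while i < len(order):
        s = scores[order[i]]
        # Accept all samples tied at this score at once, so ties do not
        # produce artificial diagonal steps.
        while i < len(order) and scores[order[i]] == s:
            if labels[order[i]] == 1:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / neg, tp / pos))
    return points


def auc_roc(labels: Sequence[int], scores: Sequence[float]) -> float:
    """Trapezoidal area under the ROC curve."""
    pts = roc_points(labels, scores)
    area = 0.0
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


def auc_by_ranking(labels: Sequence[int], scores: Sequence[float]) -> float:
    """Cross-check: probability that a random positive outscores a random
    negative (ties count as one half).  Equals the trapezoidal AUC."""
    pos_scores = [s for y, s in zip(labels, scores) if y == 1]
    neg_scores = [s for y, s in zip(labels, scores) if y == 0]
    wins = 0.0
    for p in pos_scores:
        for n in neg_scores:
            if p > n:
                wins += 1.0
            elif p == n:
                wins += 0.5
    return wins / (len(pos_scores) * len(neg_scores))


def rates_at_threshold(labels: Sequence[int], scores: Sequence[float],
                       threshold: float) -> Tuple[float, float]:
    """False positive rate and false negative rate when scores >= threshold
    are accepted; this is the operating point an analyst would actually pick."""
    pos = sum(1 for y in labels if y == 1)
    neg = len(labels) - pos
    fp = sum(1 for y, s in zip(labels, scores) if y == 0 and s >= threshold)
    fn = sum(1 for y, s in zip(labels, scores) if y == 1 and s < threshold)
    return fp / neg, fn / pos


if __name__ == "__main__":
    print("ROC points:", roc_points(SAMPLE_LABELS, SAMPLE_SCORES))
    print("AUC (trapezoid):", auc_roc(SAMPLE_LABELS, SAMPLE_SCORES))
    print("AUC (ranking):  ", auc_by_ranking(SAMPLE_LABELS, SAMPLE_SCORES))
    print("FPR/FNR at 0.5:", rates_at_threshold(SAMPLE_LABELS, SAMPLE_SCORES, 0.5))
```

An AUC of 0.5 is a detector no better than chance and 1.0 is a perfect ranking; the sample above scores 0.68. The single number summarises the whole trade-off curve, which is why the note suggests it for comparing STT platforms, but the operating threshold a dispatcher actually deploys still has to be chosen by looking at a specific (false positive, false negative) pair such as `rates_at_threshold` returns.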

Special issue: The global competition for AI dominance (Bulletin of the Atomic Scientists: Vol 75, No 3)

Dave Farber
Mon, 13 May 2019 09:16:24 +0900

Who[m] to Sue When a Robot Loses Your Fortune (

Richard Stein
Sun, 12 May 2019 16:55:38 +0800

"The legal battle is a sign of what's in store as AI is incorporated into
all facets of life, from self-driving cars to virtual assistants.  When the
technology misfires, where the blame lies is open to interpretation."

Risk: Overtrust (see
in an AI-driven, equity trading platform to out-perform market indices.

UNIX message of the day: "The way to make a small fortune in the commodities
market is to start with a large fortune."

What Sony's robot dog teaches us about biometric data privacy (CNET)

Gabe Goldberg
Fri, 10 May 2019 22:41:00 -0400
The state's Biometric Information Privacy Act prevents Sony from selling it

New e-voting support system by Microsoft

Diego Latella
Mon, 13 May 2019 10:57:51 +0200

ElectionGuard can be used to build systems with five major benefits that
will protect the vote against tampering by anyone, and improve the voting
process for citizens and officials:

  Verifiable: Allowing voters and third-party organizations to verify
  election results.
  Secure: Built with advanced encryption techniques developed by
  Microsoft Research.
  Auditable: Supporting risk-limiting audits that help assure the
  accuracy of elections.
  Open source: Free and flexible with the ability to be used with
  off-the-shelf hardware.
  Make voting better: Supporting standard accessibility tools and
  improving the voting experience.

The ElectionGuard SDK will be available through GitHub beginning this
summer.  We encourage the election technology community to begin building
offerings based on this technology and expect early prototypes using
ElectionGuard will be ready for piloting during the 2020 elections in the
United States, with significant deployments for subsequent election cycles.
Over time we will seek to update and improve the SDK to support additional
voting scenarios such as mail-in ballots and ranked choice voting.
Microsoft will not charge for using ElectionGuard and will not profit from
partnering with election technology suppliers that incorporate it into their

Boeing Knew About Safety-Alert Problem for a Year Before Telling FAA, Airlines (WSJ)

Monty Solomon
Thu, 9 May 2019 09:23:56 -0400

Unless you want your payment card data skimmed, avoid these commerce sites (Ars Technica)

Monty Solomon
Thu, 9 May 2019 09:40:46 -0400

Hey, Alexa: Stop recording me (WashPost)

Gabe Goldberg
Thu, 9 May 2019 19:45:12 -0400
When Alexa runs your home, Amazon tracks you in more ways than you might

"RobbinHood" ransomware takes down Baltimore City government networks (Ars Technica)

Monty Solomon
Thu, 9 May 2019 09:41:33 -0400

Buying a replacement iPhone battery? Be careful you don't get ripped off (ZDNet)

Gene Wirchenko
Fri, 10 May 2019 09:53:11 -0700
Adrian Kingsley-Hughes for Hardware 2.0 | 10 May 2019
Buying a replacement iPhone battery? Be careful you don't get ripped off
Just because you're told that the replacement iPhone battery you're buying
is new doesn't mean that it is. It could be old and worn out.

selected text:

For example, eBay is awash with iPhone battery testers that allow the
recharge cycle count to be cleared or set to a low level (and tools that can
read the recharge cycles, such as Coconut Battery, cannot tell that this
figure has been reset). Other than duping people, I'm having a hard time
coming up with a legitimate use for this feature, especially since you have
to physically remove the battery from the iPhone to do it.

Software update crashes police ankle monitors in the Netherlands (Catalin Cimpanu)

Gene Wirchenko
Fri, 10 May 2019 09:59:32 -0700
Catalin Cimpanu for Zero Day | 10 May 2019
Borked update prevents ankle monitors from sending data back to police
control rooms.

selected text:

A borked software update has crashed hundreds of ankle monitoring devices
used by Dutch police, Dutch government officials said today.

The issue was fixed later in the day, on Thursday; however, the Dutch
Ministry of Justice and Security had to step in and preemptively arrest and
jail some of its most high-risk suspects.

  [I find this bit darkly amusing.  "You're under arrest for our ankle
  monitoring system crashing."?]

Tenants win as settlement orders landlords give physical keys over smart locks (CNET)

José María Mateos
Fri, 10 May 2019 14:52:03 -0400

The physical key has prevailed over the smart lock for a group of tenants
with privacy concerns.

In a settlement released Tuesday, a judge ordered landlords of an apartment
building in New York to provide physical keys to any tenants who don't want
to use the Latch smart locks installed on the building last September.

The settlement is a first, as there's no legal precedent or legislation
deciding how landlords can use smart home technology. Since the technology
is relatively new, lawmakers haven't had time to catch up with smart home
devices, and this case in New York is one of the few legal challenges to
appear in court. It won't set a legal precedent because it's a settlement,
but it represents a win for tenants who had issues with smart locks and
landlords installing them against their will.

"This is a huge victory for these tenants and tenants throughout New York
City. These types of systems, which landlords have used to surveil, track
and intimidate tenants, have been used frequently in New York City," Michael
Kozek, the attorney representing the tenants in Manhattan, said in a
statement. "These tenants refused to accept the system, and the negative
impact it had on their lives. Hopefully they will be an inspiration for
other tenants to fight back."

Re: The Fight for the Right to Drive (The New Yorker via Stein)

Dan Jacobson
Fri, 10 May 2019 10:54:53 +0800
RS> "companies might require you to ... watch commercial messages displayed
RS> on the vehicle's windows."

They already do, but it is on the outside, not the inside, and it makes it
tough to look out, almost impossible on rainy days etc.

Re: Drug names (RISKS-31.23)

"Robert R. Fenichel"
Thu, 9 May 2019 13:42:40 -0700
There's another level to the drug-name issue raised by Craig Burton.  Each
brand-name drug you receive has three different names, not just two.  [*]

First, there is the chemical _structural name_, constructed according to
strict, non-contentious international conventions.  Given, for example, the
structural name (S)-1-[N2-(1-carboxy-3-phenylpropyl)-L-lysyl]-L-proline
dihydrate, anyone with basic chemical training could draw a diagram of the

This example, like the one given by Burton, exemplifies the ponderous nature
of structural names, so WHO has a means of assigning pronounceable _generic
names_.  Generic names draw upon a growing suffix vocabulary ("vir" for
antivirals, "pine" for dihydropyridine calcium-channel blockers, "olol" for
beta-blockers, "pril" for ACE inhibitors, and so on) and then WHO tries to
coordinate generic names (for example, benazepril, captopril, enalapril,
fosinopril, lisinopril, moexipril, perindopril, quinapril, ramipril,
trandolapril are all ACE inhibitors) to minimize confusion.  Some older
drugs have different generic names in different parts of the world
(adrenaline/epinephrine, meperidine/pethidine, acetaminophen/paracetamol),
but new examples of that sort are not appearing, thanks to WHO.

It doesn't stop there.  The structural name that I gave above is that of
lisinopril.  In North America, lisinopril is available as generic
lisinopril, as Prinivil(R), and as Zestril(R).  The assignment of _brand
names_ is regulated nationally (in the US by the FDA).  There is a committee
at FDA that passes on proposed names, trying to head off aural confusion.
Sometimes they turn out to have got it wrong: Omeprazole was originally
(1996) allowed to use the brand name Losec(R), but there were persistent
reports of mixups with the much-older brand name Lasix(R) (furosemide), so
approval for "Losec" was withdrawn, and Astra Zeneca had to reissue
omeprazole under another name (Prilosec(R)).

I have been out of FDA since before machine interpretation of speech became
important, but I'd be surprised to hear that the brand-name committee at FDA
is not now worrying about computer errors as well as human errors.

  [* Old Possum's Book of Practical Cats: The naming of cats is a difficult
     matter, for a cat must have three different names.  PGN]
