*The tech industry sells itself as improving our lives. So why does it seem to always do the opposite?*

EXCERPT: Adapted from *A People's History of Silicon Valley: How the Tech Industry Exploits Workers, Erodes Privacy and Undermines Democracy*, by Keith A. Spencer, on sale now from major booksellers. Eyewear Publishing, 2018. Excerpted with permission.

The word 'innovation' has become synonymous with Silicon Valley to the point of absurdity. Indeed, the tech industry's entrepreneurs and "thoughtfluencers" throw it around as casually as a dodgeball in a middle-school P.E. class; what it really means is perpetually unclear and purposefully hazy. It is vague enough to be suitable in nearly any situation where a new product, service or "thing" is advertised as superior to the old -- never mind if the so-called "old" thing has some distinct advantages, or if the new thing's superiority is solely that it makes more money than the old thing, or if there are other old things that are actually superior yet which won't make anyone rich. (Consider Apple removing the headphone jack from its new phones to be Exhibit A.)

That summary may sound flippant, but it is a good explication of the path of the tech industry over the past two decades: Some venture capital-backed entrepreneurs jackhammer their way into a new industry, "tech"-ify it in some way, undermine the competition and declare their new way superior once the old is bankrupted. Thus, rather than confine themselves to operating systems and PC software like they did in the 1980s and 1990s, the tech industry has figured out that the real money lies in being a middleman. By that I mean serving as the in-between point for, say, web traffic to newspapers and magazines (like this one); or being the go-between for taxi services, coordinating drivers and passengers through apps.
In both of these examples, the original product isn't that different from the pre-tech world: a taxi ride, in the latter case, a news article in the former. The difference is that a tech behemoth takes a cut of the transaction. And also in many cases, the labor—the people making and producing and doing the things the tech industry takes a slice from—is more precarious, less well-remunerated, and less safe than it was in the pre-tech era. Looking at it this way, the tech industry doesn't really seem innovative at all. Or rather, its sole innovation seems to be exploiting workers with more cruelty, and positioning itself in the middle of more transactions. Granted, there are certain services that have become more convenient because of apps and smartphones—but there is no reason that convenience must come at the high cost that it does, besides the tech industry's insatiable lust for profit. Here are but a few examples of how our livelihoods and our societies have been worsened by Silicon Valley as it sinks its talons into new industries.

Taxis

Public transit was never great in the United States, with the exception of a few big cities like New York, and thus private taxi services were around to supplement. Being a taxi driver was once a much-vaunted job, so much so that a taxi medallion was perceived of as a ticket to the middle class. Then came Uber and Lyft, who flooded the market for private transit and undercut the taxi industry by de-skilling the industry and paying their workers far, far less. Driving a taxi is no longer a middle class job; once-valuable taxi medallions have become burdens for some taxi drivers. The outlook for career taxi drivers is so dismal that an alarming number of taxi drivers have been committing suicide. Meanwhile, because of the precarious nature of Lyft and Uber jobs, those drivers are frequently not vetted or under-vetted—resulting in significant safety concerns for passengers.
And unlike a taxi back in the old days, being a rideshare driver isn't a ticket to the middle-class at all: a recent study of such employees revealed that most contractors use these kinds of jobs not as their sole source of income, but as supplementary jobs to make ends meet. Richard D. Wolff, an economics professor at the New School in New York City, describes gig economy companies like Uber as "winning the competition" by taking shortcuts that "frequently endanger the public." Regulatory agencies for taxis were created in most countries, Wolff says, because taxi companies were historically unsafe. "Taxi companies are required now to have insurance, training for drivers, well-inspected cars, and other safeguards to protect the public. The cost of riding in a taxi reflects those safeguards," Wolff said, adding:

...there's always the incentive for somebody to come in and operate, once again, inadequately insured, inadequately maintained, inadequately vetted drivers—to come in with a cheaper cab service [that is] unregulated by the taxi commission. That's all that Uber and Lyft [are]... they undercut the old arrangement and offer cheaper and more competitive services by cutting corners.

Home appliances

Lightbulbs have existed for around 140 years, and home refrigerators for about 100. In that span, they haven't changed too much, besides getting more energy-efficient, mostly because they haven't really needed to: we need to keep food cold, and we need light. The appliances that do these things don't really need to do much else. Now, tech companies are putting wi-fi and Bluetooth chips in all kinds of things that didn't used to be Internet-connected. They call it the "smart home," and while the word is open-ended, the common thread with smart home devices is that they can generally be monitored via an app...

https://www.salon.com/2019/05/12/silicon-valley-makes-everything-worse-four-industries-that-big-tech-has-ruined/
[On the part about standards being too early or late, early in my career, I worked with CP/M on 8-bit micros. The version that was most widely used was 2.2. 3.0 came out later, but too late. How many ever used it? It had some nice features that should have been in 2.2 but were not. However, it was late in the life of CP/M, and it was unlikely programs would be rewritten to take advantage of the features.]

https://www.zdnet.com/article/do-we-need-6g-wireless-already-5g-engineers-debate/

The race to 6G has already begun, according to a certain head of state. This while 5G firms in China may be helping other countries to race ahead. What if a "6G" isn't such a good idea?

By Scott Fulton III | April 25, 2019 -- 12:57 GMT (05:57 PDT) | Topic: 5G

5G will be popularized via telecom carriers and the marketing of wire-cutting services, but the biggest impact and returns will come from connecting the Internet of things, edge computing and analytics infrastructure with minimal latency.

selected text: It was a minefield that attendees of the first day of sessions at Brooklyn 5G Summit 2019 on Wednesday maneuvered through: The topic of whether the world's governmental policy makers have blown 5G wireless all out of proportion. Representatives of the world's three principal telecommunications equipment suppliers—Huawei, Ericsson, and Nokia—took the stage at NYU's Tandon School of Engineering, along with other stakeholders in the 5G global standard. At issue: Have the expectations of both policy makers and wireless customers been raised so high that the development of "6G Wireless"—until now merely a placeholder for future discussion—actually begins now? "Let's be fair. Presidents of countries are saying, 'My country's going to be the first to deploy.' The UK prime minister at the time, [David] Cameron, said the UK is going to be the first country in Europe to deploy 5G. (He's now an ex-prime minister, but that's for a different reason.)
My point is, standardization takes time. It takes several years to write a generation of standards. When we set about this process in 2015, there were many, many operators saying, 'We don't need this right now. Please slow down the standardization process! We don't need 5G, because LTE's doing fine.' And yet when we started the three- or four-year program of writing these standards, during that process, there was this massive acceleration, and the political push that said, 'We want these standards right now! Why are you so slow, 3GPP? You need to speed up!' "My point is," Scrase wrapped up, "standards historically are either too early or too late. It's very difficult to have standards that are perfectly on-time. It's even more difficult when the timeline keeps shifting forwards and backwards."
Charlie Osborne for Zero Day | 14 May 2019

A security flaw grants remote access to router information.

https://www.zdnet.com/article/over-2500-smart-linksys-routers-may-leak-owners-sensitive-data/

Over 25,000 Linksys Smart Wi-Fi routers are believed to be vulnerable to remote exploit by attackers, leading to the leak of sensitive information.

[Note that this article is about Linksys routers. The word "Huawei" does not occur in the text. Nonetheless, if you check the article, you will see a Huawei picture. Is this a simple mistake or propaganda? (Huawei has been attacked by the USA, and I have not seen much evidence.) The risks of the Web.]
https://foreignpolicy.com/2019/05/06/the-future-is-here-and-it-features-hackers-getting-bombed/

A pinpoint-accuracy, drone-delivered incentive and deterrent against hacking Israeli infrastructure. Only a matter of time before an equivalent commercial capability can be purchased using virtual currency. Risks: Target selection error, munition guidance compromise.
https://www.detroitnews.com/story/business/autos/ford/2019/05/07/ford-expand-medical-transport-service/1128517001/

"Despite a critical and growing need across our country, most patients are unable to find reliable transportation and drivers who understand their needs. GoRide Health can fill that gap." Well, I'll be darned... silicon-driven wheels that "understands their [patients] needs." Good spin for self-driving wheel promotion. Risk: Without a carbon-backup driver, patient safety and evacuation assist during an accident.
https://www.theguardian.com/australia-news/2019/may/09/australian-50-note-typo-spelling-mistake-printed-46-million-times
Catalin Cimpanu for Zero Day | 13 May 2019

Research duo showcases first-ever SHA-1 chosen-prefix collision attack.

https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/

opening text: Attacks on the SHA-1 hashing algorithm just got a lot more dangerous last week with the discovery of the first-ever "chosen-prefix collision attack," a more practical version of the SHA-1 collision attack first carried out by Google two years ago. What this means is that SHA-1 collision attacks can now be carried out with custom inputs, and they're not just accidental mishaps anymore, allowing attackers to target certain files to duplicate and forge.
Now You See It... TOCTOU Attacks Against BootGuard

"malicious and unsigned code is executed successfully, something that Boot Guard was designed to prevent."

https://conference.hitb.org/hitbsecconf2019ams/materials/D1T1%20-%20Toctou%20Attacks Against Secure Boot - Trammell Hudson
https://bugzilla.tianocore.org/show_bug.cgi?id=1614
https://github.com/tianocore/edk2-staging/blob/BootGuardTocTouVulnerabilityMitigation/Readme.md
I suspect this is not a uniquely Swiss situation, but the size of the nation makes for a better signal-to-noise ratio: it takes fewer attacks for it to pop up on the radar. Attacking SMEs is a fairly standard approach - they're the weak underbelly of commerce, as their size typically makes for less process-driven security, and they serve as a possible entry point to bigger fish as part of a supply chain. Swiss government agencies GovCERT and MELANI already have analysis online:

https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes
Matthew Hutson, *Nature*, 10 May 2019 via ACM TechNews, Monday, May 13, 2019 University of Illinois at Urbana-Champaign researchers have developed a technique to protect artificial intelligence (AI) against deception by adversarial examples, like audio clips. The researchers created an algorithm that transcribes a full audio clip, as well as an independent segment of it; the program flagged a clip as potentially compromised if transcription of that segment did not closely correspond to the transcription of the complete audio file. Testing revealed that the algorithm always spotted meddling in several attack scenarios, even when the attacker was aware of the countermeasures. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1fc39x21c22bx068806&
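As an added illustration, not code from the Illinois researchers or from the Nature article, here is the consistency check at the heart of the technique described above: the whole clip and a sub-segment are transcribed independently, and the clip is flagged when the segment's transcript cannot be found (approximately) inside the full transcript. The speech-to-text engine is assumed to be external; the block takes transcripts as strings and the example transcripts are constructed.

```python
"""Transcript consistency check (added example, not the researchers' code).

Idea: an adversarial perturbation crafted to make a speech recogniser emit a
chosen phrase for the whole clip tends not to survive when a segment of the
clip is transcribed on its own, so the two transcripts disagree.
"""
from typing import List, Tuple


def word_edit_distance(a: List[str], b: List[str]) -> int:
    """Levenshtein distance over word tokens (substitute, insert, delete)."""
    prev = list(range(len(b) + 1))
    for i, wa in enumerate(a, 1):
        cur = [i]
        for j, wb in enumerate(b, 1):
            cost = 0 if wa == wb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def best_window_similarity(full_text: str, segment_text: str, slack: int = 2) -> float:
    """Slide windows of roughly the segment's word count over the full
    transcript and return the best similarity in [0, 1]; 1.0 means the
    segment transcript appears verbatim somewhere in the full transcript."""
    full = full_text.lower().split()
    seg = segment_text.lower().split()
    if not full or not seg:
        return 0.0
    best = 0.0
    for width in range(max(1, len(seg) - slack), len(seg) + slack + 1):
        for start in range(0, max(1, len(full) - width + 1)):
            window = full[start:start + width]
            dist = word_edit_distance(window, seg)
            best = max(best, 1.0 - dist / max(len(window), len(seg)))
    return best


def is_suspicious(full_text: str, segment_text: str,
                  threshold: float = 0.6) -> Tuple[bool, float]:
    """Flag the clip when the independently transcribed segment does not
    closely correspond to the matching part of the full transcript."""
    sim = best_window_similarity(full_text, segment_text)
    return sim < threshold, sim


if __name__ == "__main__":
    # Constructed transcripts standing in for the output of an STT engine.
    benign_full = "please turn off the lights in the kitchen"
    benign_segment = "turn off the lights"            # segment agrees with whole
    attacked_full = "open the front door now"         # target phrase from the attack
    attacked_segment = "off the lights in"            # segment reverts to benign speech
    print("benign  :", is_suspicious(benign_full, benign_segment))
    print("attacked:", is_suspicious(attacked_full, attacked_segment))
```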
https://www.straitstimes.com/singapore/singlish-also-can-for-this-ai-call-system

When traveling internationally, one is likely to encounter English spoken with unique accents and semantic features. One example being Singapore's Singlish. One overheard Singlish sentence at Changi Airport: "Everything so blur" means "I am confused." The government is developing, and will eventually deploy, a speech recognition system that performs speech-to-text (STT) translation to assist Singapore's civil defense force dispatchers. Singapore's four official languages are: Mandarin, Tamil, Malay, and English. Adding Singlish into the interpretative voice space, given 4 predecessor languages, enlarges the STT test space. While unlikely to encounter an emergency call that simultaneously combines words and semantics from 5 distinct languages (save for a lively UN debate), one might want to test the STT platform with certain concurrently mixed language tuples to assess translation outcome. Public interest can be served by determining and disclosing how well an STT platform responds during a cacophonous call for emergency assistance. An AUCROC assessment (area under curve/radar operating characteristic) can provide a telling measure of concurrent, multi-lingual STT effectiveness in terms of false positive/negative determinations.

Note: Thanks to Chris Elsaesser for pointing out the importance of AUCROC measures to characterize and quantify AI platform discrimination capabilities and limits.
https://ip.topicbox.com/groups/ip/Tbfe9f494f555d523-M2e1a2d75fe3cde319f025550
https://www.bloomberg.com/news/articles/2019-05-06/who-to-sue-when-a-robot-loses-your-fortune

"The legal battle is a sign of what's in store as AI is incorporated into all facets of life, from self-driving cars to virtual assistants. When the technology misfires, where the blame lies is open to interpretation."

Risk: Overtrust (see http://catless.ncl.ac.uk/Risks/30/94#subj3.1) in an AI-driven, equity trading platform to out-perform market indices. UNIX message of the day: "The way to make a small fortune in the commodities market is to start with a large fortune."
The state's Biometric Information Privacy Act prevents Sony from selling it there. https://www.cnet.com/news/what-sonys-robot-dog-teaches-us-about-biometric-data-privacy/
https://blogs.microsoft.com/on-the-issues/2019/05/06/protecting-democratic-elections-through-secure-verifiable-voting/

ElectionGuard can be used to build systems with five major benefits that will protect the vote against tampering by anyone, and improve the voting process for citizens and officials:

Verifiable: Allowing voters and third-party organizations to verify election results.
Secure: Built with advanced encryption techniques developed by Microsoft Research.
Auditable: Supporting risk-limiting audits that help assure the accuracy of elections.
Open source: Free and flexible with the ability to be used with off-the-shelf hardware.
Make voting better: Supporting standard accessibility tools and improving the voting experience.

[...]

The ElectionGuard SDK will be available through GitHub beginning this summer. We encourage the election technology community to begin building offerings based on this technology and expect early prototypes using ElectionGuard will be ready for piloting during the 2020 elections in the United States, with significant deployments for subsequent election cycles. Over time we will seek to update and improve the SDK to support additional voting scenarios such as mail-in ballots and ranked choice voting. Microsoft will not charge for using ElectionGuard and will not profit from partnering with election technology suppliers that incorporate it into their products.
https://www.wsj.com/articles/boeing-knew-about-safety-alert-problem-for-a-year-before-telling-faa-airlines-11557087129
https://arstechnica.com/information-technology/2019/05/more-than-100-commerce-sites-infected-with-code-that-steals-payment-card-data/
When Alexa runs your home, Amazon tracks you in more ways than you might want. https://www.washingtonpost.com/technology/2019/05/06/alexa-has-been-eavesdropping-you-this-whole-time/
https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/
Adrian Kingsley-Hughes for Hardware 2.0 | 10 May 2019

Buying a replacement iPhone battery? Be careful you don't get ripped off

Just because you're told that the replacement iPhone battery you're buying is new doesn't mean that it is. It could be old and worn out.

https://www.zdnet.com/article/buying-a-replacement-iphone-battery-be-careful-you-dont-get-ripped-off/

selected text: For example, eBay is awash with iPhone battery testers that allow the recharge cycle count to be cleared or set to a low level (and tools that can read the recharge cycles, such as Coconut Battery, cannot tell that this figure has been reset). Other than duping people, I'm having a hard time coming up with a legitimate use for this feature, especially since you have to physically remove the battery from the iPhone to do it.
Catalin Cimpanu for Zero Day | 10 May 2019

Borked update prevents ankle monitors from sending data back to police control rooms.

https://www.zdnet.com/article/software-update-crashes-police-ankle-monitors-in-the-netherlands/

selected text: A borked software update has crashed hundreds of ankle monitoring devices used by Dutch police, Dutch government officials said today. The issue was fixed later in the day, on Thursday; however, the Dutch Ministry of Justice and Security had to step in and preemptively arrest and jail some of its most high-risk suspects.

[I find this bit darkly amusing. "You're under arrest for our ankle monitoring system crashing."?]
https://www.cnet.com/news/tenants-win-rights-to-physical-keys-over-smart-locks-from-landlords/

The physical key has prevailed over the smart lock for a group of tenants with privacy concerns. In a settlement released Tuesday, a judge ordered landlords of an apartment building in New York to provide physical keys to any tenants who don't want to use the Latch smart locks installed on the building last September. The settlement is a first, as there's no legal precedent or legislation deciding how landlords can use smart home technology. Since the technology is relatively new, lawmakers haven't had time to catch up with smart home devices, and this case in New York is one of the few legal challenges to appear in court. It won't set a legal precedent because it's a settlement, but it represents a win for tenants who had issues with smart locks and landlords installing them against their will.

"This is a huge victory for these tenants and tenants throughout New York City. These types of systems, which landlords have used to surveil, track and intimidate tenants, have been used frequently in New York City," Michael Kozek, the attorney representing the tenants in Manhattan, said in a statement. "These tenants refused to accept the system, and the negative impact it had on their lives. Hopefully they will be an inspiration for other tenants to fight back."
RS> companies might require you to ... watch commercial messages displayed on the vehicle's windows."

They already do, but it is on the outside, not the inside, and it makes it tough to look out, almost impossible on rainy days etc.

https://www.brisbanetimes.com.au/national/queensland/major-security-risk-call-for-advertising-wraps-to-be-removed-from-buses-20161221-gtfvz3.html
There's another level to the drug-name issue raised by Craig Burton. Each brand-name drug you receive has three different names, not just two. [*]

First, there is the chemical _structural name_, constructed according to strict, non-contentious international conventions. Given, for example, the structural name (S)-1-[N2-(1-carboxy-3-phenylpropyl)-L-lysyl]-L-proline dihydrate, anyone with basic chemical training could draw a diagram of the molecule. This example, like the one given by Burton, exemplifies the ponderous nature of structural names, so WHO has a means of assigning pronounceable _generic names_. Generic names draw upon a growing suffix vocabulary ("vir" for antivirals, "pine" for dihydropyridine calcium-channel blockers, "olol" for beta-blockers, "pril" for ACE inhibitors, and so on) and then WHO tries to coordinate generic names (for example, benazepril, captopril, enalapril, fosinopril, lisinopril, moexipril, perindopril, quinapril, ramipril, trandolapril are all ACE inhibitors) to minimize confusion. Some older drugs have different generic names in different parts of the world (adrenaline/epinephrine, meperidine/pethidine, acetaminophen/paracetamol), but new examples of that sort are not appearing, thanks to WHO.

It doesn't stop there. The structural name that I gave above is that of lisinopril. In North America, lisinopril is available as generic lisinopril, as Prinivil(R), and as Zestril(R). The assignment of _brand names_ is regulated nationally (in the US by the FDA). There is a committee at FDA that passes on proposed names, trying to head off aural confusion. Sometimes they turn out to have got it wrong: Omeprazole was originally (1996) allowed to use the brand name Losec(R), but there were persistent reports of mixups with the much-older brand name Lasix(R) (furosemide), so approval for "Losec" was withdrawn, and AstraZeneca had to reissue omeprazole under another name (Prilosec(R)).
I have been out of FDA since before machine interpretation of speech became important, but I'd be surprised to hear that the brand-name committee at FDA is not now worrying about computer errors as well as human errors. [* Old Possum's Book of Practical Cats: The naming of cats is a difficult matter, for a cat must have three different names. PGN]