The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 30

Friday 21 June 2019

Contents

Pilots fret over fire safety of Dreamliner planes, also used by El AL
The Times of Israel
Top AI researchers race to detect deepfake videos: “We are outgunned.''
Drew Harwell
Zuckerfake
Vice
Hackers behind dangerous oil and gas intrusions are probing US power grid
Ars Technica
Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters
NYTimes
Auto-renting bugs
Amos Shapir
Google: Our way or the Huawei!
Henry Baker
Android/iPhone fun—security, risks...
ToI and UK Mirror
New security warning issued for Google's 1.5B Gmail/Calendar Users
Forbes
How spammers use Google services
Kaspersky
This 'most dangerous' hacking group is now probing power grids
Steve Ranger
Masters ticket lottery scheme involved identity theft, millions of emails
WashPost
Facial Recognition: How Emotion Reading Software Will Change Driving
Fortune
DJI's New Drone for Kids Is a $500 Tank That Fires Lasers and Pellets
Bloomberg
Your Cadillac Can Now Drive Itself More Places
WiReD
Four Ways to Avoid Facial Recognition Online and in Public
Gabe Goldberg
Breaking ground, IBM Haifa team holds live robot debate fed by crowd arguments
The Times of Israel
Apple spent $10,000 repairing his MacBook Pro. There was nothing wrong with it.
ZDNet
Autonomous vehicles don't need provisions and protocols?
Rob Slade
Info stealing Android apps can grab one time passwords to evade 2FA protections
ZDNet
Facebook Plans Global Financial System Based on Cryptocurrency
NYTimes
Libra
Rob Slade
Porn trolling mastermind Paul Hansmeier gets 14 years in prison.
Ars Technica
Mudslide warning system depends on proper boundary file
Dan Jacobson
Mom used phone tracking app after daughter missed curfew, found her pinned under car 7 hours later
FoxNews
In Stores, Secret Surveillance Tracks Your Every Move
NYTimes
Was your flight delay due to an IT outage? What a new report on airline IT tells us.
ZDNet
Patients frustrated over computer system outage at Abrazo Health Hospitals
AZFamily
Power outage at Greensboro apartments has unintended consequence, reveals alleged Medicaid scheme
Monty Solomon
Is Target still down? Chain says registers working now after outage.
USA Today
Spotify outage not related to today's update, company is working on a fix - TechCrunch
Monty Solomon
Instagram Outage Follows Disruption To PlayStation Network
Deadline
The PlayStation Network Is Back Up. Here's the Latest on the PSN Outage
Digital Trends
In the Wiggle of an Ear, a Surprising Insight into Bat Sonar
Scientific American
'RAMBleed' Rowhammer attack can now steal data, not just alter it
ZDNet
Ransomware halts production for days at major airplane parts manufacturer
Catalin Cimpanu
Study finds that a GPS outage would cost $1 billion per day
Ars Technica
Re: GPS Degraded Across Much of U.S
jared gottlieb
Did I Tweet that?
Rob Slade
Bull and backdoors
Rob Slade
Ross Anderson's non-visa
Rob Slade
Info on RISKS (comp.risks)

Pilots fret over fire safety of Dreamliner planes, also used by El AL (The Times of Israel)

Gabe Goldberg <gabe@gabegold.com>
Mon, 17 Jun 2019 15:21:16 -0400
Airline pilots have expressed concern over the safety of the Boeing 787
Dreamliner aircraft after an engine firefighting system was found to be
faulty. ...

However, the Federal Aviation Administration (FAA) is not grounding 787s
even though it says the switch presents a `risk to the flying public'.  ...

“If there was an engine fire on a transatlantic flight and the aircraft had
one of the defective fire switches, then we would have to fly with a burning
wing for up to three hours before we could safely land,'' a British airline
pilot, who was not identified, told the Observer. ...

The US aircraft manufacturing giant said less than 1 percent of the switches
have failed and that it is assisting airlines in dealing with the issue. ...

“Engine fires are a very unlikely event and there have been no observed
engine fires in the 787 fleet history,'' the spokesperson said.

https://www.timesofisrael.com/pilots-fear-for-fire-safety-of-dreamliner-planes-also-used-by-el-al-report/

Oh, OK then.


Top AI researchers race to detect deepfake videos: “We are outgunned.'' (Drew Harwell)

Richard Forno <rforno@infowarrior.org>
June 14, 2019 at 4:09:14 AM GMT+9
Drew Harwell, WashPost, 12 Jun 2019
https://www.washingtonpost.com/technology/2019/06/12/top-ai-researchers-race-detect-deepfake-videos-we-are-outgunned/

Top artificial-intelligence researchers across the country are racing to
defuse an extraordinary political weapon: computer-generated fake videos
that could undermine candidates and mislead voters during the 2020
presidential campaign.

And they have a message: We're not ready.

The researchers have designed automatic systems that can analyze videos for
the telltale indicators of a fake, assessing light, shadows, blinking
patterns—and, in one potentially groundbreaking method, even how a
candidate's real-world facial movements—such as the angle
they tilt their head when they smile—relate to one another.

But for all that progress, the researchers say they remain vastly
overwhelmed by a technology they fear could herald a damaging new wave of
disinformation campaigns, much in the same way fake news stories and
deceptive Facebook groups were deployed to influence public opinion during
the 2016 election.

Powerful new AI software has effectively democratized the creation of
convincing deepfake videos, making it easier than ever to fabricate someone
appearing to say or do something they didn't really do, from harmless
satires and film tweaks to targeted harassment and deepfake porn.

And researchers fear it's only a matter of time before the videos
are deployed for maximum damage—to sow confusion, fuel doubt or undermine
an opponent, potentially on the eve of a White House vote.


Zuckerfake (Vice)

the keyboard of geoff goodfellow <geoff@iconia.com>
Thu, 13 Jun 2019 03:52:31 -0700
*A fake video of Mark Zuckerberg giving a sinister speech about the power
of Facebook has been posted to Instagram. The company previously said it
would not remove this type of video.*

EXCERPT:

Two artists and an advertising company created a deepfake of Facebook
founder Mark Zuckerberg saying things he never said, and uploaded it to
Instagram.

The video, created by artists Bill Posters and Daniel Howe in partnership
with advertising company Canny, shows Mark Zuckerberg sitting at a desk,
seemingly giving a sinister speech about Facebook's power. The video is
framed with broadcast chyrons that say “We're increasing transparency on
ads," to make it look like it's part of a news segment...

https://www.vice.com/en_us/article/ywyxex/deepfake-of-mark-zuckerberg-facebook-fake-video-policy


Hackers behind dangerous oil and gas intrusions are probing US power grid (Ars Technica)

Monty Solomon <monty@roscom.com>
Sun, 16 Jun 2019 01:02:20 -0400
https://arstechnica.com/information-technology/2019/06/hackers-behind-dangerous-oil-and-gas-intrusions-are-probing-us-power-grids/


Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 16 Jun 2019 00:30:40 -0400
https://www.nytimes.com/2019/06/13/world/asia/hong-kong-telegram-protests.html

An attack against the messaging app Telegram and the arrest of a user show how the Hong Kong clash is unfolding digitally, with growing sophistication on both sides.


Auto-renting bugs

Amos Shapir <amos083@gmail.com>
Fri, 14 Jun 2019 09:10:22 +0300
The city of Tel Aviv operates an in-city car renting service named Autotel
<www.autotel.co.il> controlled by a smartphone application.  Users download
the application and register a credit card; then they can locate a car
nearby and reserve it for up to 15 minutes.  When reaching the car, the
application is used to unlock the car (the keys are inside); and then to
lock it at the end of the trip.

The following tweet by a poster identified as "Nur Lan", has been making
the rounds lately (my translation): "I reserved a car in the application,
and after a long walk discovered that the car is not parked where it was
supposed to be on the map.  While looking around, I noticed that the
application indicates that the car is in motion for the past few minutes.
So I pressed "end trip"; a minute later I got a call from Autotel: "We do
not know how it had happened, but someone else took the car on your
reservation, and now he called in to complain that the engine had turned
off in the middle of the trip"

The tweet continues "There are two reasons this is a case of glorious
misconduct: The first bug, which enables one user to collect another user's
reservation, is mainly stupid.  The second bug, which enables shutting down
the engine remotely, is negligence which might be lethal.  There should be
no way to shut down an engine remotely, certainly not by a user's
application".

"I received a compensation of 20 shekels [about $5.50] for the taxi trip. I
hope that the other driver's compensation had made his near-death
experience more profitable".

There were reports lately of similar occurrences being possible on some
smart car models, but these at least required hacking the car's system
first!


Google: Our way or the Huawei!

Henry Baker <hbaker1@pipeline.com>
Wed, 12 Jun 2019 08:27:56 -0700
“Google's recent discussions with the US government actually argue that the
Huawei ban is bad for national security.  Google is reportedly asking for an
exemption from the export ban.''

I asked Google Translate what to make of this Googledegook, and
she provided several possibilities:

“Nice little Android monopoly you have there, Google; it would be a
shame if anything happened to it.''

“"NSA on Huawei's new OS plans: we're forked!''

https://arstechnica.com/gadgets/2019/06/report-google-argues-the-huawei-ban-would-hurt-its-android-monopoly/

Keep your friends close, and your enemies closer—Report: Google argues
the Huawei ban would hurt its Android monopoly Export ban would create a
competitor to US operating systems, argues Google.

Ron Amadeo - Jun 7, 2019 8:15 pm UTC

The Trump administration would probably describe its Huawei export ban as a
move that improves national security by keeping China's pet telecom company
out of the US market.  According to a report from The Financial Times,
Google's recent discussions with the US government actually argue that the
Huawei ban is bad for national security.  Google is reportedly asking for an
exemption from the export ban.

The argument, reportedly, is that Huawei is currently dependent on Google
for its Android smartphone software, and that dependence is a good thing for
the US.  The Financial Times quotes "one person with knowledge of the
conversations" as saying, "Google has been arguing that by stopping it from
dealing with Huawei, the US risks creating two kinds of Android operating
system: the genuine version and a hybrid one.  The hybrid one is likely to
have more bugs in it than the Google one, and so could put Huawei phones
more at risk of being hacked, not least by China.

Today, non-Google Play versions of Android exist in China, but it's rare
that any of them are significantly different from a Google version of
Android beyond the pre-loaded app selection.  Chinese manufacturers are
still global smartphone distributors, so they all build Google-approved
Android OSes for the non-Chinese market.  What usually happens is that a
single OS goes through the Google testing process, then it gets split into
two versions.  Internationally, it gets the Google Apps; in China, it gets a
China-centric app selection.

So while these Chinese Android OSes are still technically Android forks,
because they don't ship with Google Play, they are not that different from
Google-approved Android.  Google's control over the Android ecosystem --
even when devices don't use the Google apps—means there is still some
level of security and updatability going into these devices.  Google's first
argument in that Financial Times report is that more secure devices are
better for national security.

The second argument in the above quote is that a ban would `create two kinds
of Android' and hurt Google's monopoly over Android.  If you're a smartphone
manufacturer looking for a smartphone OS, Android is the only game in town.
The latest worldwide OS market share numbers from the IDC show an 86.6/13.3
percent share between Android and iOS, respectively, with "Other" clocking
in at 0.0 percent market share.  Taken as a whole, the US has a smartphone
OS monopoly.

For companies that aren't Apple, it's Android or nothing, and Google
controls Android, both the direction of the OS itself and the OS's app
ecosystem.  Weaning Huawei off its Google dependence would
theoretically lead the company to create some kind of viable,
China-powered, China-controlled Android operating system that would
then be distributed to the rest of the world.  Android is open source,
so there's nothing stopping anyone from doing this now, but part of
Google's control strategy is to create tools and updates that are so
good that no one wants to compete with them.  Cutting Huawei off from
those updates would force that company to create a competitor.

Banning Huawei from dealing with US companies is definitely a
double-edged sword.  Huawei would have a tough time building
smartphones or an app ecosystem without the help of US-originated
technology and app developers, but US hardware and software companies
would lose access to the second largest smartphone maker in the world.

Really, the two outcomes here, if the export ban holds up, are that
either (1) Huawei can't handle the export ban and shuts down, like ZTE
did, or (2) Huawei weathers the storm and rises as a rebuilt, fully US
independent smartphone company.  Google's argument is basically along
the lines of that old saying, “Keep your friends close and your
enemies closer.''

Ron Amadeo

Ron is the Reviews Editor at Ars Technica, where he specializes in
Android OS and Google products.  He is always on the hunt for a new
gadget and loves to rip things apart to see how they work.

Email ron@arstechnica.com // Twitter @RonAmadeo

https://www.pocket-lint.com/phones/news/huawei/148345-huawei-hongmeng-os-faster-than-android-oppo-vivo

Huawei's alternative OS said to be faster than Android, attracting the
attention of other vendors

Chris Hall | 12 June 2019


Android/iPhone fun—security, risks...(ToI and UK Mirror)

Gabe Goldberg <gabe@gabegold.com>
Mon, 17 Jun 2019 17:10:53 -0400
Israeli tech company says it can break into all iPhones ever made, some
Androids | The Times of Israel

https://www.timesofisrael.com/israeli-tech-company-says-it-can-break-into-all-iphones-ever-made-some-androids/

Android warning: Dangerous malware discovered pre-installed on THESE
smartphones

https://www.mirror.co.uk/tech/dangerous-malware-discovered-pre-installed-16529887


New security warning issued for Google's 1.5B Gmail/Calendar Users (Forbes)

Monty Solomon <monty@roscom.com>
Sat, 15 Jun 2019 20:21:17 -0400
Google's Gmail email service is used by upwards of 1.5 billion
people. The Google Calendar app, meanwhile, has been downloaded more
than a billion times from the Play Store. Security researchers have
this week warned that threat actors are exploiting the popularity of
both in order to target users with a credential-stealing attack.
Here's what you need to know.

https://www.forbes.com/sites/daveywinder/2019/06/11/new-security-warning-issued-for-googles-1-5-billion-gmail-and-calendar-users/#3d17ba95565e


How spammers use Google services (Kaspersky)

Monty Solomon <monty@roscom.com>
Sat, 15 Jun 2019 20:22:08 -0400
Kaspersky, 10 Jun 2019

As you know, Google is not just a search tool, but multiple services used by
billions of people every day: Gmail, Calendar, Google Drive, Google Photos,
Google Translate, the list goes on. And they are all integrated with each
other. Calendar is linked to Gmail, Gmail to Google Drive, Google Drive to
Google Photos, and so on.

It's all very handy—register once and away you go. And there's no need to
mess around moving files and data between services; Google does everything
for you. The downside is that online fraudsters have learned to exploit the
convenience of Google services to send spam or worse.

https://usa.kaspersky.com/blog/spam-through-google-services/17799/


"This 'most dangerous' hacking group is now probing power grids" (Steve Ranger)

Gene Wirchenko <gene@shaw.ca>
Tue, 18 Jun 2019 11:11:01 -0700
Steve Ranger, Cyberwar and the Future of Cybersecurity, 14 Jun 2019

https://www.zdnet.com/article/this-most-dangerous-hacking-group-is-now-probing-power-grids/
This 'most dangerous' hacking group is now probing power grids Hackers that
tried to interfere with the safety systems of an industrial plant are now
looking at power utilities too.

opening text:

A hacking group described at the 'most dangerous threat' to industrial
systems has taken a close interest in power grids in the US and elsewhere,
according to a security company.


Masters ticket lottery scheme involved identity theft, millions of emails (WashPost)

Monty Solomon <monty@roscom.com>
Tue, 18 Jun 2019 16:02:55 -0400
https://www.washingtonpost.com/sports/2019/06/18/texas-family-gamed-masters-ticket-lottery-using-identity-theft-millions-emails/


Facial Recognition: How Emotion Reading Software Will Change Driving (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Wed, 12 Jun 2019 15:10:49 -0400
This will mean that automakers may come to build vehicles that may adjust
comfort factors like heat, lighting, and entertainment based on visual cues
from their individual occupants—features that could be especially
appealing as more autonomous cars hit the roads.

“It's really important technology not only have IQ, but lots of EQ too,''
said el Kaliouby, speaking on Tuesday morning at Fortune's CEO Initiative in
New York.

She added that building empathy into machines is especially important given
that humans use words for only 7% of their communications. The other 93%, el
Kaliouby says, consists of vocal intonations, expression, and body language.

http://fortune.com/2019/06/11/facial-recognition-cars/

Car tweaking entertainment, heat, lighting (?!) is about as appealing as a
visit from one of the bad Terminators.


DJI's New Drone for Kids Is a $500 Tank That Fires Lasers and Pellets (Bloomberg)

the keyboard of geoff goodfellow <geoff@iconia.com>
Thu, 13 Jun 2019 03:51:26 -0700
*The king of quadcopters is betting on a build-your-own set to get
students excited about robotics.*

EXCERPT:

DJI, the world's largest drone maker, has come down to Earth.

On June 11, the company most closely associated with quadcopters plans to
unveil a toaster-size robotic tank called the RoboMaster S1. Made of
plastic and metal, it has four wheels, a rectangular base, and a gun turret
that can swivel and fire lasers or tiny plastic pellets. Unlike DJI's
flying drones, which do everything from taking pretty pictures to
fertilizing fields, the RoboMaster is part teaching tool and part battle
bot. The odd contraption ships as a kit that people must assemble, learning
about robotics and software along the way.

“By doing the assembly process, you get to understand what each part is
used for and what the principles are behind it''. says Shuo Yang, one of the
lead engineers. “We want it to look like an interesting toy that then
teaches basic programming and mechanical knowledge.''  Once built, the
RoboMaster S1 can be used to blast away at other S1s during some good,
old-fashioned at-home family combat...

https://www.bloomberg.com/news/articles/2019-06-12/dji-s-robomaster-s1-drone-tank-fires-lasers-and-pellets


Your Cadillac Can Now Drive Itself More Places (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 17 Jun 2019 23:05:42 -0400
Cadillac Super Cruise, the luxury automaker's hands-off driver assistance
system, will by the end of the year work on more than 200,000 miles of
highway in the US and Canada, 35 percent more territory than it covered when
it launched in 2017. The bulk of the new miles come from divided highways --
the sort of road where Tesla's Autopilot system has suffered two
high-profile deadly crashes, and where Cadillac's engineers are confident
their system can do better.

Super Cruise drivers—the system is available only on the CT6 sedan, and
is moving to the CT5 sedan next year—have to trek to their dealer to get
the software upgrade to take advantage of the newly added parts of the
map. The process is free, and takes about an hour. After that, Cadillac will
send out the updated maps via over-the-air software updates starting this
summer and into the fall.

https://www.wired.com/story/your-cadillac-can-now-drive-itself-more-places/

Yum—tasty updates over-the-air. What could go wrong?


Four Ways to Avoid Facial Recognition Online and in Public

Gabe Goldberg <gabe@gabegold.com>
Tue, 11 Jun 2019 16:06:51 -0400
1. Disabling Facial Recognition on Facebook

2. Use FaceShield When Uploading Photos

3. Use Hair and Makeup to Fool Facial Recognition

4. Use Clothing to Distract Facial Recognition

https://www.makeuseof.com/tag/avoid-facial-recognition/

Pretty funny. Wait, not entirely...


Breaking ground, IBM Haifa team holds live robot debate fed by crowd arguments (The Times of Israel)

Gabe Goldberg <gabe@gabegold.com>
Tue, 18 Jun 2019 17:00:26 -0400
The tech, when commercialized, could help companies and governments collect
opinions, make more informed decisions.

https://www.timesofisrael.com/breaking-ground-ibm-haifa-team-holds-live-robot-debate-fed-by-crowd-arguments/

...or deliberately/inadvertently biased decisions, or decisions that common
sense would rule out. And, most likely, decisions that can't be explained.


Apple spent $10,000 repairing his MacBook Pro. There was nothing wrong with it. (ZDNet)

Gene Wirchenko <gene@shaw.ca>
Wed, 12 Jun 2019 09:52:58 -0700
Apple spent $10,000 repairing his MacBook Pro. There was nothing wrong with it
This may be the most absurd, convoluted Apple repair story you've ever heard.
Chris Matyszczyk for Technically Incorrect | June 12, 2019
https://www.zdnet.com/article/apple-spent-10000-repairing-his-macbook-pro-there-was-nothing-wrong-with-it/

selected text:

Don't turn your screen brightness off. The Pro may go dark for a very long
time.

"So after losing about two weeks of my time, >$10,000 in Apple warranty
repairs (two logic boards, new cables, and a complete replacement of a
>$7,000 computer), troubleshooting input from several Apple Geniuses, level
1 and 2 tech support from Apple Corporate, diagnostic tests at the Apple
Store, and diagnostic tests twice at Apple's repair facility in Texas; what
was the root issue?"  says Benz, knowing how to hang a cliff hanger.

He seems, you see, to be made of determined innards. He went to yet another
Apple Genius and this one proved to be true to his moniker.  Or, perhaps, he
just stopped and thought a little longer than his fellow experts.

You see, he diagnosed there was nothing wrong with Benz's MacBook Pro. The
issue, if you want to call it that, was that the screen brightness was
turned all the way off.


Autonomous vehicles don't need provisions and protocols?

Rob Slade <rmslade@shaw.ca>
Fri, 14 Jun 2019 11:36:49 -0700
I'm at a conference on "Smart Cities."  Lots of verbiage on IoT, etc.  Last
speaker of the day is pontificating on all kinds of security and technology
buzzwords.  And, at one point, he says that cities have to work on protocols
for the provision of "autonomous vehicles."

Excuse me?

I mean, there are all kinds of transport and transit systems, and some of
them involve a lot of technology, and a number of them will need provisions
and protocols.  But ...

What part of "autonomous" do you not understand?  Autonomous means that it
works by itself.  It doesn't need your provision.  It doesn't need your
protocols.  It is designed, as far as possible, to work by itself.  That
means your protocols are basically irrelevant.

OK, you can design some regulatory protocols if you wish.  But you are one
city.  Even if you are New York, you are a small part of the vehicle
market.  The manufacturers are going to build what they think will sell.
Worldwide.  If you want to create a regulatory protocol, fine.  Just don't
expect anyone to care, if it gets in the way of functions or sales.


"Info stealing Android apps can grab one time passwords to evade 2FA protections" (ZDNet)

Gene Wirchenko <gene@shaw.ca>
Tue, 18 Jun 2019 11:32:01 -0700
https://www.zdnet.com/article/info-stealing-android-apps-can-now-access-passwords-to-avoid-2fa-protections/

Info stealing Android apps can grab one time passwords to evade 2FA protections
Google restricted SMS controls. Hackers found a way around it.
Charlie Osborne for Zero Day | 18 Jun 2019


Facebook Plans Global Financial System Based on Cryptocurrency (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Tue, 18 Jun 2019 11:07:26 -0400
https://www.nytimes.com/2019/06/18/technology/facebook-cryptocurrency-libra.html

News that sounds like a joke. WHAT could go wrong...


Libra

Rob Slade <rmslade@shaw.ca>
Tue, 18 Jun 2019 12:00:36 -0700
Facebook wants to start a cryptocurrency, and become your bank.  Yes, that
Facebook, the one that has proven to be so untrustworthy with all the data
entrusted to it so far.  Now you want to give it details on all your banking
transactions and purchases?  Besides, with most current cryptocurrency
implementations, don't you get to "unmask" all the transactions if you own
the whole blockchain?  And who is going to own the whole Libra blockchain?

Then there is the spin on this.  Facebook is "doing good" with Libra,
because almost two billion people don't have bank account, and with Libra,
they can!  (Only, if they don't have bank accounts now, how on earth are
they going to put money into Libra, or get it out?)

And, given that estimates for Bitcoin operation (let alone mining)
approximates the power and carbon footprint of a medium-sized country, what
is going to happen to global warming with Facebook pushing Libra to all of
it's mindless zombie hordes?

OK, Libra is going to be a "stablecoin," and therefore mining isn't an
issue, but how extensively has it been tested before you release it for
trial by every hacker in the world?  OK, yes, the major credit cards are on
board (is SET coming back?), but is it really ready for prime time?


Monty Solomon <monty@roscom.com>
Sun, 16 Jun 2019 01:04:05 -0400
Subject: Porn trolling mastermind Paul Hansmeier gets 14 years in prison.
  (Ars Technica)

https://arstechnica.com/tech-policy/2019/06/porn-trolling-mastermind-paul-hansmeier-gets-14-years-in-prison/


Mudslide warning system depends on proper boundary file

Dan Jacobson <jidanni@jidanni.org>
Sat, 15 Jun 2019 08:07:12 +0800
No matter how good a mudslide warning system is, if a government boundary
file places cell towers in the wrong district, phones in district B will get
warnings intended for district A, and phones in district A won't get any
warnings at all.


Mom used phone tracking app after daughter missed curfew, found her pinned under car 7 hours later (FoxNews)

Monty Solomon <monty@roscom.com>
Sat, 15 Jun 2019 20:14:44 -0400
http://www.fox13news.com/news/mom-used-phone-tracking-app-after-daughter-missed-curfew-found-her-pinned-under-car-7-hours-later


In Stores, Secret Surveillance Tracks Your Every Move (NYTimes)

geoff goodfellow <geoff@iconia.com>
Sun, 16 Jun 2019 01:54:02 -0700
*As you shop, `beacons' are watching you, using hidden technology in your
phone.*

EXCERPT:

Imagine you are shopping in your favorite grocery store. As you approach the
dairy aisle, you are sent a push notification in your phone: 10% off your
favorite yogurt! Click here to redeem your coupon.  You considered buying
yogurt on your last trip to the store, but you decided against it. How did
your phone know?

Your smartphone was tracking you. The grocery store got your location data
and paid a shadowy group of marketers to use that information to target you
with ads. Recent reports have noted how companies use data gathered from
cell towers, ambient Wi-Fi, and GPS. But the location data industry has a
much more precise, and unobtrusive, tool: Bluetooth beacons.

These beacons are small, inobtrusive electronic devices that are hidden
throughout the grocery store; an app on your phone that communicates with
them informed the company not only that you had entered the building, but
that you had lingered for two minutes in front of the low-fat Chobanis.

Most location services use cell towers and GPS, but these technologies have
limitations. Cell towers have wide coverage, but low location accuracy: An
advertiser can think you are in Walgreens, but you're actually in McDonald's
next door. GPS, by contrast, can be accurate to a radius of around five
meters (16 feet), but it does not work well indoors.

Bluetooth beacons, however, can track your location accurately from a range
of inches to about 50 meters. They use little energy, and they work well
indoors. That has made them popular among companies that want precise
tracking inside a store....

https://www.nytimes.com/interactive/2019/06/14/opinion/bluetooth-wireless-tracking-privacy.html

  [Also noted by Gabe Goldberg.  PGN]


Was your flight delay due to an IT outage? What a new report on airline IT tells us. (ZDNet)

Monty Solomon <monty@roscom.com>
Sat, 15 Jun 2019 20:18:27 -0400
... From 2015 through 2017, most airline IT outages were serious
enough to disrupt flights, according to a government agency, but the
full impact of the industry's IT problems is hard to calculate.

https://www.zdnet.com/article/was-your-flight-delay-due-to-an-it-outage-what-a-new-report-on-airline-it-tells-us/


Patients frustrated over computer system outage at Abrazo Health Hospitals. (AZFamily)

Monty Solomon <monty@roscom.com>
Sat, 15 Jun 2019 20:16:23 -0400
https://www.azfamily.com/news/patients-frustrated-over-computer-system-outage-at-abrazo-health-hospitals/article_099c9d74-8f23-11e9-8030-2b5b391b080a.html


Power outage at Greensboro apartments has unintended consequence, reveals alleged Medicaid scheme

Monty Solomon <monty@roscom.com>
Sat, 15 Jun 2019 20:17:30 -0400
https://www.greensboro.com/power-outage-at-greensboro-apartments-has-unintended-consequence-reveals-alleged/article_5f215b6e-3713-567d-908a-7873cfea3a6b.html


Is Target still down? Chain says registers working now after outage. (USA Today)

Monty Solomon <monty@roscom.com>
Sat, 15 Jun 2019 20:10:14 -0400
https://www.usatoday.com/story/money/2019/06/15/target-registers-down-shoppers-reporting-outage-saturday/1465476001/


Spotify outage not related to today's update, company is working on a fix. (TechCrunch)

Monty Solomon <monty@roscom.com>
Sat, 15 Jun 2019 20:15:25 -0400
https://techcrunch.com/2019/06/13/spotify-outage-not-related-to-todays-update-company-is-working-on-a-fix/


Instagram Outage Follows Disruption To PlayStation Network (Deadline)

Monty Solomon <monty@roscom.com>
Sat, 15 Jun 2019 20:13:40 -0400
https://deadline.com/2019/06/instagram-outage-follows-disruption-to-playstation-network-1202632448/


The PlayStation Network Is Back Up. Here's the Latest on the PSN Outage (Digital Trends)

Monty Solomon <monty@roscom.com>
Sat, 15 Jun 2019 20:16:45 -0400
https://www.digitaltrends.com/gaming/playstation-network-psn-down-outage-updates/


In the Wiggle of an Ear, a Surprising Insight into Bat Sonar (Scientific American)

Richard Stein <rmstein@ieee.org>
Mon, 17 Jun 2019 16:43:01 -0700
https://www.scientificamerican.com/article/in-the-wiggle-of-an-ear-a-surprising-insight-into-bat-sonar/

"...the two researchers developed an artificial horseshoe bat ear out of
silicon, with devices called 'fast actuators' that move different parts of
the ear in the same way bats do. These movements also added Doppler shifts
to incoming sounds."

Bats apply Doppler shift detection from echolocation stimulus to locate
meals, navigate, and dodge flying or static obstacles.

The research suggests that delivery drones might someday be equipped with
artificial bat ears to assist drone navigation of the sky. The sky is
"complicated and unpredictable": trees, telephone poles, aircraft, birds,
bugs—all kinds of obstacles that can interfere with drone delivery.

Delivery zones with buried power lines, and sparse foliage or tree cover
might only require GPS navigation to complete their route. But a heavy
population center or a suburban landscape with telephone poles, or
tree-lined streets might require echolocation and GPS to reach their
destination.

Correlating GPS and echolocation signals to reach fixed coordinates presents
a complicated, challenging problem.

Cruise missiles (CMs) can achieve payload delivery using nap-of-the-earth
navigation and RADAR, though CMs are unlikely concerned with telephone
poles, foliage, road signs, bill boards, etc.

Risk: Ultrasonic sensor overload, sensor image correlation failure.


'RAMBleed' Rowhammer attack can now steal data, not just alter it (ZDNet)

Gene Wirchenko <gene@shaw.ca>
Wed, 12 Jun 2019 09:43:20 -0700
https://www.zdnet.com/article/rambleed-rowhammer-attack-can-now-steal-data-not-just-alter-it/
'RAMBleed' Rowhammer attack can now steal data, not just alter it
Academics detail new Rowhammer attack named RAMBleed.
By Catalin Cimpanu for Zero Day | June 11, 2019—17:00 GMT (10:00 PDT) |

opening text:

A team of academics from the US, Austria, and Australia, has published new
research today detailing yet another variation of the Rowhammer attack.

The novelty in this new Rowhammer variety—which the research team has
named RAMBleed—is that it can be used to steal information from a
targeted device, as opposed to altering existing data or to elevate an
attacker's privileges, like all previous Rowhammer attacks, have done in the
past.


"Ransomware halts production for days at major airplane parts manufacturer" (Catalin Cimpanu)

Gene Wirchenko <gene@shaw.ca>
Fri, 14 Jun 2019 10:05:38 -0700
 Catalin Cimpanu for Zero Day | June 12, 2019

https://www.zdnet.com/article/ransomware-halts-production-for-days-at-major-airplane-parts-manufacturer/
Ransomware halts production for days at major airplane parts manufacturer
Nearly 1,000 employees sent home for the entire week, on paid leave.

opening text:

ASCO, one of the world's largest suppliers of airplane parts, has ceased
production in factories across four countries due to a ransomware infection
reported at its plant in Zaventem, Belgium.


Study finds that a GPS outage would cost $1 billion per day (Ars Technica)

Monty Solomon <monty@roscom.com>
Sun, 16 Jun 2019 01:51:40 -0400
https://arstechnica.com/science/2019/06/study-finds-that-a-gps-outage-would-cost-1-billion-per-day/


Re: GPS Degraded Across Much of U.S (RISKS-31.29)

jared gottlieb <jared@netspace.net.au>
Sun, 16 Jun 2019 19:06:52 -0600
This event seems to be a software bug in a system processing GPS data. A
bulletin from one manufacturer discussing one model of a commercial aviation
GPS receiver,
(https://www.duncanaviation.aero/files/intellegence/GPS_CustomerComm_FINAL.pdf

Our team has been actively working to determine a root cause. We found that
a software design error resulted in the system misinterpreting GPS time
updates due to a leap-second event, which typically occurs once every 2.5
years within the U.S. Government GPS satellite almanac update. Our
GPS-4000S-100 version software's timing calculations have reacted to this
leap second by not tracking satellites upon power-up and subsequently
failing.  The U.S. Government distributed a regularly scheduled almanac
update with this leap second on 0:00GMT, Sunday, June 9, 2019, and the
failures began to occur soon after. The next scheduled update by the
U.S. Government to the GPS constellation is set for next Sunday, June 16 at
00:00Z. At this time, we do not believe this update will have the time
information that triggers this error. We are testing additional impact of
this next almanac update. ...>>

Handling leap seconds is a software risk which has affected many systems
beyond GPS receivers (a few of which have appeared in comp.risks). GPS
receivers have had other time concerns, perhaps most recently the 6 April
2019 week number rollover if a receiver used the legacy 10bit value and
firmware updates were not available or applied.

What the almanac update issue was nor why it would be experienced using the
one update is not clear. There has not been a leap second for more than two
years and none is currently planned (IERS Bulletin C ...announcements of the
leap seconds…
https://datacenter.iers.org/data/latestVersion/16_BULLETIN_C16.txt

Testing of this receiver's software is extended by the 'power-up'
pre-condition mentioned in the bulletin; an aircraft manufacturer's notice
illustrates the complexity of this unit's initiation
https://support.cessna.com/custsupt/contacts/pubs/ourpdf.pdf?as_id=50304


Did I Tweet that?

Rob Slade <rmslade@shaw.ca>
Sat, 15 Jun 2019 10:22:39 -0700
A researcher has noted that Twitter reference URLs can be manipulated to
make it appear someone said/tweeted something when they actually didn't.

https://www.bleepingcomputer.com/news/security/twitter-urls-can-be-manipulated-to-spread-fake-news-and-scams/

So, I tweeted a warning:
https://www.twitter.com/rslade/status/1087839317534363648

Well, of course, actually, no I didn't.  If you look closely at the
resulting page, you'll see it isn't my account at all.  Twitter doesn't care
what account you put in the URL: it just cares about the tweet status ID.

Donald Trump is so concerned that he retweeted my warning:
https://www.twitter.com/realDonaldTrump/status/1087839317534363648

So did the Queen:
https://www.twitter.com/RoyalFamily/status/1087839317534363648


Bull and backdoors

Rob Slade <rmsladeshaw.ca>
Fri, 14 Jun 2019 09:34:06 -0700
We're binge-watching a TV show called "Bull."  (For years I've had to be
careful about watching movies and TV with a high tech or security theme,
since they make so many mistakes.  Apparently, having spent a couple of
decades teaching American law to Americans, I now have to avoid legal TV
shows and movies as well.)

In one episode (s3e4) they have a computer expert (someone who can program)
giving testimony.  He is to explain a "backdoor."

Now, as everyone here knows, a backdoor (aka trapdoor) is a technical means of
circumventing a technical control or safeguard, usually to do with access
control.  There are some legitimate uses for backdoors, generally in
development, but they are generally considered a "bad thing" in production.  The
"expert" explains that a backdoor is a means of evading a control, but it's a
(presumably technical, because he programmed it) means of evading a policy or
regulatory control.

This piece of dialogue is a really interesting mix of fact and serious
misunderstanding.  Yes, a backdoor is a means of evading a control.  But
the backdoor and the control are of different types.  Generally a technical
evasion cannot evade a policy or regulatory control (although it might obfuscate
the issue).  To someone who only partially understands the situation, it might
seem reasonable, but, in fact, in reality it makes no sense at all.

(Oh, come on.  I wrote a *dictionary*, and you expect me to put up with this?)

(Yes, I know.  This is why you don't want to watch technically themed
movies and TV shows with me.  Gloria has to put up with these kinds of
interruptions and explanations *a lot*.)


Ross Anderson's non-visa

Rob Slade <rmslade@shaw.ca>
Sat, 15 Jun 2019 10:57:26 -0700
Ross Anderson (yes, *that* Ross Anderson, the one who wrote "Security
Engineering," the best single volume for security and the one I recommend to
anyone taking the exam, and he even put it online for everyone) was to
receive an award at a ceremony in Washington, DC (richly deserved, whatever
it was).

And the U.S. wouldn't give him a visa to come get it.

(By the way, *anything* Anderson writes is worth reading.  Even if it's not
your immediate field.)

  [The visa situation is actually a bit more complicated, in that Ross did
  not need a visa if he had only been receiving the award—the desired
  trip had another purpose as well.  Nevertheless, the rejection seems
  utterly ridiculous.  PGN]

Please report problems with the web pages to the maintainer

Top