The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 34

Thursday 25 July 2019

Contents

Senate Intelligence report on election integrity
NYTimes
Nuclear industry pushing for fewer inspections at plants
NBC
Tesla floats fully self-driving cars as soon as this year. Many are worried about what that will unleash.
WashPost
Airbus A350 software bug forces airlines to turn planes off and on every 149 hours
The Register
Home elevator deaths
WashPost
Numerous airport passengers hijacked by robots
JXM
Satellite Outage Serves as a Warning
WiReD
'Dumb' robot ants are alarmingly smart—and strong—working together
Geoff Goodfellow
The AI Metamorphosis
The Atlantic
Cylance's AI-based AV easily spoofed
SkylightCyber
AI Could Escalate New Type Of Voice Phishing Cyber Attacks
CSHub
Uber glitch charges passengers 100 times the advertised price, resulting in crosstown fares in the thousands of dollars
WashPost
"Google says leaked assistant recordings are a violation of data security policies"
Asha Barbaschow
U.S. Companies Learn to Defend Themselves in Cyberspace
WSJ
Agora farewell
Rob Slade
NYC Subway Service Is Suspended on Several Lines, MTA Says
NYTimes
Brazil is at the forefront of a new type of router attack
ZDNet
My browser, the spy: How extensions slurped up browsing histories from 4M users
Ars Technica
Amazon Prime Day Glitch Let People Buy $13,000 Camera Gear for $94
Gizmodo
Microsoft Office 365: Banned in German schools over privacy fears
Cathrin Schaer
Sweden and UK's surveillance programs on trial at the European Court of Human Rights
Catalin Cimpanu
Bluetooth exploit can track and identify iOS, Microsoft mobile device users
ZDNet
Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board trying to access metadata
Comms Alliance
Permission-greedy apps delayed Android 6 upgrade so they could harvest more user data
ZDNet
Do drivers think you're a 'Ridezilla'? Better check your Uber rating.
WashPost
London Police Twitter feed was hacked; then Trump got in on the act
WashPost
Car locks itself, trapping toddler inside
DerWesten
Hackers breach FSB contractor, expose Tor deanonymization project and more
Catalin Cimpanu
Facebook's Libra currency spawns a wave of fakes, including on Facebook itself
WashPost
Facebook Stock: Facebook's Libra Surrenders to Authority
InvestorPlace
Tether's $5B error exposes cryptocurrency market fragility
WSJ
College student was late returning a textbook to Amazon, so the company took $3,800 from her father
Libercus
Notre-Dame came far closer to collapsing than people knew. This is how it was saved.
NYTimes
One in five US tech employees abuse pain relief drugs, reveals study
Eileen Brown
Here's The Story Behind That Photo Of A Waterfall Inside A Metro Car
Dcist
Stallone in Terminator 2? How one deepfake prankster is changing cinema history
Digital Trends
Cellphone WiFi auto-connect identifies vandals
Boston Globe
Risks of an untimely text
Boston Globe
Minister apologizes for text alert
Taipei Times
Re: Line just went Orwellian on Japanese users with its social, credit-scoring system
Brian Inglis
Re: Galileo sat-nav system experiences service outage
Gabe Goldberg
Re: How Fake News Could Lead to Real War
Dick Mills
Re: London commuters Wi-FiTube being tracked
Chris Drewe
Info on RISKS (comp.risks)

Senate Intelligence report on election integrity (NYTimes)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 25 Jul 2019 15:18:55 PDT
WASHINGTON DC: The Senate Intelligence Committee concluded [on 25 July 2019]
that election systems in all 50 states were targeted by Russia in 2016,
largely undetected by the states and federal officials at the time, but at
the demand of American intelligence agencies the committee was forced to
redact its findings so heavily that key lessons for the 2020 election are
blacked out.

While the report is not directly critical of either American intelligence
agencies or the states, it described what amounted to a cascading
intelligence failure, in which the scope of the Russian effort was
underestimated, warnings to the states were too muted, and state officials
either underreacted or in some cases, resisted federal efforts to offer
help.''

https://www.nytimes.com/2019/07/25/us/politics/russian-hack-of-elections-system-was-far-reaching-report-finds.html


Nuclear industry pushing for fewer inspections at plants (NBC)

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Jul 2019 15:15:39 -0400
Caputo, who previously worked for nuclear plant operator Exelon Corp, told
operators this week her aim was "risk-informed decision-making,"
concentrating regulatory oversight on high-risk problems.

"We shouldn't regulate to zero risk," said David Wright, a former South
Carolina public-utility commissioner appointed to the NRC board last year.

"The NRC mission is reasonable assurance of adequate protection—no more,
no less," Wright said.

https://www.nbcnews.com/politics/politics-news/nuclear-industry-pushing-fewer-inspections-plants-n983671

What could go wrong?


Tesla floats fully self-driving cars as soon as this year. Many are worried about what that will unleash. (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Jul 2019 20:28:05 -0400
The electric-car maker said it will do that without light detection and
ranging, or lidar, complex sensors that use laser lights to map the
environment—technology most autonomous vehicle makers consider necessary.
Even with lidar, many of those manufacturers have adopted a slow and
deliberate approach to self-driving vehicles, with limited testing on public
roads.

Tesla shows little sign of such caution. And because autonomous vehicles are
largely self-regulated—guided by industry standards but with no clearly
enforceable rules—no one can stop the automaker from moving ahead.

*The Washington Post* spoke with a dozen transportation officials and
executives, including current and former safety regulators, auto industry
executives, safety advocacy group leaders and autonomous-vehicle
competitors. In interviews, they expressed worries that Tesla's plan to
unleash robo-cars on the road on an expedited timeline—likely without
regulated vetting—could result in crashes, lawsuits and confusion. Plus,
they said, Tesla's promised `full self-driving' features fall short of
industry standards for a true autonomous vehicle because humans will still
need to be engaged at all times and ready to intervene in the
beginning. Some of the people interviewed requested anonymity because of the
sensitivity of the matter. ...

Tesla has raised eyebrows with its statements that autonomous driving can be
achieved through a slimmed-down system that sheds all but the most critical
equipment. Musk says he wants Tesla's system to use a combination of cameras
and radar sensors that triangulate a field of vision, similar to human
eyesight, forgoing lidar. It also forgoes a driver-monitoring camera to
improve safety in the cabin, instead relying on torque-sensing
steering-wheel monitors to detect whether the driver's hands are on the
wheel.

Tesla executives said at an April conference that the company is using its
radar and cameras to understand depth around its cars and real-world road
conditions, as well as its Shadow Mode, which allows it to test how
self-driving technologies perform without actually activating those features
-- something the company says lets it train and refine its networks without
needing to do the same testing as other companies.

“Lidar is lame,” Musk said in April. Rivals are “all going to dump
lidar. That's my prediction. Mark my words.”

Meanwhile, traditional auto-industry executives have preached caution.

https://www.washingtonpost.com/technology/2019/07/17/tesla-floats-fully-self-driving-cars-soon-this-year-many-are-worried-about-what-that-will-unleash/


Airbus A350 software bug forces airlines to turn planes off and on every 149 hours (The Register)

Steve Golson <sgolson@trilobyte.com>
Thu, 25 Jul 2019 11:53:05 -0400
https://www.theregister.co.uk/2019/07/25/a350_power_cycle_software_bug_149_hours/

The airworthiness directive says in part:

Prompted by in-service events where a loss of communication occurred between
some avionics systems and avionics network, analysis has shown that this may
occur after 149 hours of continuous aeroplane power-up. Depending on the
affected aeroplane systems or equipment, different consequences have been
observed and reported by operators, from redundancy loss to complete loss on
a specific function hosted on common remote data concentrator and core
processing input/output modules.

This condition, if not corrected, could lead to partial or total loss of
some avionics systems or functions, possibly resulting in an unsafe
condition.

  I suspect they have a 32-bit counter that updates every 125 microseconds
  (8kHz).  Such a counter will overflow after 149 hours, 7 minutes, 51
  seconds.
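The counter arithmetic in the comment above, worked through in C as an added example (not Airbus code; the 32-bit width and the 125-microsecond tick are the poster's speculation, used here as constructed parameters). Beyond the 149-hour figure it shows the defensive idiom that keeps a timeout check correct across the wrap, which is the usual way this class of bug is avoided in firmware:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed parameters taken from the speculation above: a free-running
   32-bit tick counter that advances every 125 microseconds (8 kHz).
   These are assumptions for illustration, not known A350 values. */
#define TICK_US 125ULL
#define TICK_HZ (1000000ULL / TICK_US)   /* 8000 ticks per second */

/* Seconds until such a counter wraps: 2^32 ticks / ticks-per-second. */
double seconds_until_wrap(void)
{
    return (double)(1ULL << 32) / (double)TICK_HZ;
}

/* Split a duration in seconds into whole hours, minutes and seconds
   (rounded to the nearest second). */
void split_hms(double secs, unsigned *h, unsigned *m, unsigned *s)
{
    uint64_t whole = (uint64_t)(secs + 0.5);
    *h = (unsigned)(whole / 3600);
    *m = (unsigned)((whole % 3600) / 60);
    *s = (unsigned)(whole % 60);
}

/* Naive deadline check. It silently fails at the wrap: once 'now' has
   wrapped to a small value, every deadline armed before the wrap looks
   like it lies in the distant future, so the timeout never fires. */
bool deadline_passed_naive(uint32_t now, uint32_t deadline)
{
    return now >= deadline;
}

/* Wrap-safe deadline check: unsigned subtraction is well defined modulo
   2^32, and reinterpreting the difference as signed gives the correct
   answer as long as the interval is shorter than 2^31 ticks
   (about 74.5 hours at 8 kHz). */
bool deadline_passed_safe(uint32_t now, uint32_t deadline)
{
    return (int32_t)(now - deadline) >= 0;
}

/* Scenario straddling the wrap: a 16-tick timeout armed 11 ticks before
   the counter rolls over. Returns true when the naive and the wrap-safe
   checks disagree, i.e. when a watchdog built on the naive form would
   misjudge the timeout right after hour 149. */
bool naive_disagrees_at_wrap(void)
{
    uint32_t deadline = UINT32_MAX - 10;   /* armed just before the wrap */
    uint32_t now = 5;                      /* 16 ticks later; counter wrapped */
    return deadline_passed_naive(now, deadline) != deadline_passed_safe(now, deadline);
}

int main(void)
{
    unsigned h, m, s;
    split_hms(seconds_until_wrap(), &h, &m, &s);
    printf("32-bit counter at %llu Hz wraps after %uh %um %us\n",
           (unsigned long long)TICK_HZ, h, m, s);
    printf("naive check misjudges a timeout across the wrap: %s\n",
           naive_disagrees_at_wrap() ? "yes" : "no");
    return 0;
}
```

The wrap-safe form only fixes comparisons between two timestamps; a counter that is used as an absolute uptime value (for example as an index or a divisor) still needs either a wider counter or an explicit wrap handler, which is why a forced power cycle before the wrap is an effective, if crude, mitigation.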


Home elevator deaths (WashPost)

Lauren Weinstein <lauren@vortex.com>
Thu, 18 Jul 2019 14:42:28 -0700
https://www.washingtonpost.com/business/economy/home-elevator-deaths/2019/07/18/27b53434-968e-11e9-830a-21b9b36b64ad_story.html


Numerous airport passengers hijacked by robots

<jxm@calidris.net>
Tue, 16 Jul 2019 08:28:53 -0700
Here's a brief transport/automation problem that I encountered last week.

During the afternoon of 9 July 2019, the automated AirTrain shuttle service
at Newark airport went seriously awry.

AirTrain is an unmanned monorail service with a single line that links the
airport's three terminals with the parking and car rental facilities, as
well as the NJTransit/Amtrak station. Starting about 3.00pm, passengers were
instructed by AirTrain staff to evacuate the vehicles, to transfer back and
forth between certain trains, and to ignore the automated signs and
announcements. Some trains appeared to suddenly reverse direction and return
to their origin without visiting the terminals. Others arrived at one end of
the line already jammed with passengers who had expected to get to the other
end. There were numerous mismatches between the system's destination
indicators and the actual train movements.

For many dozens of people, what should have been a ten-minute transfer took
well over an hour, presumably with a corresponding number of missed
flights. There was no indication of any form of police activity or airport
security problems that might have caused the mixup.

It would be interesting to find out if anyone actually got to the root
of this robotic hijacking incident.


Satellite Outage Serves as a Warning (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 20 Jul 2019 00:33:45 -0400
Europe's Galileo satellite navigation system largely regained service
Thursday [18 Jul 2019], after a mass outage began on 11 Jul.  The European
Global Navigation Satellite Systems Agency, known as GSA, said that
commercial users would start to see coverage returning, but that there might
be "fluctuations" in the system. What remains unclear is what exactly caused
the downtime—and why it persisted for so long.

https://www.wired.com/story/galileo-satellite-outage-gps/

ices might also be making connections with the Russian (Glonass) and
Chinese (Beidou) networks.

https://www.bbc.com/news/science-environment-48985399


'Dumb' robot ants are alarmingly smart—and strong—working together

the keyboard of geoff goodfellow <geoff@iconia.com>
Tue, 16 Jul 2019 15:06:00 -1000
Everyone knows robot ants can't move a rubber tree plant. Oh shoot, they
can!

EXCERPT:

A team of Swiss researchers with bugs on the brain has created an army of
simple robotic "ants" capable of some impressive feats. The takeaway from
these 10 gram bots, which are inexpensive to make and surprisingly simple in
design? *Teamwork makes the dream work.*

As described in a new paper in the journal Nature, the ants can communicate
with each other, assign roles among themselves, and complete complex tasks
and overcome obstacles together. That means that while simple compared to
much more complex autonomous agents, these origami-inspired robots can solve
complex challenges, such as navigating uneven surfaces or, yes, moving
comparatively huge objects.

The robots <https://www.zdnet.com/blog/robotics/>, which are T-shaped and
called Tribots by researchers at the Ecole polytechnique federale de
Lausanne <https://www.epfl.ch/en/>, a Swiss research institute, have
infrared and proximity sensors for detection and communication. Made of
foldable thin materials, they're also easy to manufacture. The actuated
robots can jump and crawl to explore uneven surfaces.

"Their movements are modeled on those of Odontomachus ants," says Zhenishbek
Zhakypov, the first author of the Nature article. "These insects normally
crawl, but to escape a predator, they snap their powerful jaws together to
jump from leaf to leaf."...


The AI Metamorphosis (The Atlantic)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 15 Jul 2019 15:15:00 -1000
*AI will bring many wonders. It may also destabilize everything from nuclear
detente to human friendships. We need to think much harder about how to
adapt.*

EXCERPT:

Humanity is at the edge of a revolution driven by artificial intelligence.
It has the potential to be one of the most significant and far-reaching
revolutions in history, yet it has developed out of disparate efforts to
solve specific practical problems rather than a comprehensive plan.
Ironically, the ultimate effect of this case-by-case problem solving may be
the transformation of human reasoning and decision making.

This revolution is unstoppable. Attempts to halt it would cede the future to
that element of humanity more courageous in facing the implications of its
own inventiveness. Instead, we should accept that AI is bound to become
increasingly sophisticated and ubiquitous, and ask ourselves: How will its
evolution affect human perception, cognition, and interaction? What will be
its impact on our culture and, in the end, our history?

Such questions brought together the three authors of this article: a
historian and sometime policy maker; a former chief executive of a major
technology company; and the dean of a principal technology-oriented academic
institution. We have been meeting for three years to try to understand these
issues and their associated riddles. Each of us is convinced of our
inability, within the confines of our respective fields of expertise, to
fully analyze a future in which machines help guide their own evolution,
improving themselves to better solve the problems for which they were
designed. So as a starting point—and, we hope, a springboard for wider
discussion—we are engaged in framing a more detailed set of questions
about the significance of AI's development for human civilization...

https://www.theatlantic.com/magazine/archive/2019/08/henry-kissinger-the-metamorphosis-ai/592771/


Cylance's AI-based AV easily spoofed (SkylightCyber)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 19 Jul 2019 9:53:16 PDT
Steven Cheung just read a fun article that has been slashdotted.
It's about how a team defeats Cylance, a popular machine-learning-based
antivirus software.

https://www.vice.com/en_us/article/9kxp83/researchers-easily-trick-cylances-ai-based-antivirus-into-thinking-malware-is-goodware

Here are more technical details:

https://skylightcyber.com/2019/07/18/cylance-i-kill-you/


AI Could Escalate New Type Of Voice Phishing Cyber Attacks (CSHub)

José María Mateos <chema@rinzewind.org>
Mon, 15 Jul 2019 12:40:55 -0400
https://www.cshub.com/attacks/articles/ai-could-escalate-new-type-of-voice-phishing-cyber-attacks

While many cyber security professionals have been looking at (and even
investing in) the potential benefits of utilizing artificial intelligence
(AI) technology within many different business functions, earlier this week,
the Israel National Cyber Directorate (INCD) issued a warning of a new type
of cyber-attack that leverages AI to impersonate senior enterprise
executives. The method instructs company employees to perform transactions
including money transfers and other malicious activity on the network.

There are recent reports of this type of cyber-attack received at the
operational center of the INCD. While business email compromise (BEC) types
of fraud oftentimes use social engineering methods for a more effective
attack, this new method escalates the attack type by using AI-based
software, which makes voice phishing calls to senior executives.  ---

(Via BreachExchange:
https://lists.riskbasedsecurity.com/listinfo/breachexchange)


Uber glitch charges passengers 100 times the advertised price, resulting in crosstown fares in the thousands of dollars (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Thu, 18 Jul 2019 18:19:02 -0400
“We understand that this has been frustrating,” Uber said in response to
one of the riders' complaints.  “There was a known issue that caused your
authorization hold to be very high. Our team has already fixed this
issue. Thank you so much for your patience.”

https://www.washingtonpost.com/technology/2019/07/18/uber-glitch-charges-passengers-times-normal-price-resulting-crosstown-fares-thousands-dollars/


"Google says leaked assistant recordings are a violation of data security policies" (Asha Barbaschow)

Gene Wirchenko <gene@shaw.ca>
Mon, 15 Jul 2019 09:50:22 -0700
Asha Barbaschow | 11 Jul 2019

https://www.zdnet.com/article/google-says-leaked-assistant-recordings-are-a-violation-of-data-security-policies/

The search giant has confirmed humans are listening in to 'Okay Google'
commands, but it says leaking the recordings are a violation of its data
security policies.

opening text:

Earlier this week, a report from Belgium-based VRT NWS revealed that Google
employees had been "systematically listening" to audio files recorded by
Google Home smart speakers and the Google Assistant smartphone app.

The report detailed how employees were listening to excerpts of recordings
that are captured when a user activates the device by the usual "Okay
Google" or "Hey Google" commands.

After obtaining copies of some recordings, VRT NWS reached out to the users
and had them verify their voice, or those of their children, talking to the
digital assistant.


U.S. Companies Learn to Defend Themselves in Cyberspace (WSJ)

Gabe Goldberg <gabe@gabegold.com>
Mon, 15 Jul 2019 17:21:15 -0400
From a friend; his comments below.

"One chief information-security officer at a major bank told us that, in
five years, his bank will largely be immune to cyberattacks because it is
upgrading from legacy systems that are insecure by default to cutting-edge
systems that are secure by design."
https://www.wsj.com/articles/u-s-companies-learn-to-defend-themselves-in-cyberspace-11562941994

Um, right. Wish I knew which bank that was so we could short its stock.

(Not that IBM Z is *necessarily* more secure, but if they really think
`cutting-edge systems' are `secure by design', well ...)


Agora farewell

Rob Slade <rmslade@shaw.ca>
Sat, 20 Jul 2019 09:39:29 -0800
Security does not have a community.  It has several siloed, sliced, and
separated communities.  Security has always taken "security by obscurity"
too readily to heart, and despite the fact that we know SBO doesn't work;
and even works against us; we still insist on dividing ourselves into
smaller and smaller sub-sets.  Intelligence doesn't talk to law enforcement
which doesn't talk to academia which doesn't talk to business which doesn't
talk to military which doesn't talk to industry which doesn't talk to
government which doesn't talk to research.  In all my decades in the field,
I've only ever found two venues that attracted, encouraged, and almost
forced the interaction (and often long-term relationships) of all these
disparate groups (and more).

If you've never been to the Agora meetings, you're too late.  I attended the
last one yesterday.  For the past twenty-five years, those in the know
would, every quarter, make every effort to spend Friday morning together.
That was it: Friday morning.  Three hours long, never more than three main
presentations.  There were also announcements, job postings, occasional
queries, and, every August 15th, storytime.  (That's an Agora joke.  I don't
expect you to get it.  If you tell it to someone and they laugh, they've
been to Agora recently.)

Agora didn't just happen, of course.  It was created and diligently (and
creatively and competently) managed by Kirk Bailey, later ably assisted by
Ann Nagel and Daniel Schwalbe.  Also assisted by various students and a
whole host of attendees and even companies, but that list would a) make this
piece far too long and b) I'd definitely forget someone.  Those of us who
attended owe them all a debt of gratitude.

Kirk's ability to attract speakers was legendary.  We heard presentations at
Agora I've never heard anywhere else, and some I never thought to hear.  I
recall a drive back after one Agora, when we were discussing a rather
lackluster piece, and I was suddenly struck by the fact that, even if this
meeting hadn't been sterling, the worst Agora meeting I'd ever attended was
better than the best conference I'd ever attended.

But the presentations were only half of what made Agora special.  The other
half was the people you met.  People from three-letter agencies.  People
from high up in important corporations.  People who were just there out of
interest.  People with political and social positions at extravagantly wild
variance to your own.  I remember, when I was first researching the
implications, for security, of the potential capabilities of quantum
computers, I got very excited over the possibilities for improving emergency
management in the midst of a disaster.  At Agora I met a Navy captain who
got equally excited over similar possibilities for battle command.

A number of us from the SIG drove down for the meetings, despite the three
hour trip if nothing went wrong.  Highway construction, bridge collapses
(that's another Agora joke), local traffic, and border guards could easily
double that.  But we happily faced eleven hours of travel time for three
hours of Agora and, if we were lucky, a couple of hours of "networking" and
possibly lunch.

We envied the people from the local area, but they weren't the only ones who
came.  Lots of people regularly came considerable distances.  Before
governments lost their travel budgets there were pretty much constant
attendees from DC and Ottawa.  People came from other continents.  (Some of
the DC crowd were pretty high up in DHS.  If I could stay for one of the
post-Agora lunches, the DHS guys always tried to grab me for their table.
They wanted to know the latest border horror story, and I always had one for
them.  They regularly fell on the floor laughing about it.)  (Recounting
those would also make this piece far too long.)

You will note that I haven't said where we met.  That's another, well, not
so much Agora joke as Agora tribute.  Agora was governed by a sort of
variant set of Chatham House Rules.  What was said at Agora stayed at Agora.
As an attendee, you never quoted any of the presentations, or any of the
people you talked to at the breaks.  For years this was simply understood by
all involved.  After one notable failure, a more formal NDA was created, but
that was late in the game.

Agora was the security world's worst kept secret.  Nobody blabbed about what
was said at Agora, or who went.  But, despite the fact that Agora had no
legal existence, no bank account, no Website, and no offices, almost
everyone who ever attended became an instant devotee, and, often,
evangelist.  Within a few years of its creation, attendance was hitting
600.  During the Great Recession, the slashing of budgets and demands that
security people stick to their desks dropped attendance to the 150 region,
but, for the past few years it's been back in the 400 range.

There was never any charge for membership in, or attendance at, Agora.
There was a cost, certainly.  Much of that was "sweat equity" on the part of
Kirk and a number of others.  There were also other direct costs, generally
borne by whoever would pay for (or donate) a venue, or mailing costs, or
refreshments, or (latterly) the "Agora spam gun."  In the end, Agora became
a victim of its own success: it just became too hard to find people or
institutions willing to donate, provide, pay for, or give priority to rooms
big enough for the group to meet.

Agora is gone, but leaves a legacy.  That legacy is the model.  We need a
space.  Or, more probably, spaces.  We need other venues, sites,
and/or communities where the various communities can meet.  Together.  We
need others to take up the Agora torch, and create places, physical or
virtual, where anyone who is committed to (or even just strongly interested
in) security, of whatever type, can meet together and, safely, exchange
ideas.  We need spaces where the formal can meet the anarchic, where the
business can meet the exploratory, where the old can meet the young and pass
along wisdom (and occasional silliness).  Hopefully, Agora's death will have
been a spawning or a sporing out, and not just a mere termination.


NYC Subway Service Is Suspended on Several Lines, MTA Says (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 20 Jul 2019 21:44:25 -0400
https://www.nytimes.com/2019/07/19/nyregion/subway-service-suspended-mta.html

The Metropolitan Transportation Authority attributed the disruption to a
`network communications' issue


Brazil is at the forefront of a new type of router attack (ZDNet)

Monty Solomon <monty@roscom.com>
Wed, 17 Jul 2019 11:41:45 -0400
Avast: More than 180,000 routers in Brazil had their DNS settings changed in
Q1 2019.

For nearly a year, Brazilian users have been targeted with a new type of
router attack that has not been seen anywhere else in the world.

The attacks are nearly invisible to end users and can have disastrous
consequences, having the ability to lead to direct financial losses for
hacked users.

What's currently happening to routers in Brazil should be a warning sign for
users and ISPs from all over the world, who should take precautions to
secure devices before the attacks observed in the South American country spread
to them as well. ...

https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/


My browser, the spy: How extensions slurped up browsing histories from 4M users (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Thu, 18 Jul 2019 17:54:35 -0400
https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/


Amazon Prime Day Glitch Let People Buy $13,000 Camera Gear for $94. (Gizmodo)

Monty Solomon <monty@roscom.com>
Sun, 21 Jul 2019 00:07:05 -0400
https://gizmodo.com/amazon-prime-day-glitch-let-people-buy-13-000-camera-g-1836487919


Microsoft Office 365: Banned in German schools over privacy fears (Cathrin Schaer)

Gene Wirchenko <gene@shaw.ca>
Mon, 15 Jul 2019 09:55:33 -0700
Cathrin Schaer, ZDNet, 12 Jul 2019
State of Hesse says student and teacher information could be "exposed" to US
spy agencies.

https://www.zdnet.com/article/microsoft-office-365-banned-in-german-schools-over-privacy-fears/

opening text:

Schools in the central German state of Hesse have been told it's
now illegal to use Microsoft Office 365.

The state's data-protection commissioner has ruled that using the popular
cloud platform's standard configuration exposes personal information about
students and teachers "to possible access by US officials".  That might
sound like just another instance of European concerns about data privacy or
worries about the current US administration's foreign policy.  But in fact
the ruling by the Hesse Office for Data Protection and Information Freedom
is the result of several years of domestic debate about whether German
schools and other state institutions should be using Microsoft software at
all.

Besides the details that German users provide when they're working with the
platform, Microsoft Office 365 also transmits telemetry data back to the US.

Last year, investigators in the Netherlands discovered that that data could
include anything from standard software diagnostics to user content from
inside applications, such as sentences from documents and email subject
lines. All of which contravenes the EU's General Data Protection Regulation,
or GDPR, the Dutch said.


Sweden and UK's surveillance programs on trial at the European Court of Human Rights (Catalin Cimpanu)

Gene Wirchenko <gene@shaw.ca>
Mon, 15 Jul 2019 09:58:00 -0700
Catalin Cimpanu for Zero Day | 12 Jul 2019

Last chance for Europe's top human rights court to rule against dragnet
surveillance programs.
https://www.zdnet.com/article/sweden-and-uks-surveillance-programs-on-trial-at-the-european-court-of-human-rights/

opening text:

This week, the highest body of the European Court of Human Rights heard
arguments against the mass surveillance programs of two countries, Sweden
and the United Kingdom.


Bluetooth exploit can track and identify iOS, Microsoft mobile device users (ZDNet)

Gabe Goldberg <gabe@gabegold.com>
Thu, 18 Jul 2019 17:53:31 -0400
A flaw in the Bluetooth communication protocol may expose modern device
users to tracking and could leak their ID, researchers claim.

The vulnerability can be used to spy on users despite native OS protections
that are in place and impacts Bluetooth devices on Windows 10, iOS, and
macOS machines. This includes iPhones, iPads, Apple Watch models, MacBooks,
and Microsoft tablets & laptops.

On Wednesday, researchers from Boston University David Starobinski and
Johannes Becker presented the results of their research at the 19th Privacy
Enhancing Technologies Symposium, taking place in Stockholm, Sweden.

According to the research paper, Tracking Anonymized Bluetooth Devices
(.PDF), many Bluetooth devices will use MAC addresses when advertising their
presence to prevent long-term tracking, but the team found that it is
possible to circumvent the randomization of these addresses to permanently
monitor a specific device.

https://www.zdnet.com/article/bluetooth-vulnerability-can-be-exploited-to-track-and-id-iphone-smartwatch-microsoft-tablet-users/


Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board trying to access metadata (Comms Alliance)

Gene Wirchenko <gene@shaw.ca>
Wed, 17 Jul 2019 10:44:43 -0700
Chris Duckett | 17 Jul 2019
The Communications Alliance has listed 27 other agencies that have tried to
access metadata following the introduction of Australia's data retention
regime.
https://www.zdnet.com/article/clean-energy-regulator-wa-mines-department-and-vet-surgeons-board-trying-to-access-metadata-comms-alliance/

opening text:

Agencies trying to access metadata when not specifically listed as an
enforcement agency for the purposes of Australia's data retention regime has
been labelled as a "serious and persistent phenomenon" by the Communications
Alliance industry group.

Writing in a submission to the Parliamentary Joint Committee on Intelligence
and Security (PJCIS) review of the mandatory data retention regime, Comms
Alliance said it was a "problem that continues to grow in magnitude".


Permission-greedy apps delayed Android 6 upgrade so they could harvest more user data (ZDNet)

Gene Wirchenko <gene@shaw.ca>
Wed, 17 Jul 2019 10:35:58 -0700
Catalin Cimpanu for Zero Day | 16 Jul 2019
App devs delayed upgrading apps, but lost in the long run due to more
negative reviews and less Play Store visibility.

https://www.zdnet.com/article/permission-greedy-apps-delayed-android-6-upgrade-so-they-could-harvest-more-user-data/

selected text:

Android app developers intentionally delayed updating their applications to
work on top of Android 6.0, so they could continue to have access to an
older permission-requesting mechanism that granted them easy access to large
quantities of user data, research published by the University of Maryland
last month has revealed.

And, ironically, the research team also found that app makers who delayed
upgrading their apps to the newer Android 6.0 in order to keep access to a
simpler system for harvesting user data received more negative ratings.

These negative ratings eventually affected the apps' visibility on the Play
Store, where positively-reviewed apps are placed higher in search results
and recommendations.


Do drivers think you're a `Ridezilla'? Better check your Uber rating. (WashPost)

Monty Solomon <monty@roscom.com>
Sun, 21 Jul 2019 00:34:43 -0400
For some rideshare users, a little number can be heavy baggage.

https://www.washingtonpost.com/lifestyle/do-drivers-think-youre-a-ridezilla-better-check-your-uber-rating/2019/07/18/8b441588-a291-11e9-b732-41a79c2551bf_story.html


London Police Twitter feed was hacked; then Trump got in on the act (WashPost)

Monty Solomon <monty@roscom.com>
Sun, 21 Jul 2019 00:47:32 -0400
https://www.washingtonpost.com/world/2019/07/20/london-police-twitter-feed-was-hacked-then-trump-got-act/


Car locks itself, trapping toddler inside (DerWesten)

Thomas Koenig <tkoenig@netcologne.de>
Sun, 21 Jul 2019 17:27:38 +0200
A mother got out of her car at a supermarket parking lot when suddenly, the
central lock activated and locked the car.  The key was still inside the
car, as was her young son.

She immediately called emergency services, who arrived a short time later,
broke a window and were able to free the toddler from the car, which had
already heated up considerably.

https://www.derwesten.de/panorama/aldi-frau-steigt-aus-auto-aus-und-waehlt-sofort-den-notruf-id226542237.html


Hackers breach FSB contractor, expose Tor deanonymization project and more (Catalin Cimpanu)

Gene Wirchenko <gene@shaw.ca>
Mon, 22 Jul 2019 10:39:38 -0700
Catalin Cimpanu, ZDNet, 20 Jul 2019

https://www.zdnet.com/article/hackers-breach-fsb-contractor-expose-tor-deanonymization-project/

SyTech, the hacked company, was working on research projects for the FSB,
Russia's intelligence service.

Hackers have breached SyTech, a contractor for FSB, Russia's national
intelligence service, from where they stole information about internal
projects the company was working on behalf of the agency—including one
for deanonymizing Tor traffic.  [...]


Facebook's Libra currency spawns a wave of fakes, including on Facebook itself (WashPost)

Monty Solomon <monty@roscom.com>
Mon, 22 Jul 2019 22:16:18 -0400
The fakes could undermine Facebook's efforts to inspire confidence and
satisfy the regulators now scrutinizing the global currency.

https://www.washingtonpost.com/technology/2019/07/22/facebooks-libra-currency-spawns-wave-fakes-including-facebook-itself/


Facebook Stock: Facebook's Libra Surrenders to Authority (InvestorPlace)

Gabe Goldberg <gabe@gabegold.com>
Tue, 16 Jul 2019 23:34:02 -0400
https://investorplace.com/2019/07/facebooks-libra-surrenders-to-authority/


Tether's $5B error exposes cryptocurrency market fragility (WSJ)

Monty Solomon <monty@roscom.com>
Wed, 17 Jul 2019 11:20:14 -0400
Sudden flood of digital coins spooked market and drove down price of bitcoin
by about 12%

https://www.wsj.com/articles/tethers-5-billion-error-exposes-crypto-markets-fragility-11563280121


College student was late returning a textbook to Amazon, so the company took $3,800 from her father (Libercus)

Gabe Goldberg <gabe@gabegold.com>
Sun, 14 Jul 2019 01:06:06 -0400
http://pge.libercus.net//.pf/showstory/201907110011/3

Well, yeah. Likely debit was automatic but hassle getting it undone is
systemic problem/failure.

When AI runs everything it'll all be perfect. Never mind Hal 9000, Skynet, or
Colossus: The Forbin Project.


Notre-Dame came far closer to collapsing than people knew. This is how it was saved. (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Jul 2019 15:18:00 -0400
*The New York Times*

The fire warning system at Notre-Dame took dozens of experts six years to
put together, and in the end involved thousands of pages of diagrams, maps,
spreadsheets and contracts, according to archival documents found in a
suburban Paris library by The Times.

The result was a system so arcane that when it was called upon to do the one
thing that mattered—warn `fire!' and say where—it produced instead a
nearly indecipherable message.  It made a calamity almost inevitable, fire
experts consulted by *The Times* said.

https://www.nytimes.com/interactive/2019/07/16/world/europe/notre-dame.html

Stunning visuals, tragic outcome.


One in five US tech employees abuse pain relief drugs, reveals study (Eileen Brown)

Gene Wirchenko <gene@shaw.ca>
Wed, 17 Jul 2019 10:27:33 -0700
Eileen Brown for Social Business, ZDNet, 15 Jul 2019

https://www.zdnet.com/article/one-in-five-us-tech-employees-abuse-pain-relief-drugs-reveals-study/

There is nothing wrong with bonding over a beer or two after work, but when
it becomes too much, it is important to spot the warning signs of substance
abuse and addiction, according to a new study.


Here's The Story Behind That Photo Of A Waterfall Inside A Metro Car (Dcist)

Gabe Goldberg <gabe@gabegold.com>
Tue, 16 Jul 2019 17:32:31 -0400
``It appears that the water entered the car through the fresh air intake of
the HVAC system which is mounted on the roof of 7000-series vehicles; In
normal or heavy rainfall, any water is diverted through ducts and exits the
car through drains. At Virginia Square, the sudden deluge of water falling
directly into the fresh air intake was more than the car could divert,
resulting in water entering the cabin.''

In response to safety concerns, she noted that wiring is enclosed in secure
boxes or run on the underside of the car, and each car ``undergoes
rigorous `water tightness testing'.''

https://dcist.com/story/19/07/16/heres-the-story-behind-that-photo-of-a-waterfall-inside-a-metro-car/

Done right, it seems. This really was an epic/biblical rainstorm.


Stallone in Terminator 2? How one deepfake prankster is changing cinema history (Digital Trends)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 15 Jul 2019 15:14:00 -1000
EXCERPT:

In some parallel universe, there's a version of *Casino Royale* with Hugh
Jackman playing everyone's favorite suave British agent, James Bond. And one
in which Matthew McConaughey took the Leo role in *Titanic*. And DiCaprio
and Brad Pitt co-starred in *Brokeback Mountain*. And *Saved by the Bell*'s
Tiffani Thiessen played Rachel in *Friends*.

The entertainment industry isn't exactly short on `what if?' scenarios in
which actors came close to, but were ultimately passed over, playing iconic
roles. For more than 99% of movie history, fans have been able to do little
more than squirrel away this trivia for use in pop quizzes. That is until
the arrival of deepfakes
<https://www.digitaltrends.com/cool-tech/samsung-ai-deepfake-videos/>.
Springing to life in the past couple of years, deepfakes use artificial
intelligence technology to combine and superimpose new images and videos
onto existing source footage using machine learning. That could mean
anything from face swaps to mapping one person's body onto someone else's
movements.
<https://www.digitaltrends.com/cool-tech/uc-berkeley-deepfake-ai-dance/>
The results can be jaw-droppingly realistic, which is why many people
rightfully worry about its potential to be used for malicious hoaxes
<https://www.digitaltrends.com/cool-tech/ai-spots-writing-by-ai/>.

One tech enthusiast and movie buff thinks different, though. Operating under
the YouTube username *Ctrl Shift Face*,
<https://www.youtube.com/channel/UCKpH0CKltc73e4wh0_pgL3g> this high-tech
Hollywood fan has used deepfake technology to create some astonishing
remixes of iconic movie scenes—complete with all new actors.  Ever wanted
to see *The Shining* starring Jim Carrey instead of Jack Nicholson?  Sly
Stallone in *Terminator 2: Judgement Day*? Heck, he's even broken with the
movie theme by dropping David Bowie into Rick Astley's infamous
song-turned-meme *Never Gonna Give You Up*.

``The Bowie one is my favorite,'' its creator told Digital Trends.  ``I
wanted to Rickroll people and blow them away at the same time. Bowie fitted
the role of Rick Astley, and had interesting facial features for a
deepfake.'' [...]
https://www.digitaltrends.com/cool-tech/ctrl-shift-face-deepfake-changing-hollywood-history/


Cellphone WiFi auto-connect identifies vandals (The Boston Globe)

David Tarabar <dtarabar@acm.org>
Tue, 16 Jul 2019 08:40:33 -0400
Four Maryland teenagers sneaked onto their school's property the night
before graduation last year and covered it in racist, homophobic and
anti-Semitic graffiti.

They wore masks, but they were caught because their cellphones automatically
connected to the school WiFi network—using their student IDs.

https://www.bostonglobe.com/news/nation/2019/07/10/helped-identify-teens-who-drew-racist-anti-semitic-graffiti-maryland-school/S0hQ1PwZNyXrzT43olZ2ZO/story.html


Risks of an untimely text (Boston Globe)

David Tarabar <dtarabar@acm.org>
Tue, 16 Jul 2019 16:15:00 -0400
A couple in Rhode Island was being investigated for marriage fraud—that
they entered into a sham marriage to get permanent resident status for the
husband.  When the wife was being interviewed, she produced her cellphone to
show texts from her husband.  A text message arrived: We had the best sex
ever.  Unfortunately the text was not from the husband.  A federal trial is
in progress.

https://www.bostonglobe.com/metro/2019/07/16/had-best-sexy-ever-steamy-text-helps-spark-marriage-fraud-case/QlRNLVhGzFcfzO1lNXFwLM/story.html


Minister apologizes for text alert (Taipei Times)

Dan Jacobson <jidanni@jidanni.org>
Mon, 15 Jul 2019 15:26:20 +0800
http://www.taipeitimes.com/News/taiwan/archives/2019/07/11/2003718476

"The alert was originally set up to be sent to residents within 300m of the
borough, but the unit of distance was later changed to kilometers."

Way to go, clodsburg.


Re: Line just went Orwellian on Japanese users with its social, credit-scoring system (Jacobson, RISKS-31.33)

Brian Inglis <Brian.Inglis@systematicsw.ab.ca>
Sun, 21 Jul 2019 23:24:10 -0600
>> Still, it's unnerving that tech companies seem to think that social
>> credit ratings are the next big thing for now. Hopefully, this is a
>> trend that will not catch on.
>
> Stack Exchange was first.
> Some might say not the same thing...
> But users quickly learn to dot their i's and cross their t's...

Some might say the same about BBS message boards (1978 CBBS), moderated
Usenet netnews groups (UUCP 1979), and discussion lists (Listserv@Bitnic
1984), like this one, which preceded SE (2009) by decades.  Who didn't pay
attention when dmr@bell-labs.com posted to comp.lang.c?

https://en.wikipedia.org/wiki/Usenet#cite_ref-54

"As long as there are folks who think a command line is better than a mouse,
the original text-only social network will live on" in "Reports of Usenet's
Death Are Greatly Exaggerated", August 1, 2008, TechCrunch.
https://en.wikipedia.org/wiki/Usenet#cite_note-54

The major appeal then and now is filtering and limiting the spam, garbage,
verbiage, and incivility that permeates other [anti-?]"social networks".


Re: Galileo sat-nav system experiences service outage (BBC News in RISKS-31.33)

Gabe Goldberg <gabe@gabegold.com>
Sun, 14 Jul 2019 21:15:20 -0400
Europe's satellite-navigation system, Galileo, has suffered a major outage.

The network has been offline since Friday due to what has been described as
a "technical incident related to its ground infrastructure".

The problem means all receivers, such as the latest smartphone models, will
not be picking up any useable timing or positional information.

These devices will be relying instead on the data coming from the American
Global Positioning System (GPS).

Depending on the sat-nav chip they have installed, cell phones and other
devices might also be making connections with the Russian (Glonass) and
Chinese (Beidou) networks.

https://www.bbc.com/news/science-environment-48985399


Re: How Fake News Could Lead to Real War (RISKS-31.33)

Dick Mills <dickandlibbymills@gmail.com>
Tue, 16 Jul 2019 08:34:35 -0400
"Imagine what it might be like to be in the grip of a conspiracy theory,
when you've spent your whole professional life being one of those policy
mandarins who could smell a conspiracy theory a mile away?..."

The root problem here is lack of trust in authorities.  It goes much deeper
than just technology.  For my whole life, such trust has been eroding
among the public.  The interesting thing about that story is that the shoe
is finally on the other foot: an authority is losing trust.

I say good. Maybe they may take steps to become trustworthy themselves.


Re: London commuters' Wi-Fi Tube being tracked

Chris Drewe <e767pmk@yahoo.co.uk>
Tue, 16 Jul 2019 21:45:35 +0100
  [TfL is the authority that runs the London Underground]

https://www.dailymail.co.uk/news/article-7223711/Experts-warn-London-commuters-turn-phones-Wi-Fi-Tube-stop-tracked.html

Security experts warn London commuters to turn off their phones' Wi-Fi on
the Tube to stop being tracked as TfL starts harvesting signal data today

* Operator will monitor travel patterns with beacon that detects Wi-Fi
  capability
* Phones, laptops or tablets do not have to join the station's network to
  be tracked
* Only way to ensure that you are not tracked is to disable your Wi-Fi
  completely

Sebastian Murphy-bates For Mailonline, 8 July 2019

This morning the Tube network introduced monitoring of signals to harvest
data from commuters in the capital. Transport for London says it is
collecting details of where, when and how customers use the service. Even
phones that are not connected to TfL's Wi-Fi will be vulnerable to tracking.

I went to a talk a year or two ago given by one of the Underground's planning
staff on remodeling Bank station in the heart of the City of London business
district (so-named because the Bank of England building is just across the
street, not because it's on the bank of the River Thames as I had
incorrectly assumed when I was a kid).  This is a major below-ground station
underneath a large road intersection, where multiple lines cross at several
levels, so it's quite a labyrinth.

For busy, complicated subway/rapid transit systems like London's, obviously
train capacity is a major planning challenge, but just as important is
handling the volume of passengers through the stations as they use
corridors, ticket barriers, elevators, stairs, escalators, etc. between
trains or trains and streets.  Historically, measuring passenger flows was
done by groups of stewards located at strategic points around a station;
some would hand out numbered cards to passengers as they entered the station
or got off trains, while others would collect the cards as passengers left
the station or got on trains.  This was OK in a basic way, but was
labour-intensive and rather intrusive at busy times, and only a small sample
of passengers could be covered.

Of course nowadays most people carry cellphone or wi-fi wireless devices and
the Underground has repeaters to keep them working below ground, so the
obvious step is to use these to log passenger movements, as it's totally
unobtrusive and allows detailed real-time tracking of almost every
passenger.  The lady who gave the talk stressed that there's no attempt to
make contact with or identify any of the devices, and presumably details of
individual devices are not retained after analysing their movements --
pointless anyway unless GCHQ/MI5/FBI/CIA or whoever want to track random
people's journeys for the sake of it.  She added that the technique was
unexpectedly useful as passengers were found to be surprisingly imaginative
at figuring out routes around the station, including several ways that the
planners hadn't considered themselves.

Presumably the warning signs on stations mentioned in the newspaper are to
comply with latest data-protection regulations.
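As an added illustration (not code from the talk, from TfL, or from the post above), here is one way to do the passenger-flow counting described above so that the stored result keeps neither MAC addresses nor anything that links a device across analysis runs. The station zones and probe sightings are constructed sample data.

```python
import hashlib
import hmac
import secrets
from collections import Counter, defaultdict

# Constructed sample: Wi-Fi probe-request sightings at beacons placed in
# station zones.  Each entry is (seconds since start, MAC seen over the
# air, zone name).  Not real TfL data.
SIGHTINGS = [
    (0,   "aa:bb:cc:00:00:01", "street_entrance"),
    (40,  "aa:bb:cc:00:00:01", "ticket_hall"),
    (95,  "aa:bb:cc:00:00:01", "northern_platform"),
    (5,   "aa:bb:cc:00:00:02", "street_entrance"),
    (50,  "aa:bb:cc:00:00:02", "ticket_hall"),
    (120, "aa:bb:cc:00:00:02", "central_platform"),
    (10,  "aa:bb:cc:00:00:03", "central_platform"),
    (70,  "aa:bb:cc:00:00:03", "ticket_hall"),
    (75,  "aa:bb:cc:00:00:03", "ticket_hall"),  # re-seen in same zone: not a hop
    (130, "aa:bb:cc:00:00:03", "street_entrance"),
]


def pseudonym(mac: str, salt: bytes) -> str:
    """Keyed hash of the MAC.  A fresh random salt per run means pseudonyms
    from different days cannot be linked, and once the salt is discarded
    nobody, the operator included, can map a pseudonym back to a device."""
    return hmac.new(salt, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def count_flows(sightings, salt: bytes) -> Counter:
    """Count zone-to-zone hops.  Only pseudonyms are held, and only for as
    long as it takes to put each device's sightings in time order."""
    tracks = defaultdict(list)
    for t, mac, zone in sightings:
        tracks[pseudonym(mac, salt)].append((t, zone))
    flows = Counter()
    for path in tracks.values():
        zones = [z for _, z in sorted(path)]
        for a, b in zip(zones, zones[1:]):
            if a != b:
                flows[(a, b)] += 1
    return flows


def flow_report(sightings) -> Counter:
    """One analysis run with a throwaway salt that never leaves this frame."""
    return count_flows(sightings, secrets.token_bytes(32))


def report_mentions_macs(report: Counter, sightings) -> bool:
    """Sanity check that the retained output contains no over-the-air MAC."""
    text = repr(report)
    return any(mac in text for _, mac, _ in sightings)
```

The aggregate (hops between zones) is what the planners need; per-device tracks exist only transiently and are keyed by a pseudonym whose salt is gone when the function returns.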
