The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 46

Monday 21 October 2019

Contents

Russian Secret Weapon Against U.S. 2020 Election Revealed In New Cyberwarfare Report
Forbes
Melbourne cyber-conference organisers pressured speaker to edit 'biased' talk
Josh Taylor
Zuckerberg fears 'erosion of truth' but defends allowing politicians to lie in ads
WashPost
Citizen Data of 92 Million Brazilians Offered for Sale on Underground Forum
CPO Magazine
Fifth-generation broadband wireless threatens weather forecasting
Physics Today
Does your car have automated emergency braking? It's a big fail for pedestrians
Liam Tung
A Police Tesla Nearly Ran Out of Power During a Chase. It Wasn't the Car's Fault.
NYTimes
Mountain village begs tourists not to follow Google Maps and get stuck
CNN
There's an art to artificial intelligence
Forbes
Trying to use the police robot slows down emergency response
NBC
Troubles with Tesla's automated parking feature summon safety regulators
Reuters
Better reply even if told to be patient
Dan Jacobson
Tell HUD: Algorithms Shouldn't Be an Excuse to Discriminate
EFF
Japanese assault suspect 'tracked down pop star via eye reflection in selfie'
*The Guardian*
How my iPhone landed me with a £476 fine and made me a criminal
Financial Times
Inside New York's Partnership With Israeli iPhone Hacking Company
Cellebrite
FBI's Use of Foreign-Surveillance Tool Violated Americans' Privacy Rights
WSJ
How Photos of Your Kids Are Powering Surveillance Technology
NYT
What's Happening at the Center of the Surveillance Economy
Fortune
Power company happy talk
Dominion Energy
'This Did Not Go Well': Inside PG&E's Blackout Control Room
NYT
Why the PG&E Blackouts Spared California's Big Tech HQs
WiReD
Malware That Spits Cash Out of ATMs Has Spread Across the World
VICE
Student tracking, secret scores: How college admissions offices rank prospects before they apply
WashPost
Fortnite has been down for hours as millions of players stare at a black hole
The Verge
Want to disconnect from your phone? Automakers are making that tougher
ABC News
This just got real: US, UK agencies issue joint VPN security alert
TechBeacon
Blizzard restores Hong Kong player's winnings, reduces suspension after international uproar
WashPost
Fingerprint security? Not so much...
SendGrid
A Young Man Nearly Lost His Life to Vaping
NYTimes
Chinese app on Xi's ideology allows data access to 100 million users' phones, report says
WashPost
One Good Reason to Delist Chinese Companies
Bloomberg
Guess what loses its value faster than your car? Your smartphone.
Adrian Kingsley-Hughes
Mobile security: These health apps aren't good for your phone or your privacy
Danny Palmer
GitHub gets blocking half-backwards
Dan Jacobson
Vaping devices add to fire risks on planes and officials struggle to keep up.
WashPost
With Windows Virtual Desktop, the bad old days are coming back
Computerworld
Former Apple employees create Level Lock smart lock, backed by Walmart
CNBC
Feds bust massive child porn sharing site; hundreds of users arrested
Ars Technica
Re: The broken record: Why Barr's call against end-to-end encryption is nuts
Keith Medcalf
Re: 3D printing
Dam Jackson
Re: PGN comment
R. G. Newbury
Info on RISKS (comp.risks)

Russian Secret Weapon Against U.S. 2020 Election Revealed In New Cyberwarfare Report (Forbes)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 8 Oct 2019 14:50:00 PDT
https://www.forbes.com/sites/zakdoffman/2019/09/24/new-cyberwarfare-report-unveils-russias-secret-weapon-against-us-2020-election/#678a2ea368f5


Melbourne cyber-conference organisers pressured speaker to edit 'biased' talk (Josh Taylor)

Richard Forno <rforno@infowarrior.org>
October 9, 2019 19:59:23 JST
  [Via Dave Farber]

After two speakers were banned, a third says organisers tried to edit his
presentation.

9 Oct 2019

https://www.theguardian.com/technology/2019/oct/09/melbourne-cyber-conference-organisers-pressured-speaker-to-edit-biased-talk

Organisers at the Australian Cyber Conference in Melbourne asked a speaker
to edit his speech on Australia's anti-encryption legislation, after they
had dropped two other speakers, who were delivering talks related to
whistleblowing, from the line-up at the last minute.

Guardian Australia has learned that Ted Ringrose, partner with legal advice
firm Ringrose Siganto, was told to edit his speech, and conference organisers
had sent him an edited version of his slide pack on his talk stating that
the original version was “biased”.

He said they took issue with a comparison between Australia's encryption
laws and China's, despite the fact that his talk points out that while
Australia's look worse on the surface, in reality it is “just about as
bad”.  Ringrose said he pushed back at the attempted censorship and the
conference organisers agreed to let him present his talk as planned.

This is in contrast to the decisions made regarding speeches by US
whistleblower Thomas Drake and University of Melbourne researcher Dr
Suelette Dreyfus.

On Tuesday it was reported former National Security Agency executive turned
whistleblower Drake, along with Dreyfus, were kicked off the conference
agenda in what Drake described as an “Orwellian” move by the conference
partner, the Australian Cyber Security Centre (ACSC).

The move was criticised as “super weird” by a key speaker at the event,
Bruce Schneier, as Drake and Dreyfus set up a website detailing their
now-banned speeches.

At the second day of the conference attended by 3,500 people in Melbourne on
Thursday, security technologist Schneier said it was a “super weird story”
for Drake and Dreyfus to be banned from speaking at the event, because the
speeches themselves were not particularly controversial.

“[Drake] was going to talk about basically surveillance. It's the sort of
talk I would do—government corporate surveillance and everybody is spying
on all of us—nothing we don't know,” he said. “[Dreyfus] was going to
talk on work she did for the EU on building whistleblower platforms to
reduce corruption in third world countries - kind of mundane.”

Schneier blamed someone within Australia's peak cyber security agency for
being concerned about the content of the talks.

“My guess is someone at the ACSC saw the word 'whistleblower' and because
that word is sensitive here, kind of freaked,” he said.

Schneier read out the URL for the website set up overnight hosting the
abstracts of the two talks, as well as the slides from Drake's proposed
speech, and drew cheers from the crowd when he said they were “morally
obligated” to go read them.

“The other lesson is if you make noise and ban something you'll get more
press than if you just ignored it.”

Alex Woerndle, deputy chair of the Australian Information Security
Association (AISA), which organised the conference, said questions about the
two speakers being removed should be directed to ACSC but said: “AISA
supports and encourages diversity of views however it's important to note we
work with a number of partners, including government, and as such need to
manage a variety of views to deliver an event catered for all our
stakeholders.”

ACSC did not initially respond to requests for comment on Tuesday. Guardian
Australia directly approached officials at the agency's booth at the
conference on Wednesday, and was later told that no comment would be
provided on the matter.

The conference also banned media from attending a session where an official
from Home Affairs explained the development of the government's 2020 cyber
security strategy. Non-media attendees said the talk contained nothing that
wasn't already public knowledge.

It comes at a time of public debate in Australia on whistleblowing laws and
press freedom, following Australian federal police raids on News Corp
journalist Annika Smethurst and the ABC over stories politically damaging
for the government.

Former spy Witness K decided to plead guilty to breaching secrecy laws by
revealing Australia's spying on Timor-Leste while his lawyer, Bernard
Collaery, is fighting charges.


Zuckerberg fears 'erosion of truth' but defends allowing politicians to lie in ads (WashPost)

the keyboard of geoff goodfellow <geoff@iconia.com>
Thu, 17 Oct 2019 15:31:12 -1000
Facebook chief Executive Mark Zuckerberg said in an interview he worries
"about an erosion of truth" online but defended the policy that allows
politicians to peddle ads containing misrepresentations and lies on his
social network, a stance that has sparked an outcry during the 2020
presidential campaign.

"People worry, and I worry deeply, too, about an erosion of truth,"
Zuckerberg told The Washington Post ahead of a speech Thursday at Georgetown
University. "At the same time, I don't think people want to live in a world
where you can only say things that tech companies decide are 100 percent
true. And I think that those tensions are something we have to live
with."...

https://www.sfgate.com/news/article/Zuckerberg-fears-erosion-of-truth-but-defends-14542091.php
https://www.washingtonpost.com/technology/2019/10/17/facebook-ceo-mark-zuckerberg-says-interview-he-fears-erosion-truth-defends-allowing-politicians-lie-ads/
https://www.washingtonpost.com/podcasts/post-reports/facebooks-mark-zuckerberg-struggles-to-balance-truth-and-free-speech/


Citizen Data of 92 Million Brazilians Offered for Sale on Underground Forum (CPO Magazine)

José María Mateos <chema@rinzewind.org>
Mon, 14 Oct 2019 20:58:46 -0400
https://www.cpomagazine.com/cyber-security/citizen-data-of-92-million-brazilians-offered-for-sale-on-underground-forum/

This massive trove of citizen data is a mystery at present. There have been
no public announcements of data breaches recently that would correspond to
this information.

Research by BleepingComputer indicates that the data is legitimate, however,
and may have been stolen from the Department of Federal Revenue of Brazil
and consist of information on employed taxpayers in the country. Brazil's
population is estimated to be about 210 million, so this would mean that
nearly half of the residents of the country have been exposed. The 92
million entries in the database would also match census estimates that put
the working population of the country at about 93 million people.

The database contains full names, dates of birth, home province, driver's
license and taxpayer ID numbers. Some records contain additional details
such as business registration information, phone numbers, license plate
numbers, familial relations and dates of death.

BleepingComputer confirmed that the information available through the
hacking forums was in an SQL database of about 16 GB in size, and that
accurate information about known individuals could be looked up.


Fifth-generation broadband wireless threatens weather forecasting (Physics Today)

George Sherwood <sherwood@testcover.com>
Thu, 10 Oct 2019 14:06:17 -0400
Excerpts from https://doi.org/10.1063/PT.3.4267 by Alex Lopatka

The fight is on over 5G. Telecommunication companies and the US government
promote the latest mobile broadband because it will provide faster
data-transfer rates. Faster, more reliable digital communication is needed
for the newest technologies—autonomous vehicles, Internet-of-things
devices, and smart energy grids. But meteorologists, US science agencies,
and other countries worry that strong 5G signals may interfere with
satellites that are crucial to weather forecasting.

Widespread 5G deployment will depend on building a new infrastructure of
antennas that operate in high-frequency radio bands. Telecom companies and
US regulators support 24 GHz for 5G networks because of its greater
bandwidth and because the 1--6 GHz radio spectrum is already crowded
with 4G, digital TV, radar, and other applications. (The 24 GHz band spans
24.25--24.45 GHz and 24.75--25.25 GHz.)

Spectrum is a finite resource, and the Federal Communications Commission
(FCC), which coordinates the commercial use of spectrum in the US, is
racing to allocate as much higher-frequency spectrum as possible for 5G
technology. The FCC “5G FAST” plan is bringing more spectrum to market,
updating infrastructure policy, and modernizing regulations. Other bands
are being considered, including 28, 37, 39, and 47 GHz.

In October at the United Nations International Telecommunication Union
Radiocommunication Sector (ITU-R) conference, member countries will discuss
and vote on how to regulate the 5G signal in the 24 GHz band. The US is
poised to push for a higher maximum 5G signal power than what European
countries favor. Lower signal power would decrease the range of the 5G
signal.

“The precipitating issue here is the potential for what's called
out-of-band interference,” says Jordan Gerth of the University of
Wisconsin Madison. Water-vapor molecules emit electromagnetic radiation at
23.8 GHz, and instruments such as the Advanced Technology Microwave Sounder
aboard NOAA's Joint Polar Satellite System infer atmospheric
air-temperature and moisture data from the 23.6--24.0 GHz emission band. The
measurements are used to calibrate numerical weather-prediction models,
such as NOAA's Global Forecast System.

A 5G signal could leak across the 250 MHz gap between the water-vapor
emission band and the 24 GHz 5G band, which could make it nearly impossible
for microwave instruments to differentiate between water vapor and
emissions from 5G smartphones. Microwave instruments have no other
frequencies they can use to sense water vapor. Filtering for noise from a
5G network would be difficult, says Joel Johnson of the Ohio State
University. “If there's thousands of these little transmitters all over the
place, then it's very hard to correct for them.”

Neil Jacobs, a NOAA assistant secretary of commerce, explained that using
the 24 GHz band for 5G with the signal strength proposed by the FCC, 20
decibel watts per 200 MHz, would decrease the data collected from microwave
instruments by 77%.

Jacobs said that such data loss would return the US weather prediction
capability to “somewhere around 1980.” Citing an unpublished NOAA study,
he further testified that a lower signal strength of 40 or 50 dBW per 200
MHz “would result in roughly zero data loss.” That range, one-hundredth to
one-thousandth of the FCC's proposed limit, was determined with guidance
from the ITU-R and industry.


Does your car have automated emergency braking? It's a big fail for pedestrians (Liam Tung)

Gene Wirchenko <gene@shaw.ca>
Mon, 07 Oct 2019 10:43:17 -0700
Liam Tung | October 7, 2019
Drivers should not rely on automatic braking tech, and pedestrians
must be wary of drivers.
https://www.zdnet.com/article/does-your-car-have-automated-emergency-braking-its-a-big-fail-for-pedestrians/

selected text:

A new study by the American Automobile Association (AAA) shows that
automated emergency braking cannot be trusted when it comes to preventing
running over a person crossing the street.

Tests carried out at just 20mph (32kph) showed that the braking system only
avoided running over an adult-sized dummy 40% of the time.  However,
somewhat encouragingly, during an additional 35% of the time, the vehicle
automatically lowered its speed by 4.4mph, but nonetheless still crashed
into the dummy.

The results were much worse when testing the systems for children crossing
the road. Using a child-sized dummy, vehicles only avoided running over the
child 11% of the time, but in an additional 25% of cases slowed down by
5.9mph.  AAA comments that "evaluated pedestrian detection systems were
ineffective during nighttime conditions".

The results for Tesla, which is pushing the boundaries of autonomous
driving, don't look good either. Automatic braking cut speed by an
average of 2.8mph in three test runs and did not slow down at all in two
runs.  However, in five test runs with the vehicles traveling around a right
curve, all of them ran over the pedestrian.  "When a pedestrian target was
located immediately after a right curve, all test vehicles failed to apply
any degree of automatic braking," the AAA writes.

All the vehicles' automatic braking systems were useless at avoiding
crashing into a child who darts out into the road from between two parked
cars.  The key message from the AAA is that drivers cannot and should not
rely on automatic braking systems until they're proven to work consistently
in all situations and conditions.


A Police Tesla Nearly Ran Out of Power During a Chase. It Wasn't the Car's Fault. (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 8 Oct 2019 11:20:36 -0400
Gas or electric, all cars need to be refueled in some way, the police in
Fremont, Calif., said.
https://www.nytimes.com/2019/10/03/us/tesla-police-car-chase.html


Mountain village begs tourists not to follow Google Maps and get stuck (CNN)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 15 Oct 2019 10:08:09 -0600
Julia Buckley, CNN • 15 Oct 2019

  (CNN) -- Unspoilt beaches at the foot of steep cliffs, romantic winding
  roads, and plenty of mountain wilderness—Italy's Mediterranean island
  of Sardinia has it all.  But some tourists are finding the combination a
  little too difficult to take.

  Authorities in Baunei, in Sardinia's eastern province of Ogliastra, have
  launched an appeal to visitors, telling them not to rely on Google Maps to
  get around the area.

  Tourists are routinely following their GPS down lanes that are unsuitable
  for cars and onto off-road tracks in a bid to make their way to "hidden"
  beaches, needing to be rescued by the local fire brigade when they get
  stuck.

  The move follows 144 emergency call-outs for both cars and hikers in the
  province over the past two years.

  The emergency services are effectively funded by the local
  community. Tourists do not have to pay for their rescue.


There's an art to artificial intelligence (Forbes)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sun, 13 Oct 2019 07:20:46 -1000
As hard as it is to believe, artificial intelligence (AI) was rarely
mentioned in the discussions related to digital transformation that began
almost a decade ago. Now, no mention of transformation would make sense
without how AI is making it all possible.

The intertwining of digital transformation and AI is the subject of an
upcoming book by Marco Iansiti and Karim Lakhani, both Harvard University
professors. In their new book, *Competing in the Age of AI*, they look at
successful digitally savvy enterprises across the globe, and how they do
things differently.  <https://amzn.to/2otTLLl>

Success in today's digital economy comes from cloud, data science, and
nurturing a well-networked ecosystem of partners and contributors.  “The
new breed of digital firm is all about innovation in the business model,
experimenting and recombining various aspects of value creation and value
capture,” according to Iansiti and Lakhani. Previously, value creation was
usually achieved through simple transactional processes with customers in
traditional organizations. In the digital world, things are more
multi-dimensional.

Iansiti and Lakhani describe the common traits of enterprises taking the
lead with AI-powered digital capabilities:...

https://www.forbes.com/sites/joemckendrick/2019/10/10/theres-an-art-to-artificial-intelligence/


Trying to use the police robot slows down emergency response (NBC)

Eli the Bearded <*@eli.users.panix.com>
Thu, 10 Oct 2019 19:39:55 -0400 (EDT)
https://www.nbcnews.com/tech/tech-news/robocop-park-fight-how-expectations-about-robots-are-clashing-reality-n1059671

The city of Huntington Park, California, is evaluating a (some?)
gherkin-building-shaped "robocop". A woman witnessed an altercation and
decided to use the robot to summon actual police. Upon pushing the emergency
alert button she was told to "step out of the way" and otherwise ignored.

  The robot's alert button is not yet connected to the police department,
  said Cosme Lozano, chief of police of Huntington Park [...] The calls are
  instead directed to Knightscope, the company that creates and leases the
  robots.

Instead people are supposed to just call 911 themselves, a message the robot
eventually spoke aloud.

Not sure what good the robot is then except for security theatre.


Troubles with Tesla's automated parking feature summon safety regulators (Reuters)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 14:36:21 -0400
https://www.reuters.com/article/us-tesla-safety-nhtsa/troubles-with-teslas-automated-parking-summon-safety-regulators-idUSKBN1WH280


Better reply even if told to be patient

Dan Jacobson <jidanni@jidanni.org>
Fri, 11 Oct 2019 06:09:16 +0800
Interesting. Even if the tech representative says he has referred the
problem to higher levels, and I should be patient and wait for his reply...

But the system expects the customer to still reply, else...

"If you missed our previous reply, please check your Junk/Spam folders.  If
we do not hear back from you within 7 business days, your ticket will be
closed automatically.

Thank you, Logitech Support"

So the user had better reply each time, even if only "OK."


Tell HUD: Algorithms Shouldn't Be an Excuse to Discriminate (EFF)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 16:17:22 -0400
The U.S. Department of Housing and Urban Development (HUD) recently released
a proposed rule that will have grave consequences for the enforcement of
fair housing laws. Under the Fair Housing Act, individuals can bring claims
on the basis of a protected characteristic (like race, sex, or disability
status) when there is a facially-neutral policy or practice that results in
unjustified discriminatory effect, or disparate impact. The proposed rule
makes it much harder to bring a disparate impact claim under the Fair
Housing Act. Moreover, HUD's rule creates three affirmative defenses for
housing providers, banks, and insurance companies that use algorithmic
models to make housing decisions. As we've previously explained, these
algorithmic defenses demonstrate that HUD doesn't understand how machine
learning actually works.

https://www.eff.org/deeplinks/2019/10/tell-hud-algorithms-are-no-excuse-discrimination


Japanese assault suspect 'tracked down pop star via eye reflection in selfie' (*The Guardian*)

José María Mateos <chema@rinzewind.org>
Fri, 11 Oct 2019 19:11:53 -0400
https://www.theguardian.com/world/2019/oct/11/japanese-assault-suspect-tracked-down-pop-star-via-eye-reflection-in-selfie

This seems a new risk of selfies to me:

  Police have charged a man in Tokyo with assaulting a pop star, saying he
  tracked her down through the reflection in her eyes on a selfie she
  posted, according to local media reports.

I haven't seen the selfie to check for myself, but at this point I'd
place this in the "plausible" section.

  [Also noted by Yvo Desmedt.  PGN]


How my iPhone landed me with a £476 fine and made me a criminal (Financial Times)

José María Mateos <chema@rinzewind.org>
Fri, 11 Oct 2019 19:17:37 -0400
https://www.ft.com/content/e8a177d4-dfae-11e9-9743-db5a370481bc

The digital payments revolution was meant to make things better for the
consumer. No more banknotes falling out of your back pocket; no more waiting
days on end for cheques to clear; no more missing your train because the
tourist at the front of the queue doesn't know how to use the ticket
machine.

Or it was for me, anyway -- I'm fully signed up to the digital revolution,
you see. Not only do I rarely carry cash, but I hardly ever leave the house
with my wallet. I'm one of the estimated 8m Britons who use their
smartphones to make contactless payments.

But smart though my phone is, it is not infallible. And like many new
technologies, digital payments solve some problems, but they also create
new, unforeseen ones. A paper ticket might be inherently easier to lose than
a phone, but at least it doesn't just die on you whenever it feels like it.

It all started one October afternoon last year, when a bus inspector asked
to see my £1.50 ticket. I had tapped into the bus with my iPhone using Apple
Pay, but alas, in the five minutes since I'd boarded, my phone had run out
of juice, so I had no means of proving that I had paid.

  [Different item noted by Gene Wirchenko.  PGN]


Inside New York's Partnership With Israeli iPhone Hacking Company (Cellebrite)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 14:36:46 -0400
The Manhattan District Attorney's office uses subscription software from
Israeli digital forensics firm Cellebrite that enables it to break into "all
iOS and high-end Android devices" using computers in its offices.* The
Manhattan DA is one of the biggest prosecutors in the U.S., and it has had
this capability since January 2018. Its contract with Cellebrite was worth
$200,000 over three years, covering software licensing and installation,
personnel training, and a set number of device cracks. The contract also
requires the software be used in a "secure room" with no recording
devices. (ONEZERO)

https://onezero.medium.com/exclusive-inside-new-yorks-partnership-with-israeli-iphone-cracking-company-cellebrite-12a2252c3ebf


FBI's Use of Foreign-Surveillance Tool Violated Americans' Privacy Rights (WSJ)

Richard Forno <rforno@infowarrior.org>
October 9, 2019 3:54:44 JST
Dustin Volz and Byron Tau, *The Wall Street Journal*, 8 Oct 2019
https://www.wsj.com/articles/fbis-use-of-foreign-surveillance-tool-violated-americans-privacy-rights-court-found-11570559882

U.S. discloses ruling last year by Foreign Intelligence Surveillance Court
that FBI's data queries of U.S. citizens were unconstitutional

WASHINGTON—Some of the Federal Bureau of Investigation's electronic
surveillance activities violated the constitutional privacy rights of
Americans swept up in a controversial foreign intelligence program, a
secretive surveillance court has ruled.  The ruling deals a rare rebuke to
U.S. spying activities that have generally withstood legal challenge or
review.

The intelligence community disclosed Tuesday that the Foreign Intelligence
Surveillance Court last year found that the FBI's pursuit of data about
Americans ensnared in a warrantless Internet-surveillance program intended
to target foreign suspects may have violated the law authorizing the
program, as well as the Constitution's Fourth Amendment protections against
unreasonable searches.

The court concluded that the FBI had been improperly searching a database of
raw intelligence for information on Americans—raising concerns about
oversight of the program, which as a spy program operates in near total
secrecy.  The court ruling identifies tens of thousands of improper searches
of raw intelligence databases by the bureau in 2017 and 2018 that it deemed
improper in part because they involved data related to tens of thousands of
emails or telephone numbers—in one case, suggesting that the FBI was
using the intelligence information to vet its personnel and cooperating
sources. Federal law requires that the database only be searched by the FBI
as part of seeking evidence of a crime or for foreign intelligence
information.

In other cases, the court ruling reveals improper use of the database by
individuals. In one case, an FBI contractor ran a query of an intelligence
database—searching information on himself, other FBI personnel and his
relatives, the court revealed.

The Trump administration failed to make a persuasive argument that modifying
the program to better protect the privacy of Americans would hinder the
FBI's ability to address national-security threats, wrote U.S. District
Judge James Boasberg, who serves on the FISA Court, in the partially
redacted 167-page opinion released Tuesday.  “The court accordingly finds
that the FBI's querying procedures and minimization procedures are not
consistent with the requirements of the Fourth Amendment,” Mr. Boasberg
concluded.


How Photos of Your Kids Are Powering Surveillance Technology (NYT)

Dewayne Hendricks <dewayne@warpspeed.com>
October 12, 2019 20:58:26 JST
Kashmir Hill and Aaron Krolik, *The New York Times*, 11 Oct 2019
Millions of Flickr images were sucked into a database called MegaFace.
Now some of those faces may have the ability to sue.

https://www.nytimes.com/interactive/2019/10/11/technology/flickr-facial-recognition.html

The pictures of Chloe and Jasper Papa as kids are typically goofy fare:
grinning with their parents; sticking their tongues out; costumed for
Halloween. Their mother, Dominique Allman Papa, uploaded them to Flickr
after joining the photo-sharing site in 2005.

None of them could have foreseen that 14 years later, those images would
reside in an unprecedentedly huge facial-recognition database called
MegaFace. Containing the likenesses of nearly 700,000 individuals, it has
been downloaded by dozens of companies to train a new generation of
face-identification algorithms, used to track protesters, surveil
terrorists, spot problem gamblers and spy on the public at large.

“It's gross and uncomfortable,” said Mx. Papa, who is now 19 and attending
college in Oregon. “I wish they would have asked me first if I wanted to be
part of it. I think artificial intelligence is cool and I want it to be
smarter, but generally you ask people to participate in research. I learned
that in high school biology.”

By law, most Americans in the database don't need to be asked for their
permission—but the Papas should have been.

As residents of Illinois, they are protected by one of the strictest state
privacy laws on the books: the Biometric Information Privacy Act, a 2008
measure that imposes financial penalties for using an Illinoisan's
fingerprints or face scans without consent. Those who used the database --
companies including Google, Amazon, Mitsubishi Electric, Tencent and
SenseTime—appear to have been unaware of the law, and as a result may
have huge financial liability, according to several lawyers and law
professors familiar with the legislation.

How MegaFace was born

How did the Papas and hundreds of thousands of other people end up in the
database? It's a roundabout story.

In the infancy of facial-recognition technology, researchers developed their
algorithms with subjects' clear consent: In the 1990s, universities had
volunteers come to studios to be photographed from many angles. Later,
researchers turned to more aggressive and surreptitious methods to gather
faces at a grander scale, tapping into surveillance cameras in coffee shops,
college campuses and public spaces, and scraping photos posted online.

According to Adam Harvey, an artist who tracks the data sets, there are
probably more than 200 in existence, containing tens of millions of photos
of approximately one million people. (Some of the sets are derived from
others, so the figures include some duplicates.) But these caches had
flaws. Surveillance images are often low quality, for example, and gathering
pictures from the Internet tends to yield too many celebrities.

In June 2014, seeking to advance the cause of computer vision, Yahoo
unveiled what it called “the largest public multimedia collection that has
ever been released,” featuring 100 million photos and videos. Yahoo got the
images—all of which had Creative Commons or commercial use licenses --
from Flickr, a subsidiary.

The database creators said their motivation was to even the playing field in
machine learning. Researchers need enormous amounts of data to train their
algorithms, and workers at just a few information-rich companies—like
Facebook and Google—had a big advantage over everyone else.

“We wanted to empower the research community by giving them a robust
database,” said David Ayman Shamma, who was a director of research at Yahoo
until 2016 and helped create the Flickr project. Users weren't notified that
their photos and videos were included, but Mr. Shamma and his team built in
what they thought was a safeguard.

They didn't distribute users' photos directly, but rather links to the
photos; that way, if a user deleted the images or made them private, they
would no longer be accessible through the database.

But this safeguard was flawed. The New York Times found a security
vulnerability that allows a Flickr user's photos to be accessed even after
they've been made private. (Scott Kinzie, a spokesman for SmugMug, which
acquired Flickr from Yahoo in 2018, said the flaw “potentially impacts a
very small number of our members today, and we are actively working to
deploy an update as quickly as possible.''  Ben MacAskill, the company's
chief operating officer, added that the Yahoo collection was created “years
before our engagement with Flickr.'')

Additionally, some researchers who accessed the database simply downloaded
versions of the images and then redistributed them, including a team from
the University of Washington. In 2015, two of the school's computer science
professors—Ira Kemelmacher-Shlizerman and Steve Seitz—and their
graduate students used the Flickr data to create MegaFace.

Containing more than four million photos of some 672,000 people, it held
deep promise for testing and perfecting face-recognition algorithms.


What's Happening at the Center of the Surveillance Economy (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 16:52:29 -0400
https://fortune.com/2019/10/07/surveillance-economy-startup-envoy/


Power company happy talk (Dominion Energy)

Gabe Goldberg <gabe@gabegold.com>
Mon, 14 Oct 2019 15:43:23 -0400
*Newer technology to give customers fewer outages, faster restoration times,
and new tools to track and control their energy usage.*

New technology being deployed across the energy grid will reduce outages,
speed up restoration time, and give our customers reliable service they can
count on. We are investing in thousands of smart devices on the grid that
automatically report outages when they occur, and prevent certain outages
before they happen by identifying equipment that could be near failure. The
devices also can isolate outages by automatically rerouting power so fewer
customers are impacted, and allow us to quickly dispatch crews directly to
the source of the outage.  View a video <https://youtu.be/3rMGxE7Cr3k> to
learn more about the Smart Grid.

Smart meters will let customers take control of their energy usage through
new options like timely usage insights, customizable alerts for high energy
usage and bills, and outage information so customers no longer have to
notify Dominion Energy when lights are out and alerts to give customers
updates about their restoration status. The process for starting or stopping
service also is streamlined.
<https://www.dominionenergy.com/company/electric-projects/smart-meters>

  On Smart Meter page: *Power outage detection* - Smart meters can notify us
  when your power goes out and when it has been restored

Searching brings plenty warnings about myriad health problems caused by
smart meters. Discounting those as discredited crackpottery, I do wonder how
notification works when power is out. Each meter a cellphone? With battery
backup? Seems unlikely. And is there a dark (so to speak) side to power
company happy talk?


'This Did Not Go Well': Inside PG&E's Blackout Control Room (NYT)

Monty Solomon <monty@roscom.com>
Sat, 12 Oct 2019 19:38:56 -0400
https://www.nytimes.com/2019/10/12/business/pge-california-outage.html

As the utility turned off power to millions of Californians, its website
went down and it struggled to communicate with local officials and inform
residents.


Why the PG&E Blackouts Spared California's Big Tech HQs (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 16:16:26 -0400
Silicon Valley companies are served by safer, robust transmission lines.
Regular homes? Not so much.

https://www.wired.com/story/why-the-pgande-blackouts-spared-californias-big-tech-hqs/


Malware That Spits Cash Out of ATMs Has Spread Across the World (VICE)

José María Mateos <chema@rinzewind.org>
Tue, 15 Oct 2019 18:46:31 -0400
https://www.vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world

A joint investigation between Motherboard and the German broadcaster
Bayerischer Rundfunk (BR) has uncovered new details about a spate of
so-called "jackpotting" attacks on ATMs in Germany in 2017 that saw thieves
make off with more than a million Euros. Jackpotting is a technique where
cybercriminals use malware or a piece of hardware to trick an ATM into
ejecting all of its cash, no stolen credit card required. Hackers typically
install the malware onto an ATM by physically opening a panel on the machine
to reveal a USB port.


Student tracking, secret scores: How college admissions offices rank prospects before they apply (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Wed, 16 Oct 2019 12:47:54 -0400
Records reviewed by The Washington Post show
that at least 44 public and private universities in the United States work
with outside consulting companies to collect and analyze data on prospective
students, either by tracking their Web activity or formulating predictive
scores to measure each student's likelihood of enrolling. The vast majority
of universities reviewed by The Post do not tell students the schools are
collecting their information.

https://www.washingtonpost.com/business/2019/10/14/colleges-quietly-rank-prospective-students-based-their-personal-data/


Fortnite has been down for hours as millions of players stare at a black hole (The Verge)

Monty Solomon <monty@roscom.com>
Sun, 13 Oct 2019 20:41:52 -0400
https://www.theverge.com/2019/10/13/20909812/fortnite-down-black-hole-chapter-2-the-end


Want to disconnect from your phone? Automakers are making that tougher (ABC News)

Gabe Goldberg <gabe@gabegold.com>
Sun, 13 Oct 2019 21:35:09 -0400
Cathy Chase, president of Advocates for Highway and Auto Safety, said
hands-free technology in vehicles does little to prevent cognitive
distraction among drivers.  "People think they can multitask," she told ABC
News. "Voice to text technology makes mistakes. Then you correct it. You're
thinking about a different conversation—it imperils drivers and
passengers."

https://abcnews.go.com/Business/disconnect-phone-automakers-making-tougher/story?id=66003320

The risk? Those two buried paragraphs.


This just got real: US, UK agencies issue joint VPN security alert (TechBeacon)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 18:41:11 -0400
Spy agencies in the US and UK are jointly warning of big trouble for many
users of enterprise VPNs. Hacker groups—some state-sponsored—are
wreaking havoc at sites that haven't patched their installations.

The agencies—the NSA and the NCSC—have long remediation checklists for
your admin pleasure. So drop everything -- even if you've already patched your
VPN.

https://techbeacon.com/security/just-got-real-us-uk-agencies-issue-joint-vpn-security-alert


Blizzard restores Hong Kong player's winnings, reduces suspension after international uproar (WashPost)

Monty Solomon <monty@roscom.com>
Sat, 12 Oct 2019 18:54:45 -0400
After international uproar, the American gaming giant eases punishment for
Hong Kong player who expressed his political views on China.

https://www.washingtonpost.com/technology/2019/10/12/blizzard-restores-hong-kong-players-winnings-reduces-suspension-after-international-uproar/


Fingerprint security? Not so much... (SendGrid)

Gabe Goldberg <gabe@gabegold.com>
Fri, 18 Oct 2019 16:44:53 -0400
*Samsung has admitted that anyone can unlock a Galaxy S10 phone -- which has
an in-screen fingerprint scanner -- by putting a cheap screen protector on
it.* Samsung says the scanner is `malfunctioning' and will be fixed with a
software patch. In the meantime, users should turn off fingerprint
authentication. The peanut gallery has urged Apple to use in-screen
fingerprint scanners rather than Face ID, and there are some rumors
<https://u5080173.ct.sendgrid.net/wf/>


A Young Man Nearly Lost His Life to Vaping (NYTimes)

Monty Solomon <monty@roscom.com>
Wed, 16 Oct 2019 11:49:16 -0400
He thought vaping THC would be safer than smoking marijuana, but the fumes
shut down his lungs.
https://www.nytimes.com/2019/10/15/health/vaping-thc-illness.html

It is possible to become addicted to marijuana or dependent on it, according
to the National Institute on Drug Abuse.

A computer-science student, he explored the dark web to find THC vendors
with lower prices than he paid on the street, and turned money from his bank
account into Bitcoin, to make purchases that would be encrypted and
untraceable. On the electronic order forms, he requested the best and
strongest THC available.

Boxes of cartridges, 25 for $400, started arriving in the mail early last
summer. The return address was a house on a residential street in Ventura,
Calif.

The products had a variety of labels, including Dank Vapes, the same name
reported by many other people who got sick. It is not actually a brand, but
a label that sellers can put on any product. Some of the other cartridges
may have been counterfeit versions of brands that are legal in some
states. No one knows what is in the knockoff products or who makes them,
health officials say.


Chinese app on Xi's ideology allows data access to 100 million users' phones, report says (WashPost)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sun, 13 Oct 2019 07:16:39 -1000
The Chinese Communist Party appears to have "superuser" access to all the
data on more than 100 million cellphones, owing to a back door in a
propaganda app that the government has been promoting aggressively this
year.

An examination of the code in the app shows it enables authorities to
retrieve every message and photo from a user's phone, browse their contacts
and Internet history, and activate an audio recorder inside the device,
according to a U.S.-funded analysis.

"The [Chinese Communist Party] essentially has access to over 100 million
users' data," said Sarah Aoun, director of technology at the Open Technology
Fund, an initiative funded by the U.S. government under Radio Free
Asia. "That's coming from the top of a government that is expanding its
surveillance into citizens' day-to-day lives."

The party, led by Xi Jinping, launched the app, called "Study the Great
Nation," in January. The name is a pun because the Chinese word for study --
"xuexi"—contains the authoritarian leader's family name...

https://www.greenwichtime.com/news/article/Chinese-app-on-Xi-s-ideology-allows-data-access-14516955.php

https://www.washingtonpost.com/world/asia_pacific/chinese-app-on-xis-ideology-allows-data-access-to-100-million-users-phones-report-says/2019/10/11/2d53bbae-eb4d-11e9-bafb-da248f8d5734_story.html


One Good Reason to Delist Chinese Companies (Bloomberg)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sun, 13 Oct 2019 07:17:08 -1000
*They shouldn't be on U.S. exchanges if they won't submit to the same audit
scrutiny as everyone else. *

EXCERPT:

No one would accept Goldman Sachs Group Inc. or Tesla Inc. being able to
access U.S. capital markets without regulatory oversight. So it's
indefensible that Chinese companies listed on the Nasdaq or New York Stock
Exchange enjoy this privilege. The news that Trump administration officials
are considering delisting such firms
<https://www.bloomberg.com/news/articles/2019-09-27/white-house-weighs-limits-on-u-s-portfolio-flows-into-china-k12ahk4g> is therefore overdue and
welcome.

Lost in the debate over measures to restrict portfolio flows to China have
been more mundane questions about the expectations placed on companies that
list in the U.S.  The delisting proposal is the culmination of a
long-simmering dispute over whether the U.S. Securities and Exchange
Commission and government have jurisdiction over Chinese companies that have
their shares traded on American exchanges.
<https://www.bloomberg.com/view/articles/2019-10-04/trump-planned-limits-on-u-s-capital-flows-to-china-ups-trade-war>

Cases of accounting fraud and other irregularities at U.S.-listed Chinese
companies have been widespread.
<https://www.bloomberg.com/news/articles/2017-09-08/-china-hustle-warns-next-big-crisis-born-in-reverse-merger-mud>
Yet the Public Company Accounting Oversight Board has no right to examine
the audits or source documentation of such companies. Chinese accounting
firms have for years resisted demands by U.S. regulators
<https://www.bloomberg.com/news/articles/2015-11-03/u-s-investors-have-one-more-reason-to-fret-about-chinese-firms>
for information about their audits, arguing that disclosing the records
would violate laws that prohibit the transfer of data potentially containing
state secrets to foreign entities. A final agreement that would have allowed
the Washington-based PCAOB to examine Chinese audits unraveled in 2015
<https://www.bloomberg.com/news/articles/2015-11-03/u-s-investors-have-one-more-reason-to-fret-about-chinese-firms> .

The Chinese position presents fundamental problems for regulators and for
investor protection in the U.S. Washington has a choice: It must either
accept having no legal recourse or jurisdictional oversight of Chinese
companies traded on U.S. exchanges, or refuse new initial public offerings
and threaten to delist firms that already have sold shares unless they
comply with regulators' requests...

https://www.bloomberg.com/opinion/articles/2019-10-07/u-s-listed-china-companies-should-follow-rules-or-exit


Guess what loses its value faster than your car? Your smartphone. (Adrian Kingsley-Hughes)

Gene Wirchenko <gene@shaw.ca>
Mon, 07 Oct 2019 10:45:22 -0700
Adrian Kingsley-Hughes, ZDNet, 7 Oct 2019
Smartphones, even high-end devices such as iPhones and Samsung Galaxy
phones, really are a terrible investment.
https://www.zdnet.com/article/guess-what-loses-its-value-faster-than-your-car-your-smartphone/

opening text:

Cars are generally considered to be a poor investment, depreciating by an
average of about 40 percent during the first three years. But that's nothing
compared to smartphones.


Mobile security: These health apps aren't good for your phone or your privacy (Danny Palmer)

Gene Wirchenko <gene@shaw.ca>
Mon, 07 Oct 2019 10:51:45 -0700
Danny Palmer | October 7, 2019
As people turn to mobile apps to help manage health conditions,
cybercriminals have realised there's money to be made.
https://www.zdnet.com/article/mobile-security-these-health-apps-arent-good-for-your-phone-or-your-privacy/

opening text:

People looking for information about diabetes and other conditions could be
at risk from having their private information stolen and privacy invaded by
cyber criminals.


GitHub gets blocking half-backwards

Dan Jacobson <jidanni@jidanni.org>
Sat, 12 Oct 2019 03:00:39 +0800
On GitHub I can block somebody, add a comment

  "UPDATE: Send the money instead to account #123..."  to one of their
  issues, then unblock them, add a second reasonable comment, to which they
  would then reply. Readers would assume they got the email for both
  comments, so have no qualms about the first.

  *  (GitHub Developer Support)

    Oct 11, 8:58 AM UTC

    Hey again Dan,

    Thanks for writing in.

    If you block a user, they won't receive notifications for any comments
    you leave on issues (and vice-versa). Note that they will still be able
    to view the comments if they view the issue.

    I had a look through our documentation for blocking a user and I can see
    that we don't explain this particular scenario. I'll make a note for our
    team!

  *  Dan Jacobson

    Oct 11, 1:04 AM UTC

    Just curious, is there any way I, user X, can comment on an issue,
    opened by user Y, but not generate a notification to user Y?

    If I block user Y, can I comment to my heart's content on his issues,
    without worrying he will get notified?

    Is this documented somewhere? Thanks.
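
A toy model of the notification rule GitHub support describes, added here as an example and not GitHub's code: it replays the block, comment, unblock, comment sequence above, shows that the first comment is never delivered to the blocked user, and adds an assumed mitigation (a catch-up digest when the block is lifted) that closes the gap. The Tracker API, user names and comment bodies are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Comment:
    author: str
    body: str
    delivered_to: set = field(default_factory=set)  # users who were notified


@dataclass
class Issue:
    opener: str
    comments: list = field(default_factory=list)

    def participants(self):
        return {self.opener} | {c.author for c in self.comments}


class Tracker:
    """Constructed issue tracker: a block suppresses notifications in both
    directions, the behaviour described in the support reply above."""

    def __init__(self):
        self.issues = []
        self.blocks = set()  # unordered pairs {blocker, blocked}

    def open_issue(self, opener):
        issue = Issue(opener)
        self.issues.append(issue)
        return issue

    def blocked(self, a, b):
        return frozenset((a, b)) in self.blocks

    def block(self, blocker, blocked):
        self.blocks.add(frozenset((blocker, blocked)))

    def comment(self, issue, author, body):
        c = Comment(author, body)
        for user in issue.participants():
            if user != author and not self.blocked(author, user):
                c.delivered_to.add(user)  # notification goes out
        issue.comments.append(c)
        return c

    def missed(self, user):
        """Comments on issues the user participates in that were never
        delivered to them: the gap a silent block/unblock cycle opens."""
        return [c for i in self.issues if user in i.participants()
                for c in i.comments
                if c.author != user and user not in c.delivered_to]

    def unblock(self, blocker, blocked, catch_up=True):
        """Assumed mitigation (not a GitHub feature): lifting a block
        delivers a digest of every comment the block suppressed."""
        self.blocks.discard(frozenset((blocker, blocked)))
        digest = [c for c in self.missed(blocked) if c.author == blocker] if catch_up else []
        for c in digest:
            c.delivered_to.add(blocked)
        return digest


def dans_scenario(with_catch_up):
    """Replay X blocking Y, commenting, unblocking, commenting again; returns
    (first comment's recipients at posting, second's recipients, bodies Y never got)."""
    t = Tracker()
    issue = t.open_issue("Y")
    t.block("X", "Y")
    first = t.comment(issue, "X", "UPDATE: send the money to account #123...")
    first_at_post = sorted(first.delivered_to)  # empty: Y was blocked
    t.unblock("X", "Y", catch_up=with_catch_up)
    second = t.comment(issue, "X", "Thanks, that resolves it.")
    return first_at_post, sorted(second.delivered_to), [c.body for c in t.missed("Y")]
```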


Vaping devices add to fire risks on planes and officials struggle to keep up. (WashPost)

Monty Solomon <monty@roscom.com>
Mon, 7 Oct 2019 21:19:55 -0400
Safety officials have struggled to keep up with the deluge of billions of
electronic devices travelers are carrying.

https://www.washingtonpost.com/local/trafficandcommuting/with-little-faa-direction-vaping-devices-add-to-fire-dangers-on-planes/2019/10/03/8de85be0-ca8d-11e9-a1fe-ca46e8d573c0_story.html


With Windows Virtual Desktop, the bad old days are coming back (Computerworld)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 18:23:00 -0400
The PC -- and yes, Microsoft -- set us free. Now Microsoft is taking control.

https://www.computerworld.com/article/3444606/with-windows-virtual-desktop-the-bad-old-days-are-coming-back.html


Former Apple employees create Level Lock smart lock, backed by Walmart (CNBC)

Gabe Goldberg <gabe@gabegold.com>
Wed, 16 Oct 2019 15:33:25 -0400
https://www.cnbc.com/2019/10/15/former-apple-employees-create-level-lock-smart-lock-backed-by-walmart.html

The risk? How about the word "security" not appearing in article?


Feds bust massive child porn sharing site; hundreds of users arrested (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 18 Oct 2019 12:21:05 -0400
https://arstechnica.com/tech-policy/2019/10/child-porn-purveyor-learns-the-hard-way-that-bitcoin-is-traceable/


Re: The broken record: Why Barr's call against end-to-end encryption is nuts (Gallagher/Forno, RISKS-31.45)

"Keith Medcalf" <kmedcalf@dessus.com>
Mon, 07 Oct 2019 13:30:37 -0600
Facebook et al. are free to implement end-to-end encryption as the condition
"without including a means for lawful access to the content of
communications to protect our citizens." has already been met.  Barr and his
cronies are free to utilize the legal process already in place, the
obtaining of a search warrant on reasonable and probable grounds, in order
to obtain the clear-text from one of the end-points.

I believe Mr. Barr and his cronies are really saying that, since they are
unable to satisfy the requirements of "lawful access", they would prefer
Facebook et al. to maintain the "wink and nudge" system wherein due process
does not apply.


Re: 3D printing (ZDNet-Wirchenko, RISKS-31.45)

Ian Jackson <ijackson@chiark.greenend.org.uk>
Wed, 9 Oct 2019 12:01:39 +0100
It's looking more and more certain that 3D printing has a serious safety
problem. [...]

In fact if you read the study[1] this is a massive exaggeration.

The best summary is probably the graphs on p8 of the paper (Fig 4).  On each
graph, the blue bar is estimated background.  The green part of the bar is
the expected addition to human exposure, from the mean of the 3D printing
processes (printers and filaments) they tested.  The upwards error bar
corresponds to the worst-case.  The spots are a set of regulatory exposure
limits.

NB that all of this averaging hides the fact that some filaments are a
factor of 5 better than others (p4, Table 2).  For example, I usually
print in PLA.

The top graph "Predicted Personal Concentration" is for if you sit
right next to the printer, which you would probably not do if you were
printing in ABS or nylon, because it makes a nasty smell.  (PLA smells
quite nice, sort of caramelly.)

And even if you sit right next to the printer, the exposures are by
and large within regulatory limits.  If you don't then the risk is
even lower.  If you print in PLA or PVA the exposure is well within
these limits.

So in summary: if it doesn't smell nice, don't sit right next to the
printer and huff.

[1] https://sci-hub.se/https://doi.org/10.1016/j.buildenv.2019.106209


Re: PGN comment, RISKS-31.45

"R. G. Newbury" <newbury@mandamus.org>
Mon, 7 Oct 2019 23:32:29 -0400
  [It's a good thin[g] RISKS does not have a requirement for only *new
  topics*.  ``When will they ever learn.''  (The old song, ``Little Boxes on
  the Hillside'' [and they all look just the same] seems relevant here.)
  PGN]

Ahh, you are thinking of "Where have all the flowers gone" and the lines
"When will they ever learn? When will they ever learn?"

Sung by Peter, Paul and Mary, and the Kingston Trio and probably many
others.  Those are the two I remember... which kinda dates me!

  [TNX. Noted by several readers.  It's an amusing conflation on my part,
  because I used to sing both songs to lullaby my kids to sleep while
  plunking my guitar.  I must have fallen asleep while remembering.  PGN]
