The RISKS Digest
Volume 31 Issue 46

Monday, 21st October 2019

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Russian Secret Weapon Against U.S. 2020 Election Revealed In New Cyberwarfare Report
Forbes
Melbourne cyber-conference organisers pressured speaker to edit 'biased' talk
Josh Taylor
Zuckerberg fears 'erosion of truth' but defends allowing politicians to lie in ads
WashPost
Citizen Data of 92 Million Brazilians Offered for Sale on Underground Forum
CPO Magazine
Fifth-generation broadband wireless threatens weather forecasting
Physics Today
Does your car have automated emergency braking? It's a big fail for pedestrians
Liam Tung
A Police Tesla Nearly Ran Out of Power During a Chase. It Wasn't the Car's Fault.
NYTimes
Mountain village begs tourists not to follow Google Maps and get stuck
CNN
There's an art to artificial intelligence
Forbes
Trying to use the police robot slows down emergency response
NBC
Troubles with Tesla's automated parking feature summon safety regulators
Reuters
Better reply even if told to be patient
Dan Jacobson
Tell HUD: Algorithms Shouldn't Be an Excuse to Discriminate
EFF
Japanese assault suspect 'tracked down pop star via eye reflection in selfie'
The Guardian
How my iPhone landed me with a £476 fine and made me a criminal
Financial Times
Inside New York's Partnership With Israeli iPhone Hacking Company
Cellebrite
FBI's Use of Foreign-Surveillance Tool Violated Americans' Privacy Rights
WSJ
How Photos of Your Kids Are Powering Surveillance Technology
NYT
What's Happening at the Center of the Surveillance Economy
Fortune
Power company happy talk
Dominion Energy
'This Did Not Go Well': Inside PG&E's Blackout Control Room
NYT
Why the PG&E Blackouts Spared California's Big Tech HQs
WiReD
Malware That Spits Cash Out of ATMs Has Spread Across the World
VICE
Student tracking, secret scores: How college admissions offices rank prospects before they apply
WashPost
Fortnite has been down for hours as millions of players stare at a black hole
The Verge
Want to disconnect from your phone? Automakers are making that tougher
ABC News
This just got real: US, UK agencies issue joint VPN security alert
TechBeacon
Blizzard restores Hong Kong player's winnings, reduces suspension after international uproar
WashPost
Fingerprint security? Not so much…
SendGrid
A Young Man Nearly Lost His Life to Vaping
NYTimes
Chinese app on Xi's ideology allows data access to 100 million users' phones, report says
WashPost
One Good Reason to Delist Chinese Companies
Bloomberg
Guess what loses its value faster than your car? Your smartphone.
Adrian Kingsley-Hughes
Mobile security: These health apps aren't good for your phone or your privacy
Danny Palmer
GitHub gets blocking half-backwards
Dan Jacobson
Vaping devices add to fire risks on planes and officials struggle to keep up.
WashPost
With Windows Virtual Desktop, the bad old days are coming back
Computerworld
Former Apple employees create Level Lock smart lock, backed by Walmart
CNBC
Feds bust massive child porn sharing site; hundreds of users arrested
Ars Technica
Re: The broken record: Why Barr's call against end-to-end encryption is nuts
Keith Medcalf
Re: 3D printing
Dam Jackson
Re: PGN comment
R. G. Newbury
Info on RISKS (comp.risks)

Russian Secret Weapon Against U.S. 2020 Election Revealed In New Cyberwarfare Report (Forbes)

“Peter G. Neumann” <neumann@csl.sri.com>
Tue, 8 Oct 2019 14:50:00 PDT

https://www.forbes.com/sites/zakdoffman/2019/09/24/new-cyberwarfare-report-unveils-russias-secret-weapon-against-us-2020-election/#678a2ea368f5


Melbourne cyber-conference organisers pressured speaker to edit 'biased' talk (Josh Taylor)

Richard Forno <rforno@infowarrior.org>
October 9, 2019 19:59:23 JST

[Via Dave Farber]

After two speakers were banned, a third says organisers tried to edit his presentation.

9 Oct 2019

https://www.theguardian.com/technology/2019/oct/09/melbourne-cyber-conference-organisers-pressured-speaker-to-edit-biased-talk

Organisers at the Australian Cyber Conference in Melbourne asked a speaker to edit his speech on Australia's anti-encryption legislation, after they had dropped two other speakers, who were delivering talks related to whistleblowing, from the line-up at the last minute.

Guardian Australia has learned that Ted Ringrose, partner with legal advice firm Ringrose Siganto was told to edit his speech, and conference organisers had sent him an edited version of his slide pack on his talk stating that the original version was “biased”.

He said they took issue with a comparison between Australia's encryption laws and China's, despite the fact that his talk points out that while Australia's look worse on the surface, in reality it is “just about as bad”. Ringrose said he pushed back at the attempted censorship and the conference organisers agreed to let him present his talk as planned.

This is in contrast to the decisions made regarding speeches by US whistleblower Thomas Drake and University of Melbourne researcher Dr Suelette Dreyfus.

On Tuesday it was reported former national security agency executive turned whistleblower Drake, along with Dreyfus, were kicked off the conference agenda in what Drake described as an “Orwellian” move by the conference partner, the Australian Cyber Security Centre (ACSC).

The move was criticised as “super weird” by a key speaker at the event, Bruce Schneier, as Drake and Dreyfus set up a website detailing their now-banned speeches.

At the second day of the conference, attended by 3,500 people in Melbourne on Thursday, security technologist Schneier said it was a “super weird story” for Drake and Dreyfus to be banned from speaking at the event, because the speeches themselves were not particularly controversial.

“[Drake] was going to talk about basically surveillance. It's the sort of talk I would do—government corporate surveillance and everybody is spying on all of us—nothing we don't know,” he said. “[Dreyfus] was going to talk on work she did for the EU on building whistleblower platforms to reduce corruption in third world countries - kind of mundane.”

Schneier blamed someone within Australia's peak cyber security agency for being concerned about the content of the talks.

“My guess is someone at the ACSC saw the word ‘whistleblower’ and because that word is sensitive here, kind of freaked,” he said.

Schneier read out the URL for the website set up overnight hosting the abstracts of the two talks, as well as the slides from Drake's proposed speech, and drew cheers from the crowd when he said they were “morally obligated” to go read them.

“The other lesson is if you make noise and ban something you'll get more press than if you just ignored it.”

Alex Woerndle, deputy chair of the Australian Information Security Association (AISA), which organised the conference, said questions about the two speakers being removed should be directed to ACSC but said: “AISA supports and encourages diversity of views however it's important to note we work with a number of partners, including government, and as such need to manage a variety of views to deliver an event catered for all our stakeholders.”

ACSC did not initially respond to requests for comment on Tuesday. Guardian Australia directly approached officials at the agency's booth at the conference on Wednesday, and was later told that no comment would be provided on the matter.

The conference also banned media from attending a session where an official from Home Affairs explained the development of the government's 2020 cyber security strategy. Non-media attendees said the talk contained nothing that wasn't already public knowledge.

It comes at a time of public debate in Australia on whistleblowing laws and press freedom, following Australian federal police raids on News Corp journalist Annika Smethurst and the ABC over stories politically damaging for the government.

Former spy Witness K decided to plead guilty to breaching secrecy laws by revealing Australia's spying on Timor-Leste while his lawyer, Bernard Collaery, is fighting charges.


Zuckerberg fears 'erosion of truth' but defends allowing politicians to lie in ads (WashPost)

the keyboard of geoff goodfellow <geoff@iconia.com>
Thu, 17 Oct 2019 15:31:12 -1000

Facebook chief executive Mark Zuckerberg said in an interview he worries “about an erosion of truth” online but defended the policy that allows politicians to peddle ads containing misrepresentations and lies on his social network, a stance that has sparked an outcry during the 2020 presidential campaign.

“People worry, and I worry deeply, too, about an erosion of truth,” Zuckerberg told The Washington Post ahead of a speech Thursday at Georgetown University. “At the same time, I don't think people want to live in a world where you can only say things that tech companies decide are 100 percent true. And I think that those tensions are something we have to live with.” …

https://www.sfgate.com/news/article/Zuckerberg-fears-erosion-of-truth-but-defends-14542091.php https://www.washingtonpost.com/technology/2019/10/17/facebook-ceo-mark-zuckerberg-says-interview-he-fears-erosion-truth-defends-allowing-politicians-lie-ads/ https://www.washingtonpost.com/podcasts/post-reports/facebooks-mark-zuckerberg-struggles-to-balance-truth-and-free-speech/


Citizen Data of 92 Million Brazilians Offered for Sale on Underground Forum (CPO Magazine)

José María Mateos <chema@rinzewind.org>
Mon, 14 Oct 2019 20:58:46 -0400

https://www.cpomagazine.com/cyber-security/citizen-data-of-92-million-brazilians-offered-for-sale-on-underground-forum/

This massive trove of citizen data is a mystery at present. There have been no public announcements of data breaches recently that would correspond to this information.

Research by BleepingComputer indicates that the data is legitimate, however, and may have been stolen from the Department of Federal Revenue of Brazil and consist of information on employed taxpayers in the country. Brazil's population is estimated to be about 210 million, so this would mean that nearly half of the residents of the country have been exposed. The 92 million entries in the database would also match census estimates that put the working population of the country at about 93 million people.

The database contains full names, dates of birth, home province, driver's license and taxpayer ID numbers. Some records contain additional details such as business registration information, phone numbers, license plate numbers, familial relations and dates of death.

BleepingComputer confirmed that the information available through the hacking forums was in an SQL database of about 16 GB in size, and that accurate information about known individuals could be looked up.


Fifth-generation broadband wireless threatens weather forecasting (Physics Today)

George Sherwood <sherwood@testcover.com>
Thu, 10 Oct 2019 14:06:17 -0400

Excerpts from https://doi.org/10.1063/PT.3.4267 by Alex Lopatka

The fight is on over 5G. Telecommunication companies and the US government promote the latest mobile broadband because it will provide faster data-transfer rates. Faster, more reliable digital communication is needed for the newest technologies—autonomous vehicles, Internet-of-things devices, and smart energy grids. But meteorologists, US science agencies, and other countries worry that strong 5G signals may interfere with satellites that are crucial to weather forecasting.

Widespread 5G deployment will depend on building a new infrastructure of antennas that operate in high-frequency radio bands. Telecom companies and US regulators support 24 GHz for 5G networks because of its greater bandwidth and because the 1–6 GHz radio spectrum is already crowded with 4G, digital TV, radar, and other applications. (The 24 GHz band spans 24.25–24.45 GHz and 24.75–25.25 GHz.)

Spectrum is a finite resource, and the Federal Communications Commission (FCC), which coordinates the commercial use of spectrum in the US, is racing to allocate as much higher-frequency spectrum as possible for 5G technology. The FCC “5G FAST” plan is bringing more spectrum to market, updating infrastructure policy, and modernizing regulations. Other bands are being considered, including 28, 37, 39, and 47 GHz.

In October at the United Nations International Telecommunication Union Radiocommunication Sector (ITU-R) conference, member countries will discuss and vote on how to regulate the 5G signal in the 24 GHz band. The US is poised to push for a higher maximum 5G signal power than what European countries favor. Lower signal power would decrease the range of the 5G signal.

“The precipitating issue here is the potential for what's called out-of-band interference,” says Jordan Gerth of the University of Wisconsin Madison. Water-vapor molecules emit electromagnetic radiation at 23.8 GHz, and instruments such as the Advanced Technology Microwave Sounder aboard NOAA's Joint Polar Satellite System infer atmospheric air-temperature and moisture data from the 23.6–24.0 GHz emission band. The measurements are used to calibrate numerical weather-prediction models, such as NOAA's Global Forecast System.

A 5G signal could leak across the 250 MHz gap between the water-vapor emission band and the 24 GHz 5G band, which could make it nearly impossible for microwave instruments to differentiate between water vapor and emissions from 5G smartphones. Microwave instruments have no other frequencies they can use to sense water vapor. Filtering for noise from a 5G network would be difficult, says Joel Johnson of the Ohio State University. “If there's thousands of these little transmitters all over the place, then it's very hard to correct for them.”

Neil Jacobs, a NOAA assistant secretary of commerce, explained that using the 24 GHz band for 5G with the signal strength proposed by the FCC, 20 decibel watts per 200 MHz, would decrease the data collected from microwave instruments by 77%.

Jacobs said that such data loss would return the US weather prediction capability to “somewhere around 1980.” Citing an unpublished NOAA study, he further testified that a lower signal strength of 40 or 50 dBW per 200 MHz “would result in roughly zero data loss.” That range, one-hundredth to one-thousandth of the FCC's proposed limit, was determined with guidance from the ITU-R and industry.


Does your car have automated emergency braking? It's a big fail for pedestrians (Liam Tung)

Gene Wirchenko <gene@shaw.ca>
Mon, 07 Oct 2019 10:43:17 -0700

Liam Tung, ZDNet, 7 Oct 2019

Drivers should not rely on automatic braking tech, and pedestrians must be wary of drivers.

https://www.zdnet.com/article/does-your-car-have-automated-emergency-braking-its-a-big-fail-for-pedestrians/

selected text:

A new study by the American Automobile Association (AAA) shows that automated emergency braking cannot be trusted when it comes to preventing running over a person crossing the street.

Tests carried out at just 20mph (32kph) showed that the braking system only avoided running over an adult-sized dummy 40% of the time. However, somewhat encouragingly, during an additional 35% of the time, the vehicle automatically lowered its speed by 4.4mph, but nonetheless still crashed into the dummy.

The results were much worse when testing the systems for children crossing the road. Using a child-sized dummy, vehicles only avoided running over the child 11% of the time, but in an additional 25% of cases slowed down by 5.9mph. AAA comments that “evaluated pedestrian detection systems were ineffective during nighttime conditions”.

The results for Tesla, which is pushing the boundaries of autonomous driving, don't look good either. Automatic braking cut speed by an average of 2.8mph in three test runs and did not slow down at all in two runs. However, in five test runs with the vehicles traveling around a right curve, all of them ran over the pedestrian. “When a pedestrian target was located immediately after a right curve, all test vehicles failed to apply any degree of automatic braking,” the AAA writes.

All the vehicles' automatic braking systems were useless at avoiding crashing into a child who darts out into the road from between two parked cars. The key message from the AAA is that drivers cannot and should not rely on automatic braking systems until they're proven to work consistently in all situations and conditions.


A Police Tesla Nearly Ran Out of Power During a Chase. It Wasn't the Car's Fault. (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 8 Oct 2019 11:20:36 -0400

Gas or electric, all cars need to be refueled in some way, the police in Fremont, Calif., said.

https://www.nytimes.com/2019/10/03/us/tesla-police-car-chase.html


Mountain village begs tourists not to follow Google Maps and get stuck (CNN)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 15 Oct 2019 10:08:09 -0600

Julia Buckley, CNN • 15 Oct 2019

(CNN) — Unspoilt beaches at the foot of steep cliffs, romantic winding roads, and plenty of mountain wilderness—Italy's Mediterranean island of Sardinia has it all. But some tourists are finding the combination a little too difficult to take.

Authorities in Baunei, in Sardinia's eastern province of Ogliastra, have launched an appeal to visitors, telling them not to rely on Google Maps to get around the area.

Tourists are routinely following their GPS down lanes that are unsuitable for cars and onto off-road tracks in a bid to make their way to “hidden” beaches, needing to be rescued by the local fire brigade when they get stuck.

The move follows 144 emergency call-outs for both cars and hikers in the province over the past two years.

The emergency services are effectively funded by the local community. Tourists do not have to pay for their rescue.


There's an art to artificial intelligence (Forbes)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sun, 13 Oct 2019 07:20:46 -1000

As hard as it is to believe, artificial intelligence (AI) was rarely mentioned in the discussions related to digital transformation that began almost a decade ago. Now, no mention of transformation would make sense without how AI is making it all possible.

The intertwining of digital transformation and AI is the subject of an upcoming book by Marco Iansiti and Karim Lakhani, both Harvard University professors. In their new book, Competing in the Age of AI, they look at successful digitally savvy enterprises across the globe, and how they do things differently. <https://amzn.to/2otTLLl>

Success in today's digital economy comes from cloud, data science, and nurturing a well-networked ecosystem of partners and contributors. “The new breed of digital firm is all about innovation in the business model, experimenting and recombining various aspects of value creation and value capture,” according to Iansiti and Lakhani. Previously, value creation was usually achieved through simple transactional processes with customers in traditional organizations. In the digital world, things are more multi-dimensional.

Iansiti and Lakhani describe the common traits of enterprises taking the lead with AI-powered digital capabilities:…

https://www.forbes.com/sites/joemckendrick/2019/10/10/theres-an-art-to-artificial-intelligence/


Trying to use the police robot slows down emergency response (NBC)

Eli the Bearded <*@eli.users.panix.com>
Thu, 10 Oct 2019 19:39:55 -0400 (EDT)

https://www.nbcnews.com/tech/tech-news/robocop-park-fight-how-expectations-about-robots-are-clashing-reality-n1059671

The city of Huntington Park, California, is evaluating a (some?) gherkin-building-shaped “robocop”. A woman witnessed an altercation and decided to use the robot to summon actual police. Upon pushing the emergency alert button she was told to “step out of the way” and otherwise ignored.

The robot's alert button is not yet connected to the police department, said Cosme Lozano, chief of police of Huntington Park […] The calls are instead directed to Knightscope, the company that creates and leases the robots.

Instead people are supposed to just call 911 themselves, a message the robot eventually spoke aloud.

Not sure what good the robot is then except for security theatre.


Troubles with Tesla's automated parking feature summon safety regulators (Reuters)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 14:36:21 -0400

https://www.reuters.com/article/us-tesla-safety-nhtsa/troubles-with-teslas-automated-parking-summon-safety-regulators-idUSKBN1WH280


Better reply even if told to be patient

Dan Jacobson <jidanni@jidanni.org>
Fri, 11 Oct 2019 06:09:16 +0800

Interesting. Even if the tech representative says he has referred the problem to higher levels, and I should be patient and wait for his reply…

But the system expects the customer to still reply, else…

“If you missed our previous reply, please check your Junk/Spam folders. If we do not hear back from you within 7 business days, your ticket will be closed automatically.

Thank you, Logitech Support”

So the user had better reply each time, even if only “OK.”


Tell HUD: Algorithms Shouldn't Be an Excuse to Discriminate (EFF)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 16:17:22 -0400

The U.S. Department of Housing and Urban Development (HUD) recently released a proposed rule that will have grave consequences for the enforcement of fair housing laws. Under the Fair Housing Act, individuals can bring claims on the basis of a protected characteristic (like race, sex, or disability status) when there is a facially-neutral policy or practice that results in unjustified discriminatory effect, or disparate impact. The proposed rule makes it much harder to bring a disparate impact claim under the Fair Housing Act. Moreover, HUD's rule creates three affirmative defenses for housing providers, banks, and insurance companies that use algorithmic models to make housing decisions. As we've previously explained, these algorithmic defenses demonstrate that HUD doesn't understand how machine learning actually works.

https://www.eff.org/deeplinks/2019/10/tell-hud-algorithms-are-no-excuse-discrimination


Japanese assault suspect 'tracked down pop star via eye reflection in selfie' (The Guardian)

José María Mateos <chema@rinzewind.org>
Fri, 11 Oct 2019 19:11:53 -0400

https://www.theguardian.com/world/2019/oct/11/japanese-assault-suspect-tracked-down-pop-star-via-eye-reflection-in-selfie

Police have charged a man in Tokyo with assaulting a pop star, saying he tracked her down through the reflection in her eyes on a selfie she posted, according to local media reports.

I haven't seen the selfie to check for myself, but at this point I'd place this in the “plausible” section.

This seems a new risk of selfies to me:


How my iPhone landed me with a £476 fine and made me a criminal (Financial Times)

José María Mateos <chema@rinzewind.org>
Fri, 11 Oct 2019 19:17:37 -0400

https://www.ft.com/content/e8a177d4-dfae-11e9-9743-db5a370481bc

The digital payments revolution was meant to make things better for the consumer. No more banknotes falling out of your back pocket; no more waiting days on end for cheques to clear; no more missing your train because the tourist at the front of the queue doesn't know how to use the ticket machine.

Or it was for me, anyway — I'm fully signed up to the digital revolution, you see. Not only do I rarely carry cash, but I hardly ever leave the house with my wallet. I'm one of the estimated 8m Britons who use their smartphones to make contactless payments.

But smart though my phone is, it is not infallible. And like many new technologies, digital payments solve some problems, but they also create new, unforeseen ones. A paper ticket might be inherently easier to lose than a phone, but at least it doesn't just die on you whenever it feels like it.

It all started one October afternoon last year, when a bus inspector asked to see my £1.50 ticket. I had tapped into the bus with my iPhone using Apple Pay, but alas, in the five minutes since I'd boarded, my phone had run out of juice, so I had no means of proving that I had paid.


Inside New York's Partnership With Israeli iPhone Hacking Company (Cellebrite)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 14:36:46 -0400

The Manhattan District Attorney's office uses subscription software from Israeli digital forensics firm Cellebrite that enables it to break into “all iOS and high-end Android devices” using computers in its offices. The Manhattan DA is one of the biggest prosecutors in the U.S., and it has had this capability since January 2018. Its contract with Cellebrite was worth $200,000 over three years, covering software licensing and installation, personnel training, and a set number of device cracks. The contract also requires the software be used in a “secure room” with no recording devices. (ONEZERO)

https://onezero.medium.com/exclusive-inside-new-yorks-partnership-with-israeli-iphone-cracking-company-cellebrite-12a2252c3ebf


FBI's Use of Foreign-Surveillance Tool Violated Americans' Privacy Rights (WSJ)

Richard Forno <rforno@infowarrior.org>
October 9, 2019 3:54:44 JST

Dustin Volz and Byron Tau, The Wall Street Journal, 8 Oct 2019

https://www.wsj.com/articles/fbis-use-of-foreign-surveillance-tool-violated-americans-privacy-rights-court-found-11570559882

U.S. discloses ruling last year by Foreign Intelligence Surveillance Court that FBI's data queries of U.S. citizens were unconstitutional

WASHINGTON—Some of the Federal Bureau of Investigation's electronic surveillance activities violated the constitutional privacy rights of Americans swept up in a controversial foreign intelligence program, a secretive surveillance court has ruled. The ruling deals a rare rebuke to U.S. spying activities that have generally withstood legal challenge or review.

The intelligence community disclosed Tuesday that the Foreign Intelligence Surveillance Court last year found that the FBI's pursuit of data about Americans ensnared in a warrantless Internet-surveillance program intended to target foreign suspects may have violated the law authorizing the program, as well as the Constitution's Fourth Amendment protections against unreasonable searches.

The court concluded that the FBI had been improperly searching a database of raw intelligence for information on Americans—raising concerns about oversight of the program, which as a spy program operates in near total secrecy. The court ruling identifies tens of thousands of improper searches of raw intelligence databases by the bureau in 2017 and 2018 that it deemed improper in part because they involved data related to tens of thousands of emails or telephone numbers—in one case, suggesting that the FBI was using the intelligence information to vet its personnel and cooperating sources. Federal law requires that the database only be searched by the FBI as part of seeking evidence of a crime or for foreign intelligence information.

In other cases, the court ruling reveals improper use of the database by individuals. In one case, an FBI contractor ran a query of an intelligence database—searching information on himself, other FBI personnel and his relatives, the court revealed.

The Trump administration failed to make a persuasive argument that modifying the program to better protect the privacy of Americans would hinder the FBI's ability to address national-security threats, wrote U.S. District Judge James Boasberg, who serves on the FISA Court, in the partially redacted 167-page opinion released Tuesday. “The court accordingly finds that the FBI's querying procedures and minimization procedures are not consistent with the requirements of the Fourth Amendment,” Mr. Boasberg concluded.


How Photos of Your Kids Are Powering Surveillance Technology (NYT)

Dewayne Hendricks <dewayne@warpspeed.com>
October 12, 2019 20:58:26 JST

Kashmir Hill and Aaron Krolik, The New York Times, 11 Oct 2019

Millions of Flickr images were sucked into a database called MegaFace. Now some of those faces may have the ability to sue.

https://www.nytimes.com/interactive/2019/10/11/technology/flickr-facial-recognition.html

The pictures of Chloe and Jasper Papa as kids are typically goofy fare: grinning with their parents; sticking their tongues out; costumed for Halloween. Their mother, Dominique Allman Papa, uploaded them to Flickr after joining the photo-sharing site in 2005.

None of them could have foreseen that 14 years later, those images would reside in an unprecedentedly huge facial-recognition database called MegaFace. Containing the likenesses of nearly 700,000 individuals, it has been downloaded by dozens of companies to train a new generation of face-identification algorithms, used to track protesters, surveil terrorists, spot problem gamblers and spy on the public at large.

“It's gross and uncomfortable,” said Mx. Papa, who is now 19 and attending college in Oregon. “I wish they would have asked me first if I wanted to be part of it. I think artificial intelligence is cool and I want it to be smarter, but generally you ask people to participate in research. I learned that in high school biology.”

By law, most Americans in the database don't need to be asked for their permission—but the Papas should have been.

As residents of Illinois, they are protected by one of the strictest state privacy laws on the books: the Biometric Information Privacy Act, a 2008 measure that imposes financial penalties for using an Illinoisan's fingerprints or face scans without consent. Those who used the database—companies including Google, Amazon, Mitsubishi Electric, Tencent and SenseTime—appear to have been unaware of the law, and as a result may have huge financial liability, according to several lawyers and law professors familiar with the legislation.

How MegaFace was born

How did the Papas and hundreds of thousands of other people end up in the database? It's a roundabout story.

In the infancy of facial-recognition technology, researchers developed their algorithms with subjects' clear consent: In the 1990s, universities had volunteers come to studios to be photographed from many angles. Later, researchers turned to more aggressive and surreptitious methods to gather faces at a grander scale, tapping into surveillance cameras in coffee shops, college campuses and public spaces, and scraping photos posted online.

According to Adam Harvey, an artist who tracks the data sets, there are probably more than 200 in existence, containing tens of millions of photos of approximately one million people. (Some of the sets are derived from others, so the figures include some duplicates.) But these caches had flaws. Surveillance images are often low quality, for example, and gathering pictures from the Internet tends to yield too many celebrities.

In June 2014, seeking to advance the cause of computer vision, Yahoo unveiled what it called “the largest public multimedia collection that has ever been released,” featuring 100 million photos and videos. Yahoo got the images—all of which had Creative Commons or commercial use licenses—from Flickr, a subsidiary.

The database creators said their motivation was to even the playing field in machine learning. Researchers need enormous amounts of data to train their algorithms, and workers at just a few information-rich companies—like Facebook and Google—had a big advantage over everyone else.

“We wanted to empower the research community by giving them a robust database,” said David Ayman Shamma, who was a director of research at Yahoo until 2016 and helped create the Flickr project. Users weren't notified that their photos and videos were included, but Mr. Shamma and his team built in what they thought was a safeguard.

They didn't distribute users' photos directly, but rather links to the photos; that way, if a user deleted the images or made them private, they would no longer be accessible through the database.

But this safeguard was flawed. The New York Times found a security vulnerability that allows a Flickr user's photos to be accessed even after they've been made private. (Scott Kinzie, a spokesman for SmugMug, which acquired Flickr from Yahoo in 2018, said the flaw “potentially impacts a very small number of our members today, and we are actively working to deploy an update as quickly as possible.” Ben MacAskill, the company's chief operating officer, added that the Yahoo collection was created “years before our engagement with Flickr.”)

Additionally, some researchers who accessed the database simply downloaded versions of the images and then redistributed them, including a team from the University of Washington. In 2015, two of the school's computer science professors—Ira Kemelmacher-Shlizerman and Steve Seitz—and their graduate students used the Flickr data to create MegaFace.

Containing more than four million photos of some 672,000 people, it held deep promise for testing and perfecting face-recognition algorithms.


What's Happening at the Center of the Surveillance Economy (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 16:52:29 -0400

https://fortune.com/2019/10/07/surveillance-economy-startup-envoy/


Power company happy talk (Dominion Energy)

Gabe Goldberg <gabe@gabegold.com>
Mon, 14 Oct 2019 15:43:23 -0400

Newer technology to give customers fewer outages, faster restoration times, and new tools to track and control their energy usage.

New technology being deployed across the energy grid will reduce outages, speed up restoration time, and give our customers reliable service they can count on. We are investing in thousands of smart devices on the grid that automatically report outages when they occur, and prevent certain outages before they happen by identifying equipment that could be near failure. The devices also can isolate outages by automatically rerouting power so fewer customers are impacted, and allow us to quickly dispatch crews directly to the source of the outage. View a video <https://youtu.be/3rMGxE7Cr3k> to learn more about the Smart Grid.

Smart meters will let customers take control of their energy usage through new options like timely usage insights, customizable alerts for high energy usage and bills, and outage information so customers no longer have to notify Dominion Energy when lights are out and alerts to give customers updates about their restoration status. The process for starting or stopping service also is streamlined. <https://www.dominionenergy.com/company/electric-projects/smart-meters>

On Smart Meter page: Power outage detection - Smart meters can notify us when your power goes out and when it has been restored

Searching brings plenty of warnings about myriad health problems caused by smart meters. Discounting those as discredited crackpottery, I do wonder how notification works when power is out. Each meter a cellphone? With battery backup? Seems unlikely. And is there a dark (so to speak) side to power company happy talk?


'This Did Not Go Well': Inside PG&E's Blackout Control Room (NYT)

Monty Solomon <monty@roscom.com>
Sat, 12 Oct 2019 19:38:56 -0400

https://www.nytimes.com/2019/10/12/business/pge-california-outage.html

As the utility turned off power to millions of Californians, its website went down and it struggled to communicate with local officials and inform residents.


Why the PG&E Blackouts Spared California's Big Tech HQs (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 16:16:26 -0400

Silicon Valley companies are served by safer, robust transmission lines. Regular homes? Not so much.

https://www.wired.com/story/why-the-pgande-blackouts-spared-californias-big-tech-hqs/


Malware That Spits Cash Out of ATMs Has Spread Across the World (VICE)

José María Mateos <chema@rinzewind.org>
Tue, 15 Oct 2019 18:46:31 -0400

https://www.vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world

A joint investigation between Motherboard and the German broadcaster Bayerischer Rundfunk (BR) has uncovered new details about a spate of so-called “jackpotting” attacks on ATMs in Germany in 2017 that saw thieves make off with more than a million Euros. Jackpotting is a technique where cybercriminals use malware or a piece of hardware to trick an ATM into ejecting all of its cash, no stolen credit card required. Hackers typically install the malware onto an ATM by physically opening a panel on the machine to reveal a USB port.


Student tracking, secret scores: How college admissions offices rank prospects before they apply (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Wed, 16 Oct 2019 12:47:54 -0400

Records reviewed by The Washington Post show that at least 44 public and private universities in the United States work with outside consulting companies to collect and analyze data on prospective students, either by tracking their Web activity or formulating predictive scores to measure each student's likelihood of enrolling. The vast majority of universities reviewed by The Post do not tell students the schools are collecting their information.

https://www.washingtonpost.com/business/2019/10/14/colleges-quietly-rank-prospective-students-based-their-personal-data/


Fortnite has been down for hours as millions of players stare at a black hole (The Verge)

Monty Solomon <monty@roscom.com>
Sun, 13 Oct 2019 20:41:52 -0400

https://www.theverge.com/2019/10/13/20909812/fortnite-down-black-hole-chapter-2-the-end


Want to disconnect from your phone? Automakers are making that tougher (ABC News)

Gabe Goldberg <gabe@gabegold.com>
Sun, 13 Oct 2019 21:35:09 -0400

Cathy Chase, president of Advocates for Highway and Auto Safety, said hands-free technology in vehicles does little to prevent cognitive distraction among drivers. “People think they can multitask,” she told ABC News. “Voice to text technology makes mistakes. Then you correct it. You're thinking about a different conversation—it imperils drivers and passengers.”

https://abcnews.go.com/Business/disconnect-phone-automakers-making-tougher/story?id=66003320

The risk? Those two buried paragraphs.


This just got real: US, UK agencies issue joint VPN security alert (TechBeacon)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 18:41:11 -0400

Spy agencies in the US and UK are jointly warning of big trouble for many users of enterprise VPNs. Hacker groups—some state-sponsored—are wreaking havoc at sites that haven't patched their installations.

The agencies—the NSA and the NCSC—have long remediation checklists for your admin pleasure. So drop everything, even if you've already patched your VPN.

https://techbeacon.com/security/just-got-real-us-uk-agencies-issue-joint-vpn-security-alert


Blizzard restores Hong Kong player's winnings, reduces suspension after international uproar (WashPost)

Monty Solomon <monty@roscom.com>
Sat, 12 Oct 2019 18:54:45 -0400

After international uproar, the American gaming giant eases punishment for Hong Kong player who expressed his political views on China.

https://www.washingtonpost.com/technology/2019/10/12/blizzard-restores-hong-kong-players-winnings-reduces-suspension-after-international-uproar/


Fingerprint security? Not so much… (SendGrid)

Gabe Goldberg <gabe@gabegold.com>
Fri, 18 Oct 2019 16:44:53 -0400

Samsung has admitted that anyone can unlock a Galaxy S10 phone, which has an in-screen fingerprint scanner, by putting a cheap screen protector on it. Samsung says the scanner is ‘malfunctioning’ and will be fixed with a software patch. In the meantime, users should turn off fingerprint authentication. The peanut gallery has urged Apple to use in-screen fingerprint scanners rather than Face ID, and there are some rumors <https://u5080173.ct.sendgrid.net/wf/>


A Young Man Nearly Lost His Life to Vaping (NYTimes)

Monty Solomon <monty@roscom.com>
Wed, 16 Oct 2019 11:49:16 -0400

He thought vaping THC would be safer than smoking marijuana, but the fumes shut down his lungs. https://www.nytimes.com/2019/10/15/health/vaping-thc-illness.html

It is possible to become addicted to marijuana or dependent on it, according to the National Institute on Drug Abuse.

A computer-science student, he explored the dark web to find THC vendors with lower prices than he paid on the street, and turned money from his bank account into Bitcoin, to make purchases that would be encrypted and untraceable. On the electronic order forms, he requested the best and strongest THC available.

Boxes of cartridges, 25 for $400, started arriving in the mail early last summer. The return address was a house on a residential street in Ventura, Calif.

The products had a variety of labels, including Dank Vapes, the same name reported by many other people who got sick. It is not actually a brand, but a label that sellers can put on any product. Some of the other cartridges may have been counterfeit versions of brands that are legal in some states. No one knows what is in the knockoff products or who makes them, health officials say.


Chinese app on Xi's ideology allows data access to 100 million users' phones, report says (WashPost)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sun, 13 Oct 2019 07:16:39 -1000

The Chinese Communist Party appears to have “superuser” access to all the data on more than 100 million cellphones, owing to a back door in a propaganda app that the government has been promoting aggressively this year.

An examination of the code in the app shows it enables authorities to retrieve every message and photo from a user's phone, browse their contacts and Internet history, and activate an audio recorder inside the device, according to a U.S.-funded analysis.

“The [Chinese Communist Party] essentially has access to over 100 million users' data,” said Sarah Aoun, director of technology at the Open Technology Fund, an initiative funded by the U.S. government under Radio Free Asia. “That's coming from the top of a government that is expanding its surveillance into citizens' day-to-day lives.”

The party, led by Xi Jinping, launched the app, called “Study the Great Nation,” in January. The name is a pun because the Chinese word for study — “xuexi – 学习”—contains the authoritarian leader's family name…

https://www.greenwichtime.com/news/article/Chinese-app-on-Xi-s-ideology-allows-data-access-14516955.php

https://www.washingtonpost.com/world/asia_pacific/chinese-app-on-xis-ideology-allows-data-access-to-100-million-users-phones-report-says/2019/10/11/2d53bbae-eb4d-11e9-bafb-da248f8d5734_story.html


One Good Reason to Delist Chinese Companies (Bloomberg)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sun, 13 Oct 2019 07:17:08 -1000

They shouldn't be on U.S. exchanges if they won't submit to the same audit scrutiny as everyone else.

EXCERPT:

No one would accept Goldman Sachs Group Inc. or Tesla Inc. being able to access U.S. capital markets without regulatory oversight. So it's indefensible that Chinese companies listed on the Nasdaq or New York Stock Exchange enjoy this privilege. The news that Trump administration officials are considering delisting such firms <https://www.bloomberg.com/news/articles/2019-09-27/white-house-weighs-limits-on-u-s-portfolio-flows-into-china-k12ahk4g> is therefore overdue and welcome.

Lost in the debate over measures to restrict portfolio flows to China have been more mundane questions about the expectations placed on companies that list in the U.S. The delisting proposal is the culmination of a long-simmering dispute over whether the U.S. Securities and Exchange Commission and government have jurisdiction over Chinese companies that have their shares traded on American exchanges. <https://www.bloomberg.com/view/articles/2019-10-04/trump-planned-limits-on-u-s-capital-flows-to-china-ups-trade-war>

Cases of accounting fraud and other irregularities at U.S.-listed Chinese companies have been widespread. <https://www.bloomberg.com/news/articles/2017-09-08/-china-hustle-warns-next-big-crisis-born-in-reverse-merger-mud> Yet the Public Company Accounting Oversight Board has no right to examine the audits or source documentation of such companies. Chinese accounting firms have for years resisted demands by U.S. regulators <https://www.bloomberg.com/news/articles/2015-11-03/u-s-investors-have-one-more-reason-to-fret-about-chinese-firms> for information about their audits, arguing that disclosing the records would violate laws that prohibit the transfer of data potentially containing state secrets to foreign entities. A final agreement that would have allowed the Washington-based PCAOB to examine Chinese audits unraveled in 2015 <https://www.bloomberg.com/news/articles/2015-11-03/u-s-investors-have-one-more-reason-to-fret-about-chinese-firms> .

The Chinese position presents fundamental problems for regulators and for investor protection in the U.S. Washington has a choice: It must either accept having no legal recourse or jurisdictional oversight of Chinese companies traded on U.S. exchanges, or refuse new initial public offerings and threaten to delist firms that already have sold shares unless they comply with regulators' requests…

https://www.bloomberg.com/opinion/articles/2019-10-07/u-s-listed-china-companies-should-follow-rules-or-exit


Guess what loses its value faster than your car? Your smartphone. (Adrian Kingsley-Hughes)

Gene Wirchenko <gene@shaw.ca>
Mon, 07 Oct 2019 10:45:22 -0700

Adrian Kingsley-Hughes, ZDNet, 7 Oct 2019

Smartphones, even high-end devices such as iPhones and Samsung Galaxy phones, really are a terrible investment.

https://www.zdnet.com/article/guess-what-loses-its-value-faster-than-your-car-your-smartphone/

opening text:

Cars are generally considered to be a poor investment, depreciating by an average of about 40 percent during the first three years. But that's nothing compared to smartphones.


Mobile security: These health apps aren't good for your phone or your privacy (Danny Palmer)

Gene Wirchenko <gene@shaw.ca>
Mon, 07 Oct 2019 10:51:45 -0700

Danny Palmer, ZDNet, 7 Oct 2019

As people turn to mobile apps to help manage health conditions, cybercriminals have realised there's money to be made.

https://www.zdnet.com/article/mobile-security-these-health-apps-arent-good-for-your-phone-or-your-privacy/

opening text:

People looking for information about diabetes and other conditions could be at risk from having their private information stolen and privacy invaded by cyber criminals.


GitHub gets blocking half-backwards

Dan Jacobson <jidanni@jidanni.org>
Sat, 12 Oct 2019 03:00:39 +0800

On GitHub I can block somebody, add a comment “UPDATE: Send the money instead to account #123…” to one of their issues, then unblock them, add a second reasonable comment, to which they would then reply. Readers would assume they got the email for both comments, so have no qualms about the first.

* (GitHub Developer Support)

Oct 11, 8:58 AM UTC

Hey again Dan,

Thanks for writing in.

If you block a user, they won't receive notifications for any comments you leave on issues (and vice-versa). Note that they will still be able to view the comments if they view the issue.

I had a look through our documentation for blocking a user and I can see that we don't explain this particular scenario. I'll make a note for our team!

* Dan Jacobson

Oct 11, 1:04 AM UTC

Just curious, is there any way I, user X, can comment on an issue, opened by user Y, but not generate a notification to user Y?

If I block user Y, can I comment to my heart's content on his issues, without worrying he will get notified?

Is this documented somewhere? Thanks.


Vaping devices add to fire risks on planes and officials struggle to keep up. (WashPost)

Monty Solomon <monty@roscom.com>
Mon, 7 Oct 2019 21:19:55 -0400

Safety officials have struggled to keep up with the deluge of billions of electronic devices travelers are carrying.

https://www.washingtonpost.com/local/trafficandcommuting/with-little-faa-direction-vaping-devices-add-to-fire-dangers-on-planes/2019/10/03/8de85be0-ca8d-11e9-a1fe-ca46e8d573c0_story.html


With Windows Virtual Desktop, the bad old days are coming back (Computerworld)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Oct 2019 18:23:00 -0400

The PC (and yes, Microsoft) set us free. Now Microsoft is taking control.

https://www.computerworld.com/article/3444606/with-windows-virtual-desktop-the-bad-old-days-are-coming-back.html


Former Apple employees create Level Lock smart lock, backed by Walmart (CNBC)

Gabe Goldberg <gabe@gabegold.com>
Wed, 16 Oct 2019 15:33:25 -0400

https://www.cnbc.com/2019/10/15/former-apple-employees-create-level-lock-smart-lock-backed-by-walmart.html

The risk? How about the word “security” not appearing in the article?


Feds bust massive child porn sharing site; hundreds of users arrested (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 18 Oct 2019 12:21:05 -0400

https://arstechnica.com/tech-policy/2019/10/child-porn-purveyor-learns-the-hard-way-that-bitcoin-is-traceable/


Re: The broken record: Why Barr's call against end-to-end encryption is nuts (Gallagher/Forno, RISKS-31.45)

“Keith Medcalf” <kmedcalf@dessus.com>
Mon, 07 Oct 2019 13:30:37 -0600

Facebook et al. are free to implement end-to-end encryption, as the condition “without including a means for lawful access to the content of communications to protect our citizens” has already been met. Barr and his cronies are free to utilize the legal process already in place, the obtaining of a search warrant on reasonable and probable grounds, in order to obtain the clear-text from one of the end-points.

I believe Mr. Barr and his cronies are really saying that, since they are unable to satisfy the requirements of “lawful access”, they would prefer Facebook et al. to maintain the “wink and nudge” system wherein due process does not apply.


Re: 3D printing (ZDNet-Wirchenko, RISKS-31.45)

Ian Jackson <ijackson@chiark.greenend.org.uk>
Wed, 9 Oct 2019 12:01:39 +0100

It's looking more and more certain that 3D printing has a serious safety problem. […]

In fact if you read the study[1] this is a massive exaggeration.

The best summary is probably the graphs on p8 of the paper (Fig 4). On each graph, the blue bar is estimated background. The green part of the bar is the expected addition to human exposure, from the mean of the 3D printing processes (printers and filaments) they tested. The upwards error bar corresponds to the worst-case. The spots are a set of regulatory exposure limits.

NB that all of this averaging hides the fact that some filaments are a factor of 5 better than others (p4, Table 2). For example, I usually print in PLA.

The top graph “Predicted Personal Concentration” is if you sit right next to the printer, which you would probably not do if you were printing in ABS or nylon, because it makes a nasty smell. (PLA smells quite nice, sort of caramelly.)

And even if you sit right next to the printer, the exposures are by and large within regulatory limits. If you don't then the risk is even lower. If you print in PLA or PVA the exposure is well within these limits.

So in summary: if it doesn't smell nice, don't sit right next to the printer and huff.

[1] https://sci-hub.se/https://doi.org/10.1016/j.buildenv.2019.106209


Re: PGN comment, RISKS-31.45

“R. G. Newbury” <newbury@mandamus.org>
Mon, 7 Oct 2019 23:32:29 -0400
[It's a good thing RISKS does not have a requirement for only new topics. “When will they ever learn.” (The old song “Little Boxes on the Hillside” [and they all look just the same] seems relevant here.) PGN]

Ahh, you are thinking of “Where have all the flowers gone” and the lines “When will they ever learn? When will they ever learn?”

Sung by Peter, Paul and Mary, and the Kingston Trio and probably many others. Those are the two I remember… which kinda dates me!
