The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 5

Monday 4 February 2019


A study of fake news in 2016
Science via PGN
Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security by Robert Chesney, Danielle Keats Citron
Japanese government plans to hack into citizens' IoT devices
"This smart light bulb could leak your Wi-Fi password"
ZDNet via Gene Wirchenko
Tech addicts seek solace in 12 steps and rehab
How Machine Learning Could Keep Dangerous DNA Out of Terrorists' Hands
Scientific American via Richard Stein
Taking apart a botnet ...
Naked Security via Rob Slade
What If Your Fitbit Could Run on a Wi-Fi Signal?
iPhone FaceTime Bug That Allows Spying Was Flagged to Apple Over a Week Ago
Apple revokes Google's ability to use internal iOS apps, just like Facebook
Apple hits back at Facebook and revokes a key license
Putting the exact size of land in ads
Dan Jacobson
Passwords, escrow, and fallback positions
CoinDesk via Rob Slade
My old RISKS nightmare comes true - partially
Rex Sanders
Minor Crimes and Misdemeanors in the Age of Automation
ICE set up phony Michigan university in sting operation
WashPost via Monty Solomon
Chinese maker of radios for police, firefighters struggles to outlast Trump trade fight
Keyless Cars Are Easy to Steal Using Cheap Theft Equipment
Fortune via Gabe Goldberg
UK auto theft
Claire Duffin via Chris Drewe
Problems with car key fobs
Gizmodo via Arthur T.
Google, you sent this to too many people, so it must be spam
Dan Jacobson
Re: Buy Bitcoin at the Grocery Store via Coinstar
John Levine
Re: Hidden Automation Agenda of the Davos Elite
Henry Baker
Re: Is it time for Linux?
J Coe
Re: If 5G Is So Important, Why Isn't It Secure?
Mark Thorson
Re: The Duty to Read the Unreadable
Amos Shapir
Re: Risks of Deepfake videos
Amos Shapir
Info on RISKS (comp.risks)

A study of fake news in 2016 (Science)

Peter G Neumann <>
Sat, 2 Feb 2019 10:46:19 -0800
Fake news on Twitter during the 2016 U.S. presidential election
Science (AAAS) 363 issue 6425, 25 Jan 2019, pp. 374-378

This is a noteworthy five-authored paper on their detailed examination.
For example, only 1% of individuals accounted for 80% of fake news
source exposures, and 0.1% accounted for 80% of fake news sources
shared.  For RISKS readers who are interested in this phenomenon,
the article is worth reading.

Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security by Robert Chesney, Danielle Keats Citron (SSRN)

geoff goodfellow <>
February 3, 2019 at 12:48:30 AM GMT+9
Contains a landmark law article on deepfakes:

107 California Law Review (2019, Forthcoming)
U of Texas Law, Public Law Research Paper No. 692
U of Maryland Legal Studies Research Paper No. 2018-21
59 Pages Posted: 21 Jul 2018 Last revised: 23 Aug 2018

Robert Chesney, University of Texas School of Law
Danielle Keats Citron, University of Maryland Francis King Carey School of
  Law; Yale University Yale Information Society Project; Stanford Law School
  Center for Internet and Society

Date Written: July 14, 2018


Harmful lies are nothing new. But the ability to distort reality has taken
an exponential leap forward with `deep fake' technology. This capability
makes it possible to create audio and video of real people saying and doing
things they never said or did. Machine learning techniques are escalating
the technology's sophistication, making deep fakes ever more realistic and
increasingly resistant to detection. Deep-fake technology has
characteristics that enable rapid and widespread diffusion, putting it into
the hands of both sophisticated and unsophisticated actors. While deep-fake
technology will bring with it certain benefits, it also will introduce many
harms. The marketplace of ideas already suffers from truth decay as our
networked information environment interacts in toxic ways with our cognitive
biases. Deep fakes will exacerbate this problem significantly. Individuals
and businesses will face novel forms of exploitation, intimidation, and
personal sabotage. The risks to our democracy and to national security are
profound as well. Our aim is to provide the first in-depth assessment of the
causes and consequences of this disruptive technological change, and to
explore the existing and potential tools for responding to it. We survey a
broad array of responses, including: the role of technological solutions;
criminal penalties, civil liability, and regulatory action; military and
covert-action responses; economic sanctions; and market developments. We
cover the waterfront from immunities to immutable authentication trails,
offering recommendations to improve law and policy and anticipating the
pitfalls embedded in various solutions.

Japanese government plans to hack into citizens' IoT devices (ZDNet)

Gabe Goldberg <>
Wed, 30 Jan 2019 11:55:34 -0500
The Japanese government approved a law amendment on Friday that will allow
government workers to hack into people's Internet of Things devices as part
of an unprecedented survey of insecure IoT devices.

"This smart light bulb could leak your Wi-Fi password" (ZDNet)

Gene Wirchenko <>
Fri, 01 Feb 2019 20:32:42 -0800
      [Q: How many hackers does it take to change a light bulb?
       A: Only one, and keep him and it off your network.]

Charlie Osborne for Zero Day | 1 Feb 2019

This smart light bulb could leak your Wi-Fi password.  LIFX smart bulbs
contained vulnerabilities that could be exploited with a little ingenuity
and the help of a hacksaw.

selected text:

LimitedResults used the LIFX mini white as a test product, a $15.99 device
which can be controlled via smartphone to change the temperature and dimness
levels of lighting at home.

After installing the bulb's accompanying app on an Android device and
setting up the Wi-Fi connection, the researcher grabbed a saw to hack his
way into the hardware within.

After exposing the innards of the bulb and wiping away fireproof paste, the
hacker found that the main component of the bulb is an ESP32D0WDQ6
system-on-chip (SoC) manufactured by Espressif.

It didn't take long to solder a few pins to a board in order to connect to
the LIFX hardware, and after this link was established, LimitedResults found
that Wi-Fi credentials were stored in plaintext within the flash memory.
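The practitioner's check for the finding above, as an added example that is neither the researcher's code nor part of the original item: dump the flash, run the equivalent of `strings`, and search for the credentials you configured on the device. The image below is constructed inline and its key/value layout is an assumption (it is not the ESP32 NVS format); `wpa2_pmk` is the standard WPA2-PSK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID), and the second image shows what the same scan finds when a device stores only that derived key instead of the passphrase.

```python
import hashlib
import random
import re

# Added example, not the researcher's or LIFX's code. The "flash image" is
# constructed here; the key/value layout is an assumption, not ESP32 NVS format.
SSID = b"HomeNet"
PASSPHRASE = b"MyWiFiPassw0rd!"


def wpa2_pmk(ssid: bytes, passphrase: bytes) -> bytes:
    """WPA2-PSK pairwise master key (IEEE 802.11i): PBKDF2-HMAC-SHA1,
    4096 iterations, 32 bytes, with the SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def build_image(store_plaintext: bool) -> bytes:
    """Constructed 8 KiB dump: pseudo-random filler around one credential record."""
    rng = random.Random(1234)  # fixed seed so offsets are reproducible
    filler = bytes(rng.getrandbits(8) for _ in range(8192))
    if store_plaintext:
        record = b"ssid\x00" + SSID + b"\x00pswd\x00" + PASSPHRASE + b"\x00"
    else:
        record = b"ssid\x00" + SSID + b"\x00pmk\x00" + wpa2_pmk(SSID, PASSPHRASE) + b"\x00"
    return filler[:2048] + record + filler[2048:]


def extract_strings(blob: bytes, min_len: int = 8):
    """`strings -n min_len` equivalent: (offset, run) for every printable-ASCII run."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(blob)]


def find_secret(blob: bytes, secret: bytes):
    """Offsets at which a known credential appears verbatim in the dump."""
    return [m.start() for m in re.finditer(re.escape(secret), blob)]


def credential_report(blob: bytes) -> dict:
    """What a scan of this dump reveals about the configured network."""
    return {
        "ssid_offsets": find_secret(blob, SSID),
        "passphrase_offsets": find_secret(blob, PASSPHRASE),
        "pmk_offsets": find_secret(blob, wpa2_pmk(SSID, PASSPHRASE)),
    }


if __name__ == "__main__":
    for label, image in (("plaintext", build_image(True)), ("pmk-only", build_image(False))):
        print(label, credential_report(image))
        for off, run in extract_strings(image):
            if run == PASSPHRASE:
                print(f"  passphrase visible to `strings` at offset {off}")
```

Storing the PMK instead of the passphrase keeps the passphrase itself off the device, but the PMK is the WPA2 pre-shared key, so anyone holding the dump can still join that one network. The mitigations on this class of part are the chip's own flash-encryption feature with debug access disabled, and, for the owner, changing the Wi-Fi password after disposing of any bulb that held it.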

Tech addicts seek solace in 12 steps and rehab (AP)

Jim Reisert AD1C <>
Sun, 3 Feb 2019 11:34:37 -0700
Martha Irvine, AP, December 26, 2018

  BELLEVUE, Wash. (AP) -- We like to say we're addicted to our phones or an
  app or some new show on a streaming video service.

  But for some people, tech gets in the way of daily functioning and
  self-care. We're talking flunk-your-classes, can't-find-a-job,
  live-in-a-dark-hole kinds of problems, with depression, anxiety and
  sometimes suicidal thoughts part of the mix.

  Suburban Seattle, a major tech center, has become a hub for help for
  so-called `tech addicts', with residential rehab, psychologists who
  specialize in such treatment and 12-step meetings.

How Machine Learning Could Keep Dangerous DNA Out of Terrorists' Hands (Scientific American)

Richard Stein <>
Mon, 4 Feb 2019 11:04:39 +0800

"But Rob Carlson, managing director at Bioeconomy Capital, a venture-capital
firm in Seattle, Washington, is skeptical that stopping DNA-synthesis
companies from being exploited will prevent bioterror attacks. 'If you look
at what sorts of biological threats have cropped up to date, this isn't one
of them,' he says. Most attacks have involved the release of existing
pathogens grown in labs; in 2001, for instance, five people in the United
States died and 17 were sickened after receiving anthrax-laced letters.

"Terrorists are more likely to follow the blueprint of published research,
rather than embark on a research project to design new organisms, Carlson
says. He fears that any government efforts to regulate DNA synthesis would
push would-be bioterrorists underground."

Risk: Ineffective government investment to deter bioweapon deployment by

Taking apart a botnet ... (Naked Security)

Rob Slade <>
Mon, 4 Feb 2019 10:47:59 -0800
The FBI is messing with Joanap, a botnet run by a major North Korean
blackhat group.

Joanap itself is fairly complicated, with infections being started by an SMB
worm, which then installs the Joanap RAT (Remote Access Trojan).  Command
and control is done via a peer-to-peer distributed network.

Which is where the FBI comes in.  A court in the US granted them permission
to set up fake servers pretending to be controllers on Joanap.  As such,
they could spy on individual machines, collect information, or even install
software (possibly to remove the infections and patch vulnerabilities).

In examining the ethics of active defence, I find this fascinating.

I'm pretty sure that in Canadian law the FBI action would actually be
illegal, which is possibly why they are contacting host governments in the
cases of non-US victims.

(Oh, and remember to patch your systems, which is the only reason the
blackhats were able to build Joanap in the first place ...)

What If Your Fitbit Could Run on a Wi-Fi Signal? (SciAm)

Richard Stein <>
Wed, 30 Jan 2019 11:10:15 +0800

"...molybdenum disulfide (MoS2)—a two dimensional material because it is
just three atoms thick—can act like an antenna to convert radio signals
from wi-fi, cell phones and radio or television broadcasts into power for
wireless devices.

"Palacios says the two-dimensional semiconductor can reap 30 to 50
microwatts from ambient wi-fi signals of about 100 microwatts, enough to
operate pacemakers, hearing aids, strain sensors, communication links and
many low-power IoT objects. Such a system could potentially operate without
a battery, lowering weight and avoiding leakage from a medical implant's
power source inside the body." discusses harvesting human
body heat to power devices.

Steer clear of TEMPEST facilities, or low ambient RF environments if you
wear an implantable device powered by MoS2. Neglecting to use a battery
backup may be hazardous to your health.

iPhone FaceTime Bug That Allows Spying Was Flagged to Apple Over a Week Ago (NYTimes)

Lauren Weinstein <>
Tue, 29 Jan 2019 18:58:50 -0800

  On Jan. 19, Grant Thompson, a 14-year-old in Arizona, made an unexpected
  discovery: Using FaceTime, Apple's video chatting software, he could
  eavesdrop on his friend's phone before his friend had even answered the
  call. His mother, Michele Thompson, sent a video of the hack to Apple the
  next day, warning the company of a "major security flaw" that exposed
  millions of iPhone users to eavesdropping. When she didn't hear from Apple
  Support, she exhausted every other avenue she could, including emailing
  and faxing Apple's security team, and posting to Twitter and Facebook. On
  Friday, Apple's product security team encouraged Ms. Thompson, a lawyer,
  to set up a developer account to send a formal bug report. But it wasn't
  until Monday, more than a week after Ms. Thompson first notified Apple of
  the problem, that Apple raced to disable Group FaceTime and said it was
  working on a fix. The company reacted after a separate developer reported
  the FaceTime flaw and it was written about on the Apple fan site, in an article that went viral.

Apple revokes Google's ability to use internal iOS apps, just like Facebook (WashPost)

Monty Solomon <>
Fri, 1 Feb 2019 02:41:51 -0500
The companies said they are hoping to resolve the issue quickly.

Apple hits back at Facebook and revokes a key license (CNBC)

Gabe Goldberg <>
Wed, 30 Jan 2019 15:27:08 -0500
  * TechCrunch found that Facebook had been paying people to install a
    research app that grants access to all of the user's phone and web
  * Following the report, Apple said the app violates its policies.
  * A Facebook spokesperson said the app had "a clear on-boarding
    process" that asked participants for permission.

CNBC: Apple hits back at Facebook and revokes a key license

Putting the exact size of land in ads

Dan Jacobson <>
Sat, 02 Feb 2019 21:18:23 +0800
"5,678 square meters prime farm land for sale, $xx0000. Call Mrs. Holmes
at LLoyd 5-1212."

Or if Junior happens to have the local cadaster list, he can go visit
the property himself, disposing of Mrs. Holmes.

Just sort the list on the size column, and `voila', only one parcel in
town with that size!
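The re-identification Dan describes is a k-anonymity failure: an attribute whose exact value belongs to only one record. The following added example, not part of the original item (the parcel list is constructed, not a real cadastre), checks a column for such singletons and shows the usual fix, publishing a size bucket rather than the exact figure.

```python
from collections import Counter

# Added example; the parcel list is constructed, not a real cadastre.
PARCELS = [
    {"owner": "Holmes",  "size_m2": 5678,  "zone": "farm"},
    {"owner": "Baker",   "size_m2": 5612,  "zone": "farm"},
    {"owner": "Chen",    "size_m2": 5690,  "zone": "farm"},
    {"owner": "Dubois",  "size_m2": 12040, "zone": "farm"},
    {"owner": "Ekwueme", "size_m2": 12075, "zone": "farm"},
    {"owner": "Farah",   "size_m2": 820,   "zone": "residential"},
    {"owner": "Garcia",  "size_m2": 845,   "zone": "residential"},
]


def match(records, **attrs):
    """Records consistent with what an advertisement discloses."""
    return [r for r in records if all(r[k] == v for k, v in attrs.items())]


def k_anonymity(records, *attrs):
    """Smallest group when records are grouped by the given attributes.
    k == 1 means at least one person is uniquely identifiable from them."""
    groups = Counter(tuple(r[a] for a in attrs) for r in records)
    return min(groups.values())


def generalized(records, bucket_m2):
    """Copy of the records with exact sizes replaced by a published range."""
    out = []
    for r in records:
        lo = (r["size_m2"] // bucket_m2) * bucket_m2
        out.append({**r, "size_m2": f"{lo}-{lo + bucket_m2 - 1}"})
    return out


if __name__ == "__main__":
    # Junior sorts on the size column and finds exactly one 5,678 m2 parcel.
    print([r["owner"] for r in match(PARCELS, size_m2=5678)])
    print("k with exact sizes:", k_anonymity(PARCELS, "size_m2"))
    print("k with 100 m2 buckets:", k_anonymity(generalized(PARCELS, 100), "size_m2"))
    print("k with 10 m2 buckets:", k_anonymity(generalized(PARCELS, 10), "size_m2"))
```

The bucket has to be chosen against the actual data: on this list 100 m² ranges give every parcel at least one neighbour, while 10 m² ranges still leave everyone unique, so "round it a bit" is not a fix until you recompute k.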

Passwords, escrow, and fallback positions (CoinDesk)

Rob Slade <>
Sat, 2 Feb 2019 12:23:46 -0800
Crypto exchange QuadrigaCX seems to be filing for bankruptcy.  It's got lots
of money--locked up in cryptocurrency "cold storage."  The password was only
known to the CEO.  The CEO died in December.

Lots and lots of legal battles are involved ...
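The failure above is a single holder of a secret with no fallback. The standard engineering answer is threshold secret sharing: split the key into n shares so that any k of them recover it and any fewer reveal nothing about it. An added example, not anything QuadrigaCX used, of Shamir's scheme over a prime field; the 32-byte "wallet key" is a constructed placeholder and the share holders named in the comment are hypothetical.

```python
import secrets

# Added example of Shamir secret sharing; not code from QuadrigaCX or any exchange.
P = 2**521 - 1  # Mersenne prime; secrets are integers below it (up to 65 bytes)


def bytes_to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


def int_to_bytes(n: int, length: int) -> bytes:
    return n.to_bytes(length, "big")


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, n: int, k: int):
    """n shares (x, y) of a random degree-(k-1) polynomial whose constant term
    is the secret; any k shares determine it, k-1 shares leave it uniform."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer below P")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P); needs at least k distinct shares."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m == j:
                continue
            num = num * xm % P
            den = den * (xm - xj) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


# Constructed placeholder; a real cold-storage key is generated, never typed.
WALLET_KEY = b"example 32-byte cold wallet key!"
SECRET = bytes_to_int(WALLET_KEY)


def demo():
    # Hypothetical 3-of-5 split: e.g. CEO, CFO, outside counsel, two directors.
    shares = split_secret(SECRET, n=5, k=3)
    return {
        "any_three": int_to_bytes(recover_secret(shares[:3]), 32) == WALLET_KEY,
        "other_three": int_to_bytes(recover_secret([shares[1], shares[3], shares[4]]), 32) == WALLET_KEY,
        "only_two": recover_secret(shares[:2]) == SECRET,  # False: two points fix no quadratic
    }


if __name__ == "__main__":
    print(demo())
```

Shares have to be generated on a trusted machine and then handed out, and the scheme protects only the key: the usual operational failures (all shares kept in the same office, or the holder who generated them keeping the original) defeat it regardless of the arithmetic.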

My old RISKS nightmare comes true - partially

Rex Sanders <>
Thu, 31 Jan 2019 12:31:40 -0800
On 28 Jan 2009 for RISKS 25.55 I wrote:

>Subject: What if you can't pull the plug?
>Last night I literally awoke from a nightmare about my iPhone getting
>hacked, spewing spam and doing other nasty things.  The nightmare was that I
>had no way to shut it off, and no way to disconnect it from the Internet.

Recently, while trying to move from an old iPhone to an iPhone 8 Plus - and
following Apple's online instructions - the newer iPhone froze with the
power ON. The "hold the power button down for a long time" trick didn't
work. For one troubleshooting cycle, the 8+ stayed on-but-frozen for over 60
hours while connected to power.

Luckily, the 8+ doesn't appear to be hacked by anything other than buggy
upgrade software.

Called Apple support—they gave me another combination of button presses
to unfreeze the phone. Except it took four tries to work.

Apparently Apple changed the forced restart scheme twice since the iPhone's
introduction. But if your phone is frozen, you probably don't have any way
to look up the latest method.

Minor Crimes and Misdemeanors in the Age of Automation

Gabe Goldberg <>
Fri, 1 Feb 2019 00:08:00 -0500
Author writes:

  In November, I broke the law. I crossed over a solid white line to make a
  right turn at a traffic intersection. At the time I was unaware of my
  violation. I was on my way to a shopping mall in an unfamiliar part of
  town to buy my wife a gift for her birthday. My only defense is that I was
  following the instructions emitted from the map app on my cellphone.  It
  told me to make a right turn. So I did. Little did I know I was being

ICE set up phony Michigan university in sting operation (WashPost)

Monty Solomon <>
Fri, 1 Feb 2019 02:34:51 -0500
Never heard of the University of Farmington? That's because it never
actually existed.

Chinese maker of radios for police, firefighters struggles to outlast Trump trade fight (WashPost)

Monty Solomon <>
Fri, 1 Feb 2019 02:41:19 -0500
The Chinese firm Hytera is subject to a U.S. import ban after a judge ruled
it infringed on patents held by Motorola Solutions.

Keyless Cars Are Easy to Steal Using Cheap Theft Equipment (Fortune)

Gabe Goldberg <>
Wed, 30 Jan 2019 11:58:13 -0500
"Thefts involving electronic devices are on the up, and it's clear
manufacturers could do more to make their vehicles secure," the consumer
organization quoted David Jamieson, the West Midlands police commissioner,
as saying.

However, the U.K.'s Society of Motor Manufacturers and Traders (SMMT)
insisted that new cars "are more secure than ever, and the latest technology
has helped bring down theft dramatically with, on average, less than 0.3% of
the cars on our roads stolen."

"We continue to call for action to stop the open sale of equipment with no
legal purpose that helps criminals steal cars," said SMMT CEO Mike Hawes.

Who you gonna believe—the manufacturers association or that empty space
where your car was?

UK auto theft (Re: RISKS-30.96)

Chris Drewe <>
Mon, 28 Jan 2019 22:11:17 +0000
This has had much coverage in UK newspapers recently, such as this article
from today:

  Claire Duffin, *The Daily Mail*, 28 Jan 2019

  Almost all of the UK's best-selling cars can be 'unlocked in
  minutes' by cheap gadgets bought online as watchdog warns of spike
  in 'keyless thefts'

 * Four out of five of the most popular cars in the UK last year at
   risk of keyless theft.
 * Official figures for the year to September showed car thefts were
   up 10 per cent.
 * In one test consumer watchdog Which? found only the Vauxhall Corsa
   was safe.

> Almost all of the UK's bestselling cars are at risk of keyless theft, a
> study shows.
> Many new cars now have keyless entry systems, or can have them added as
> an upgrade.
> It allows the driver to open and start the car without using a
> traditional key, as long as the fob is nearby.
> But thieves have taken advantage of this new technology. Using two
> devices, known as a relay amplifier and a relay transmitter, they can
> capture electromagnetic signals emitted by key fobs from where they are
> sitting inside the car owner's home.
> Working in pairs, one thief stands by the car with his transmitter,
> while a second waves the amplifier close to the house.
> The amplifier will detect a signal from the key fob, amplify it and send
> it to the accomplice's transmitter.
> This tricks the car into thinking the key is in close proximity,
> prompting it to open. Thieves can then drive the vehicle away using the
> push-button keyless ignition.
> The process can take less than one minute -- and once they have the car,
> they can quickly replace locks and entry devices.

I'm guessing that the cars constantly send a signal inviting any fobs within
range to respond, and if one does reply with the correct code for the car,
it unlocks the doors and allows the engine to be started; it's designed to
work only over a few yards/metres, but the thieves' relays enable the range
to be extended.  People often drop their keys in a bowl or case just inside
the front door of their houses so that they can be grabbed as they leave.
(In the olden days, thieves used magnets on rods passed through the
letterbox to snaffle bunches of keys on keyrings, or would ring the doorbell
and have an accomplice discreetly take keys while the householder was
distracted.)  By the way, Vauxhall was the UK brand name for GM cars,
although it's recently been sold to a European automaker.
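Chris's guess is right in outline: passive-entry systems run a challenge-response between car and fob, and a relay simply forwards both halves, so the cryptography is never broken and the car has no reason to refuse. The countermeasure is to bound the round-trip time, since a relayed answer has to travel further and pass through the thieves' electronics. The simulation below is an added example, not any manufacturer's code; the propagation, fob-processing and relay-latency figures are assumptions picked for readability, and the timing is computed rather than measured.

```python
import hashlib
import hmac
import secrets

# Added example, not code from any vehicle maker. All timing constants are
# assumptions chosen to make the simulation readable, not measurements.
LIGHT_M_PER_NS = 0.3       # radio propagation, roughly 0.3 m per nanosecond
FOB_PROCESSING_NS = 1000   # assumed fixed time the fob needs to answer
LEGIT_RANGE_M = 2          # assumed intended passive-entry range


class Fob:
    """Keyless fob: answers a random challenge with a keyed MAC."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class Car:
    """Car side. If max_rtt_ns is set, it also enforces a round-trip bound."""

    def __init__(self, key: bytes, max_rtt_ns=None):
        self.key = key
        self.max_rtt_ns = max_rtt_ns

    def try_unlock(self, channel) -> bool:
        challenge = secrets.token_bytes(8)
        response, rtt_ns = channel(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(response, expected):
            return False          # wrong key: the cryptographic check fails
        if self.max_rtt_ns is not None and rtt_ns > self.max_rtt_ns:
            return False          # right key, but the answer arrived too late
        return True


def direct_channel(fob: Fob, distance_m: float):
    """Fob genuinely within radio range of the car."""
    def send(challenge: bytes):
        rtt = 2 * distance_m / LIGHT_M_PER_NS + FOB_PROCESSING_NS
        return fob.respond(challenge), rtt
    return send


def relayed_channel(fob: Fob, car_to_relay_m: float, relay_to_fob_m: float,
                    relay_latency_ns: float):
    """Two-device relay: the challenge is forwarded to the house and the fob's
    answer forwarded back. The relay never needs the key; it only adds delay."""
    def send(challenge: bytes):
        path_m = car_to_relay_m + relay_to_fob_m
        rtt = 2 * path_m / LIGHT_M_PER_NS + FOB_PROCESSING_NS + relay_latency_ns
        return fob.respond(challenge), rtt
    return send


def rtt_bound_ns(max_range_m: float) -> float:
    """Largest round trip a fob inside max_range_m can legitimately produce."""
    return 2 * max_range_m / LIGHT_M_PER_NS + FOB_PROCESSING_NS


def demo():
    key = secrets.token_bytes(16)
    fob = Fob(key)
    naive_car = Car(key)
    bounded_car = Car(key, max_rtt_ns=rtt_bound_ns(LEGIT_RANGE_M))

    in_hand = direct_channel(fob, distance_m=1)
    # thief A by the car, thief B at the front door; the fob is in the hall bowl
    relay = relayed_channel(fob, car_to_relay_m=30, relay_to_fob_m=1,
                            relay_latency_ns=500)
    wrong_fob = direct_channel(Fob(secrets.token_bytes(16)), distance_m=1)

    return {
        "naive_direct": naive_car.try_unlock(in_hand),      # True
        "naive_relayed": naive_car.try_unlock(relay),       # True: the attack works
        "bounded_direct": bounded_car.try_unlock(in_hand),  # True
        "bounded_relayed": bounded_car.try_unlock(relay),   # False: too slow
        "wrong_key": bounded_car.try_unlock(wrong_fob),     # False
    }


if __name__ == "__main__":
    print(demo())
```

Even a relay with zero electronic latency is caught here, because two extra trips over the 30 m from car to house cost about 200 ns against a budget of roughly 13 ns for a 2 m range. That is also the catch: the bound only works with sub-microsecond timing on the car side, which the ordinary fob radio link is not designed to provide, so systems that actually do this add a dedicated ranging radio rather than retrofitting a timer onto the existing protocol.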

Problems with car key fobs (Gizmodo)

"Arthur T." <>
Sat, 02 Feb 2019 15:12:37 -0500
People with car key fobs were staying away from a Canadian co-op store
because they might not be able to start their cars. Anarchists? Gremlins?
Competitors? No, just "a malfunctioning remote car starter" nearby.

Google, you sent this to too many people, so it must be spam

Dan Jacobson <>
Sun, 03 Feb 2019 04:50:33 +0800
> The big announcement came,
> From: "Google+ Team" <>
> Subject: Your personal Google+ account is going away on April 2, 2019

Alas, a little too big, as it was nailed as spam by big-time mail filtering
companie(s). Wonder what will happen when Facebook eventually sends theirs
to an even larger list.

My mom says that "X-VR-SPAMCAUSE: ggystttmpsimb..." means "GooGle, you sent
this to too many people so it must be spam."

Re: Buy Bitcoin at the Grocery Store via Coinstar (Fortune)

"John Levine" <>
28 Jan 2019 22:55:16 -0500
Coinstar?  Those are the machines where you put in $10 in cash and it
gives you a slip for $8.  Seems just the thing for Bitcoin.

Re: Hidden Automation Agenda of the Davos Elite (NYT)

Henry Baker <>
Tue, 29 Jan 2019 07:32:45 -0800
A couple of thoughts on automation:

1.  What do we really want these soon-to-be-laid-off people to do?  Does it
make any sense to pay people to produce goods inefficiently, in the style of
Soviet factories making goods that will never be consumed, just so they have
a job?  The economist Milton Friedman supposedly asked why workmen were
using shovels instead of machinery to build a canal.  The answer came back:
"We need to provide more jobs."  Friedman's response: "Then why not give
them spoons instead of shovels."

To his credit, Friedman championed a version of universal basic income (UBI)
to allow for both economic efficiency and economic support for those
displaced.  I'm not sure that UBI provides much of an identity of self-worth
for these ex-workers, but it is at least a start in the right direction.

2.  Since the Great Recession starting in 2008-9, governments around the
First World have kept interest rates at negative or zero ("ZIRP").  Who do
you think benefits directly from ZIRP?  The coal miner?  The minimum wage
employee?  Not so much.  When capital becomes cheaper than labor, it's a
*no-brainer* to invest in automation, and the Davos elites have "backed up
the truck" to gorge on zero-interest-rate money to invest in robotics and
AI, knowing that eventually ZIRP would end, and this gravy train would stop.
At that point, these investments would pay off as labor became more
expensive relative to robots and automation.

The truth is, most of the First World has a demographic problem, in that
their populations are *falling*, so countries like Japan and China are going
to become totally reliant upon robots just to support their ever-growing
percentage of retired workers.  So we're going to need robots and
automation, but we're also going to need mechanisms to provide support and
activities other than meaningless jobs to enable people to live full and
meaningful lives.

Re: Is it time for Linux? (Dave Crooke)

J Coe <>
Tue, 29 Jan 2019 20:43:04 +0000
I was waiting for another to reply to this message from RISKS 31.02, as I feel
that in my lowly station of systems engineer in a small team in an education
setting I shouldn't be preaching to the masses; there are many more worthy
voices than my own.

That being said, I don't feel Linux is the solution that some seem to claim
it is.

As always, all views are my own and do not represent anyone other than

I disagree with the ideas and ideals that Linux is some bastion of security.
While I will admit Linux does have the edge on Microsoft OSs, I simply do not
believe that this in itself is enough to necessarily say it should be used
over any operating system, Microsoft or otherwise. I also feel Linux has a
perceived higher level of security than it actually does, along with a number
of userbase and technical climate realities that skew both hard and
anecdotal evidence in Linux's favor.

The first of these things is the Linux userbase. Windows is the world's most
popular desktop OS. This leads by default to a less technical userbase,
whereas Linux as a desktop OS is often used by the more technically adept.
The more technically adept and IT-security savvy are less likely to fall
for certain types of attacks such as phishing and clicking on suspicious
links. Both the higher volume of users and the chances of encountering one
of these less savvy users mean Windows is the more profitable target when
engaging in attacks where the net is cast wide.

Despite its open source nature, Linux is not impervious to
vulnerabilities. Last year Windows 10 had 28 {1} vulnerabilities given a CVE
rating of 9 or more. Debian (which I'm using, and I could get the stats
easily) had 20 in 2018 {2}. While 9 is a significant number, Debian received
a total of 938 CVEs in 2018 with Windows 10 only receiving 254.  Some of
this can be chalked up to the open source model allowing vulnerabilities to
be more easily identified, but the concept that Linux has fewer
vulnerabilities or doesn't ship with them is simply not true.

Furthermore, the low usage of things like anti-malware products on Linux
means that there is currently a lack of research in this area. In December
2018 ESET discovered 21 "new" families of Linux-based malware. The issue
being that these malware families weren't new; some appeared to be over 4
years old. Furthermore, ESET only discovered these families because they were
being removed by a competing malware ESET was actually investigating.
When you ask a long-term Linux user when they last saw some Linux malware
the answer will likely be never, but with the lack of strong, widely used
anti-malware tools for Linux, the real question would be: how would you know?

If everyone were to take the advice and switch to Linux exclusively for both
home and work environments, the outcome could be worse security as
threat actors target the new environment: more malicious actors looking for
weaknesses and vulnerabilities, and a lack of tools to provide a decent
defense-in-depth response.

While this may be a pie-in-the-sky idea, I believe security principles
should be both hardware and software agnostic, and simply changing an
OS doesn't necessarily make you more secure. Defense in depth, user training
and engagement, proper configuration, and a healthy dose of skepticism and
luck in equal measures is really the only way to provide a safe
environment, not specific tools or tech.

Re: If 5G Is So Important, Why Isn't It Secure?

Mark Thorson <>
Tue, 29 Jan 2019 16:15:33 -0800
I can think of two reasons, both of which make an equal amount of sense.  a)
If 5G was perfect how would we sell them 6G? We have to make money too.  b)
Security is like global warming—if we can get by just by paying lip
service to the notion and not doing anything effective about it, that's the
easier and less expensive path.  Until we have a real Pearl Harbor on the
Internet, nobody that matters is going to care.  It's going to take an
incident that bankrupts a large high-profile company, paralyzes the
Internet, kills hundreds of people, or forces the recall of millions of
devices before what is optional becomes mandatory.

Re: The Duty to Read the Unreadable (RISKS-31.04)

Amos Shapir <>
Wed, 30 Jan 2019 10:22:38 +0200
I once tried to read a shrink-wrap EULA (of commercial software) in its
entirety; it took almost an hour, and that's just the reading, I cannot
claim to have actually understood it—despite having more than the 14.5
years of education cited as required by the article, I have no formal legal

That's irrelevant anyway, because under that EULA, by clicking "I agree" I
have put any future dispute I may have with the company under the
jurisdiction of courts in the State of New York; there aren't many lawyers
around here who know enough about NY law to file a case (not at any
reasonable price), so this clause essentially puts possible legal resolution
out of my reach.

IOW, this is not really an "agreement", more like a CYA legal trick designed
to exempt the company from legal responsibility to possible damage
(accidental, and even intentional) their software might inflict upon their

Re: Risks of Deepfake videos (Risks 31.04)

Amos Shapir <>
Wed, 30 Jan 2019 10:48:42 +0200
In the age of instant ubiquitous global communication, there is no need to
manipulate reality in a professional level in order to make people believe
in misinformation.

See for example the anti-Vax case, where a pseudo scientific article
(rejected later) which connected one type of (disused) vaccine to a rare
type of autism—or rather, just the rumour of the article, since it seems
no one had actually read it anyway—had caused so many people to stop
vaccination completely, enough to cause new outbreaks of diseases thought to
be long gone.

Unfortunately, it seems too many people would just believe anything sent by
their friends, rather than bother one click to check facts.
