Today's NYT article covers many of the points in my recent lectures (vote flipping, obsolete standards, etc.) and alludes to why this isn't accidental.
See: <https://www.nytimes.com/2019/11/30/us/politics/pennsylvania-voting-machines.html> and the eye-opening details at: https://3og1cv1uvq3u3skase2jhb69-wpengine.netdna-ssl.com/wp-content/uploads/2019/09/VOTING-TECHNOLOGY-PROCUREMENT-INVESTIGATION-PUBLIC.pdf
For Philly, $425,000 in lobbying money yielded a $29M contract to ES&S. Less the 10% penalty (the entire purchase should have been rescinded). The $29M may not include the long-term maintenance contract, which gives them even more city funds with access to the devices. And now these machines are in place for maybe 20 years? Sweet deal.
It's not just PA. This voting system replacement scam is going on all over the country where DREs are being upgraded to include the now-required paper. As long as the election officials can hide behind the electronic totals and risk limiting audits they'll continue to avoid hand-counting the ballots. There may be new machines, but the M.O. has not changed. Keep your eye on the swing states (like PA). And spread the word.
Early and often,
https://fortune.com/2019/12/04/election-security-regulations-united-states/
“The problem is that the federal certification itself is weak from a security standpoint and that not all states require it,” says J. Alex Halderman, a professor of computer science and engineering at the University of Michigan. “There are more federal requirements that apply to plastic water bottles or whiskey than apply to electronic voting security, which is absolutely incredible to me.”
In Britain, Fake News Muddies Election Run-Up, Adam Satariano, The New York Times National edition A12, 11 Dec 2019.
In Britain, Disinformation Ahead of a Vote Comes Largely from Within. Adam Satariano and Amie Tsang, The New York Times National edition A13, 11 Dec 2019. “We're seeing anyone and everyone picking up these tactics.”
China Jailed the Most Journalists, Rick Gladstone, The New York Times National edition A13, 11 Dec 2019.
In Iran, a Security Breach Exposes 15M Bank Customers, Farnaz Fassihi and Ronan Bergman, The New York Times National edition A14, 11 Dec 2019.
China tells government offices to remove all foreign computer equipment
Directive is likely to be a blow to US multinational companies like HP, Dell and Microsoft
Chinese president Xi Jinping has ordered that all foreign hardware be removed from government offices and agencies.
China has ordered that all foreign computer equipment and software be removed from government offices and public institutions within three years, the Financial Times reports. The government directive is likely to be a blow to US multinational companies like HP, Dell and Microsoft and mirrors attempts by Washington to limit the use of Chinese technology, as the trade war between the countries turns into a tech cold war.
The Trump administration banned US companies from doing business with Chinese telecommunications company Huawei earlier this year and in May, Google, Intel and Qualcomm announced they would freeze cooperation with Huawei.
By excluding China from western know-how, the Trump administration has made it clear that the real battle is about which of the two economic superpowers has the technological edge for the next two decades.
This is the first known public directive from Beijing setting specific targets limiting China's use of foreign technology, though it is part of a wider move within China to increase its reliance on domestic technology.
The FT reported that the directive would result in an estimated 20m to 30m pieces of hardware needing to be replaced and that this work would begin in 2020. Analysts told the FT that 30% of substitutions would take place in 2020, 50% in 2021 and 20% in 2022.
The order had come from the Chinese Communist party's central office earlier this year, the analysts said. Two employees from cyber security firms told the paper that government clients had described the policy.
Replacing all the devices and software in this timeframe will be challenging, given that many products are developed for US operating systems like Microsoft's Windows. Chinese government offices tend to use desktop computers from the Chinese-owned company Lenovo, but components of the computers, including their processor chips and hard drives, are made by American companies.
In May, Hu Xijin, editor of the Global Times newspaper in China, said the withdrawal of sharing by US tech companies with Huawei would not be fatal for the company because the Chinese firm has been planning for this conflict “for years” and would prompt the company to develop its own microchip industry to rival America's.
“Cutting off technical services to Huawei will be a real turning point in China's overall research and development and use of domestic chips,” he said in a social media post. “Chinese people will no longer have any illusions about the steady use of US technology.”
Companies hope to gain an edge by laying the groundwork for global rules
Chinese technology companies are shaping new facial recognition and surveillance standards at the UN, according to leaked documents obtained by the Financial Times, as they try to open up new markets in the developing world for their cutting-edge technologies.
Companies such as ZTE, Dahua and China Telecom are among those proposing new international standards—specifications aimed at creating universally consistent technology—in the UN's International Telecommunication Union (ITU) for facial recognition, video monitoring, city and vehicle surveillance.
Standards ratified in the ITU, which comprises nearly 200 member states, are commonly adopted as policy by developing nations in Africa, the Middle East and Asia, where the Chinese government has agreed to supply infrastructure and surveillance tech under its Belt and Road Initiative, according to experts.
“African states tend to go along with what is being put forward by China and the ITU as they don't have the resources to develop standards themselves,” said Richard Wingfield, Head of Legal at Global Partners Digital, a company working on human rights on the Internet.
Europe and North America have their own regional standards setting bodies, such as the IETF, IEEE and 3GPP, which are dominated by domestic industry players. The ITU, on the other hand, is a space where companies outside of North America and Europe tend to shape and drive standard development.
Standard writing gives companies an edge in the market by aligning global rules with the specifications of their own proprietary technology, say experts.
Over the past few years, Chinese surveillance infrastructure has swept across regions from Angola to Zimbabwe. For example, earlier this year South African company Vumacam installed 15,000 surveillance cameras with facial recognition capabilities in Johannesburg, supplied by Hikvision.
In August, Uganda confirmed the nationwide installation of Huawei surveillance cameras with face recognition capabilities. Similarly, the Singapore government plans to install facial recognition cameras on its lampposts, a contract that Chinese start-up Yitu has bid for, according to local reports. …
https://www.ft.com/content/c3555a3c-0d3e-11ea-b2d6-9bf4d1957a67
China will require telecom operators to collect face scans when registering new phone users at offline outlets starting Sunday, according to the country's information technology authority, as Beijing continues to tighten cyberspace controls.
In September, China's industry and information technology ministry issued a notice on “safeguarding the legitimate rights and interests of citizens online”, which laid out rules for enforcing real-name registration.
The notice said telecom operators should use “artificial intelligence and other technical means” to verify people's identities when they take a new phone number.
A China Unicom customer service representative told AFP that the December 1 “portrait matching” requirement means customers registering for a new phone number may have to record themselves turning their head and blinking.
“In next steps, our ministry will continue to…increase supervision and inspection…and strictly promote the management of real-name registration for phone users,” said the September notice.
Though the Chinese government has pushed for real-name registration for phone users since at least 2013—meaning ID cards are linked to new phone numbers—the move to leverage AI comes as facial recognition technology gains traction across China where the tech is used for everything from supermarket checkouts to surveillance. …
https://news.yahoo.com/china-introduces-mandatory-face-scans-phone-users-091042257.html
https://www.nytimes.com/2019/11/27/technology/tiktok-censorship-apology.html
The video app said it would review its policies after a 17-year-old in New Jersey who discussed Chinese detention camps was locked out of her account.
Deepfakes can be deep trouble, especially when the alterations are comparatively subtle:
https://www.youtube.com/watch?v=5nDnlA1pv5U
Angelica Mari for Brazil Tech | 9 Dec 2019
Access will be requested to computers that were allegedly used to spread misinformation with taxpayer money. https://www.zdnet.com/article/fake-news-probe-in-brazil-exposes-office-of-hate-within-government/
selected text:
The investigations into the dissemination of fake news have advanced in Brazil as details of the government's online communication strategy have been unveiled.
According to a ten-hour session involving a former government leader in the Congress, Joice Hasselmann, a group of presidential staff routinely spreads fake news and defames the opposition across social networks as part of their day job.
With federal elections scheduled for late September in Germany, momentum is building behind using anti-botnet laws against automated social-media accounts that churn out disinformation.
Hasselmann's statement describes the inner workings of a cluster operating right next to the presidential office in Brasília, charged with the development and execution of the online communication with the supporter base.
https://mustangnews.net/professor-by-day-scambuster-by-night-business-professor-helps-scam-victims/
EXCERPT:
It's easy to anthropomorphize artificial intelligence. We imagine befriending Siri, or that our self-driving car has our best interests at heart. When we paint a picture of an advanced AI, we might imagine machines that learn, similar to the ways a toddler might learn. We imagine them thinking or coming to conclusions similar to how we do. Even the term neural networks—an algorithm modeled after the human brain—brings up images of a brain-like machine, making decisions. However, thinking an artificial intelligence works in the same way as a human brain can be misleading and even dangerous, says a recent paper <https://link.springer.com/article/10.1007/s11023-019-09506-6> in Minds and Machines <https://link.springer.com/journal/11023> by David Watson <https://www.oii.ox.ac.uk/people/david-watson/> of the Oxford Internet Institute and the Alan Turing Institute…
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00092491en_us
IMPORTANT: This HPD8 firmware is considered a critical fix and is required to address the issue detailed below. HPE strongly recommends immediate application of this critical fix. Neglecting to update to SSD Firmware Version HPD8 will result in drive failure and data loss at 32,768 hours of operation and require restoration of data from backup in non-fault tolerance, such as RAID 0 and in fault tolerance RAID mode if more drives fail than what is supported by the fault tolerance RAID mode logical drive. By disregarding this notification and not performing the recommended resolution, the customer accepts the risk of incurring future related errors.
32768 hours is strongly suggestive of a very naive bug. In a RAID where all the drives were new originally, this could very quickly destroy the volume. [TWO TO THE FIFTEENTH! strikes again. PGN]
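The arithmetic behind the "2^15" remark, as an added illustration (not HPE's firmware code, whose actual logic is not described here): a power-on-hours counter kept in a signed 16-bit field wraps to a negative value at hour 32,768, and a health check that treats a negative count as corrupt takes the drive offline. The second function models the RAID consequence raised above, under the stated simplifying assumptions (no replacements, no rebuild time): when every member went into service at the same time, the tolerated-failure budget is exhausted in the same hour, leaving no window in which to swap drives. All values are constructed.

```python
"""Added example: a 2^15-hour counter overflow and its effect on a RAID set.

The int16 model is an assumption about the kind of defect a 32,768-hour
failure suggests; it is not HPE's actual firmware logic.
"""

INT16_MIN = -2**15


def to_int16(value: int) -> int:
    """Reinterpret an unbounded count as a two's-complement 16-bit value."""
    return ((value + 2**15) % 2**16) + INT16_MIN


def drive_ok_int16(power_on_hours: int) -> bool:
    """Hypothetical naive health check: hours stored in a signed 16-bit field,
    with a negative value treated as corrupt metadata that stops the drive."""
    return to_int16(power_on_hours) >= 0


def drive_ok_uint32(power_on_hours: int) -> bool:
    """The same check with a 32-bit unsigned field: no wrap for ~490,000 years."""
    return 0 <= power_on_hours < 2**32


def array_failure_timeline(member_ages, fail_at=2**15, tolerance=1):
    """Return (first_member_stop_hour, data_loss_hour) for a RAID set.

    member_ages: power-on hours each member already had when the array was
    built (0 = brand new). A member stops at fail_at hours of its own life,
    i.e. at array hour fail_at - age. Data is lost when more members than the
    RAID level tolerates have stopped (RAID 0: 0, RAID 5: 1, RAID 6: 2).
    Simplified model: no replacements and no rebuild time.
    """
    stop_hours = sorted(fail_at - age for age in member_ages)
    first_stop = stop_hours[0]
    loss = stop_hours[tolerance] if len(stop_hours) > tolerance else None
    return first_stop, loss


if __name__ == "__main__":
    print("hour 32767 ->", to_int16(32767), "| hour 32768 ->", to_int16(32768))
    print("all-new RAID 5:", array_failure_timeline([0, 0, 0, 0], tolerance=1))
    print("staggered RAID 5:", array_failure_timeline([0, 1000, 2000, 3000], tolerance=1))
```

The difference between the two timelines is the replacement window: zero hours for an array built from identical new drives, a thousand hours for one whose members were staggered by that much.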
In the run-up to Y2K, one of the fixes was “windowing”, where two digit years below 20 (for example) were treated as in the 21st century and years above 20 were in the 20th. There was some speculation that there might be problems when the end of the window arrived.
This might just be an example: https://nakedsecurity.sophos.com/2019/11/27/splunk-customers-should-update-now-to-dodge-y2k-style-bug/ even though the product was written after 2000, if a pre-existing library was used. If it is a Y2K end-of-window problem, there may be similar problems about to appear.
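The windowing described above, worked through as an added example (constructed code, not taken from Splunk or from any library named in the article): a fixed pivot of 20 expands "19" to 2019 but "20" to 1920, so a timestamp from January 2020 suddenly reads as a century old and an expiry check that was fine for twenty years starts misfiring. The sliding-window variant keeps the same two-digit input but anchors the window to the current year, which is the usual fix. The pivot value and the date stamps are assumptions chosen to show the edge.

```python
"""Added example: fixed-pivot vs sliding-window expansion of two-digit years."""
import datetime

FIXED_PIVOT = 20  # constructed: a pivot of the kind chosen in the late 1990s


def expand_fixed_window(yy: int, pivot: int = FIXED_PIVOT) -> int:
    """Fixed-pivot windowing: 00..pivot-1 -> 20xx, pivot..99 -> 19xx.
    Fails as soon as real dates reach the pivot year."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy < pivot else 1900 + yy


def expand_sliding_window(yy: int, today_year: int, years_ahead: int = 20) -> int:
    """Sliding window: choose the century that places yy inside the 100-year
    span ending `years_ahead` years after today, so the window moves with time."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    upper = today_year + years_ahead
    candidate = (upper // 100) * 100 + yy
    if candidate > upper:
        candidate -= 100
    return candidate


def parse_yymmdd(stamp: str, expand) -> datetime.date:
    """Parse a YYMMDD stamp using the supplied century-expansion rule."""
    if len(stamp) != 6 or not stamp.isdigit():
        raise ValueError("YYMMDD expected")
    yy, mm, dd = int(stamp[:2]), int(stamp[2:4]), int(stamp[4:])
    return datetime.date(expand(yy), mm, dd)


def is_expired(stamp: str, today: datetime.date, expand) -> bool:
    """An expiry check of the kind that misfires at the end of a fixed window."""
    return parse_yymmdd(stamp, expand) < today


if __name__ == "__main__":
    today = datetime.date(2019, 12, 1)
    sliding = lambda yy: expand_sliding_window(yy, today.year)
    for stamp in ("191231", "200115"):
        print(stamp, "fixed ->", parse_yymmdd(stamp, expand_fixed_window),
              "| sliding ->", parse_yymmdd(stamp, sliding))
```

Note that a sliding window only defers the problem for data stored with two-digit years; the durable fix is to carry four-digit years end to end.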
People who weren't involved in solving the Y2K problem seem to think it wasn't a serious issue. But it was and despite the billions of dollars spent and the tens of thousands of people who worked to identify and fix the problems, 15 nuclear reactors shut down on January 1st 2000. I led the Y2K service line for Deloitte Consulting for a few years and I have described what really happened. See: https://s3-eu-west-1.amazonaws.com/content.gresham.ac.uk/data/binary/2773/2017-04-04-MartynThomas_Y2K-T.pdf
[spotted by Phil Porras]
“By subtly increasing or decreasing the current delivered to a CPU — operations known as ‘overvolting’ and ‘undervolting’—a team of scientists has figured out how to induce SGX faults that leak cryptographic keys, break integrity assurances, and potentially induce memory errors that could be used in other types of attacks.”
https://khn.org/news/website-errors-raise-calls-for-medicare-to-be-flexible-with-seniors-enrollment/
Ok, who here would ever trust basic caller ID, and triply so in a Major Issue like the impeachment hearings?
Regarding those phone logs, displayed in the impeachment process, that seemed to show that Rudy spoke with OMB numerous times:
[Wall Street Journal]
That number, along with the other references in the report to a number associated with OMB, all correspond to a placeholder number that shows up when officials in several White House departments make calls, according to people familiar with the matter. The people said the number shows up on the caller ID of individuals outside the White House when some White House officials call them from a landline.
dannyb recalls getting phone calls from the NYTimes phone network with caller ID of “111-111-1111”, and about five years ago when the NYT actually ran a story saying they were going to end that nonsense.
https://www.wsj.com/articles/ubers-dirty-little-secret-shared-driver-accounts-11574883278
A new method using fiber-optic cables pinpointed the previously hidden system—and it may reveal more seismic surprises around the globe
EXCERPT:
Beneath the cerulean waters of Monterey Bay, just a few miles southeast of Santa Cruz, California, a never-before-seen cluster of faults has been found lurking on the ocean floor.
These newly spotted wrinkles in Earth's crust <https://science.sciencemag.org/cgi/doi/10.1126/science.aay5881>, described in a paper published today in Science, are still largely a mystery. We can't say much about their size, shape, or how active they are. Still, the findings show that even in one of the most seismically studied corners of the planet, fault maps of the ocean floor contain gaping holes. That's a big problem, because if we don't know where sea-floor faults are, coastal communities are going to be in the dark about any earthquake or tsunami threats they might present.
The new research also offers a solution to our tectonic blindspot: We can harness the hundreds of thousands of miles of fiber optic cables <https://www.nytimes.com/interactive/2019/03/10/technology/internet-cables-oceans.html> that send emails, Tweets, and video messages ping-ponging across Earth every day. Scientists discovered California's newest known offshore faults by borrowing a garden hose-size fiber optic cable that spans the sea-floor of Monterey Bay and turning it into an ad-hoc seismic array. (Also find out how researchers used ancient Aztec records to find a previously unknown seismic risk in Mexico.) <https://www.nationalgeographic.com/science/2019/10/ancient-aztec-records-reveal-hidden-earthquake-risk-in-mexico/>
Researchers hope this new method might one day be used to collect treasure troves of seismic data in major cities that are already undergirded by networks of fiber optic telecommunications cables but don't have the budget or physical space to install thousands of seismometers. Cables located directly offshore of major population centers, meanwhile, might be slightly retooled to serve as the backbone for new early warning systems. <https://earther.gizmodo.com/inside-the-plan-to-prepare-the-pacific-northwest-for-a-1832591821>
“The possibilities are pretty large,” says study coauthor Craig Dawe <https://www.mbari.org/dawe-craig/> of the Monterey Bay Aquarium Research Institute. “Worldwide, there's lots of fiber optic cable deployed.”
Illuminating the sea-floor…
Dexcom's continuous glucose monitoring technology has been a quiet revolution for diabetes patients. The wearable patch keeps tabs on diabetics' blood sugar levels in real time. What's more, the Dexcom G5 and G6 devices can transmit information to a smartphone app through a service called Dexcom Follow—critical for the parents and caregivers of diabetics, who can receive instant notifications of dangerous oscillations in blood glucose for those who may not be capable of monitoring such data themselves.
But, at some point late Friday evening, the Dexcom Follow service went dark. And it still hadn't been fully restored as of Monday afternoon, according to an update on the company's Facebook account.
https://fortune.com/2019/12/02/dexcom-outage-blackout-diabetes-patients-blood-sugar-monitor/
https://www.wsj.com/articles/facebook-experiences-sporadic-outages-11574963022
A vulnerability in the way Microsoft applications use OAuth for third-party authentication could allow an attacker to take over Azure cloud accounts.
At least 54 sub-domains with whitelisted URL endings were not registered in the Azure portal.
Attackers can take advantage of this by taking over these domains and then registering them, meaning that they would be approved by default and could request users' ‘access_tokens’, which would then allow them to take actions using users' permissions. If a victim is an Azure admin, for instance, an attacker could access high-level permissions, like adding unwanted members to a Microsoft Active Directory role, resetting other users' passwords or adding users to groups,
https://threatpost.com/microsoft-oauth-flaw-azure-takeover/150737/
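The two controls this report points at, as an added example (constructed code and placeholder names, not Microsoft's implementation or the researchers' material): a redirect-URI rule that trusts any host with an approved ending accepts sub-domains nobody has registered, whereas exact matching against the registered URIs does not. Exact matching alone does not help if a registered host itself is dangling, so the third function audits the registered list against a DNS inventory you control. The URIs, suffixes and inventory are all assumed values.

```python
"""Added example: suffix-based vs exact redirect_uri validation, plus a
dangling-host audit. All names are constructed placeholders."""
from typing import Iterable, List, Optional
from urllib.parse import urlparse

TRUSTED_SUFFIXES = (".example-app.com",)           # what a suffix-only rule trusts

# Redirect URIs explicitly registered for the app (constructed).
REGISTERED_REDIRECT_URIS = {
    "https://portal.example-app.com/oauth/callback",
    "https://login.example-app.com/oauth/callback",
    "https://old-demo.example-app.com/oauth/callback",  # registered years ago
}

# DNS names the organisation actually controls today (constructed inventory).
OWNED_DNS_NAMES = {"portal.example-app.com", "login.example-app.com"}


def allowed_by_suffix(redirect_uri: str) -> bool:
    """Weak rule: any host ending in a trusted suffix passes, whether or not
    that host was ever registered or is even owned by anyone."""
    host = (urlparse(redirect_uri).hostname or "").lower()
    return host.endswith(TRUSTED_SUFFIXES)


def normalize_redirect_uri(redirect_uri: str) -> Optional[str]:
    """Canonical form for exact matching: https only, lowercase host,
    no fragment; path and query kept verbatim."""
    p = urlparse(redirect_uri)
    if p.scheme != "https" or not p.hostname or p.fragment:
        return None
    uri = f"https://{p.hostname.lower()}{p.path or '/'}"
    if p.query:
        uri += "?" + p.query
    return uri


def allowed_by_registration(redirect_uri: str) -> bool:
    """Strict rule: exact match against the registered URIs, as RFC 6749
    section 3.1.2.2 recommends. Unregistered sub-domains never pass."""
    uri = normalize_redirect_uri(redirect_uri)
    return uri is not None and uri in REGISTERED_REDIRECT_URIS


def dangling_redirect_hosts(registered_uris: Iterable[str],
                            owned_dns_names: Iterable[str]) -> List[str]:
    """Hosts named in registered redirect URIs that are not in the DNS
    inventory you control: each one is a registration to remove."""
    hosts = {(urlparse(u).hostname or "").lower() for u in registered_uris}
    return sorted(hosts - set(owned_dns_names))


if __name__ == "__main__":
    probe = "https://forgotten.example-app.com/oauth/callback"
    print("suffix rule:", allowed_by_suffix(probe))
    print("exact rule: ", allowed_by_registration(probe))
    print("dangling:   ", dangling_redirect_hosts(REGISTERED_REDIRECT_URIS, OWNED_DNS_NAMES))
```

Run the audit from the organisation's own DNS records on a schedule; a registration whose host has dropped out of the inventory should be removed at the same time the name is released.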
The earliest compiled high-level languages were considered “self-programming computers” and “the end of programming by humans”. In a way, that was correct—since programming until then was mostly done in assembly languages; indeed not many assembly programmers are still around by now.
But what such “end of programming” predictions miss is that while coding is a rote activity that may be replaced by automation, programming is not. The role of a programmer is to expect the unexpected, and tell machines what to do in such unforeseen circumstances; even with AI, humans will always be needed to mediate the real world to mechanical entities.
I contacted the RAIB about this poor design having read their safety digest https://www.gov.uk/government/publications/safety-digest-102019-hockley
My concerns were that the FMEA should have picked up the non-detection of the failure of the fasteners, as well as a lot of other faults, including:
The reply from the RAIB is as follows:
Thank you for your email. The diagram shows only components relevant to the incident and the omitted components include a second micro switch which detects the position of the right hand (non-incident) door. This is an old but widely used design. The methods used in the design were unlikely to be as now, so our safety digest concentrated on the need for effective fastener retention, a message which applies well beyond the door arrangement involved in the incident.
Without a detailed design analysis it is difficult to know which of the first 7 items on my list above are mitigated by a second microswitch.
My concern here is that there are newspaper articles almost daily (at least in the UK) saying “AI is going to make huge changes to everybody's jobs real soon, so what are politicians going to do about it now?!?”, the RISK being that governments will try to figure out what's going to happen and plan for exactly this, while real life goes off in a different direction. Example analogy is civil aviation when I was a kid in the 1960s; the Brits and French saw the future as supersonic travel and developed Concorde at great cost to taxpayers, while Boeing looked to slow but bigger aircraft and developed the 747 ‘jumbo jet’. Not sure of the precise figures, but there were only 16 Concordes and they last flew about 15 years ago, while 1,500 747s have been built and about 500 are still in service.
> “In 20 years time people will still be predicting that in 20 years time we would have machines as intelligent as humans!”
That's because in this context, “human intelligence” is a moving target. Until the 1960s, looking up a name and number in a phone book was considered a task of human intelligence; until the 1990s, it required human intelligence to plan a travel route using a map and traffic reports; even driving a car was considered a task requiring some form of human intelligence until quite recently.
The point is, at any point in time, what is considered “human intelligence” would always be defined as “what machines cannot do now”. Any task which AI achieves, is naturally taken off the list of what AI is supposed to do if/when finally machines become “as intelligent as human”.
So the answer to the question “When will AI reach human intelligence?”, for a visitor of the early 20th century (actually, anyone over 50 years old) is “they already have”; for a current observer, as Martin Ward notes, it will always be “twenty years from now”.
I have seen Seattle TV stations saying that Washington state mails an automated notice to the registered owner every time that vehicle registration data is provided to a third party. That would make disclosure more transparent than bulk transfer of data without notice and would give voters what they need to influence legislators, or not if they feel that it is no big deal.
In the late 1980s I discovered that the British Columbia Assessment Authority was peddling the names of every home in BC, along with the names of the 2 previous owners, with zero legislative or regulatory authority. The only authority in the Assessment Act for 3rd party disclosure was when a charge against the property existed, and expired when the lien or mortgage was paid off.
I complained to the BC Ombudsman, as it was called then. They produced a report: https://www.bcombudsperson.ca/documents/access-information-and-privacy
The Social Credit (~USA Republican) was in power and drafted Bill 12 to increase Public Sector Privacy Protection, but got voted out of power and withered away to nonexistence after reporters used BC Online to retrieve details about SoCred BC Premier Vander Zalm still being a corporate board member and about land dealings of the company. I was the Technical Architect for the dial up (1988) version of BC Online, but my employer found me other work when I raised Privacy concerns while putting the Technical Proof of Concept demo together. BC Online exploded to over 10,000 paying customers by the end of the first year of operation. Banks, Realtors, car & boat dealers, lawyers, News Rooms. It was all public record data, but much easier to retrieve 24x7 with a computer than by checking paper files in a land office in person during government office hours. It also dealt with concerns such as pages being removed during inspection by the public.
The NDP (~ UK Labour) watered down Bill 12 to draft Bill 50, which was proclaimed as BC's Freedom of Information and Privacy Act. It has a black letter law prohibition on extracting PII for soliciting, yet the BC Assessment Authority kept peddling PII on optical disks, which Realtors used for sending junk mail. The arrival of personally addressed real estate solicitations at our non published home address continued until it went to a full scale inquiry. I was invited to make a submission to the Inquiry. My name appears in the Thanks next to David Loukidelis, who later became BC's second Information and Privacy Commissioner. https://www.oipc.bc.ca/investigation-reports/1258
Shortly afterwards, the BC Assessment Authority Director who had been stonewalling my concerns for a decade disappeared from the BC Public Service. Perhaps his last meeting with his boss went something like this: https://www.youtube.com/watch?v=0r_L5Z7yLTU
He applied to the BC Cabinet for an Applies Despite exemption to the FOIPP Act, but was turned down and kept on peddling PII. Did he not understand the N or the O? That was a pity. It is better when you can be persuasive and change thinking. Settling for only changing who is doing a job, or simply their behaviour, is a last resort.
A Victoria BC municipal web interface showing the owner name and assessed value of every Victoria property, no questions asked, was quickly shut down by an OIPC BC Order.
That was not the end of the arrival of personally addressed solicitations using prohibited extracts from BC government records at our non published address, but that is another story.