Because of a software problem, the uncrewed capsule had to abort its flight to the International Space Station
[Thanks to Steven Cheung at SRI.]
Brad Plumer and Coral Davenport, The New York Times, 28 Dec 2019 [Long item truncated for RISKS. PGN]
In three years, the administration has diminished the role of science in policymaking while disrupting research projects nationwide. Experts say the effects could be felt for years.
https://www.nytimes.com/2019/12/28/climate/trump-administration-war-on-science.html
WASHINGTON—In just three years, the Trump administration has diminished the role of science in federal policymaking while halting or disrupting research projects nationwide, marking a transformation of the federal government whose effects, experts say, could reverberate for years.
Political appointees have shut down government studies, reduced the influence of scientists over regulatory decisions and in some cases pressured researchers not to speak publicly. The administration has particularly challenged scientific findings related to the environment and public health opposed by industries such as oil drilling and coal mining. It has also impeded research around human-caused climate change, which President Trump has dismissed despite a global scientific consensus.
But the erosion of science reaches well beyond the environment and climate. […]
“When we decapitate the government's ability to use science in a professional way, that increases the risk that we start making bad decisions, that we start missing new public health risks,” said Wendy E. Wagner, a professor of law at the University of Texas at Austin who studies the use of science by policymakers.
“Looks like our users thought you were too good to be true,” the company wrote to Stone on Twitter.
Ransomware infection led to a disruption of camera and physical access control systems, and loss of critical process control monitoring systems
EXCERPT:
An infection with the Ryuk ransomware took down a maritime facility for more than 30 hours, the US Coast Guard said in a security bulletin it published before Christmas. <https://www.dco.uscg.mil/Portals/9/DCO Documents/5p/MSIB/2019/MSIB_10_19.pdf>
The agency did not reveal the name or the location of the port authority; however, it described the incident as recent.
“Forensic analysis is currently ongoing but the virus, identified as 'Ryuk' ransomware,” the US Coast Guard (USCG) said in a security bulletin meant to put other port authorities on alert about future attacks.
POINT OF ENTRY: PHISHING EMAIL
USCG officials said they believe the point of entry was a malicious email sent to one of the maritime facility's employees.
“Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility's access to critical files,” the agency said.
The USCG security bulletin describes a nightmare scenario after this point, with the virus spreading through the facility's IT network, and even impacting “industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations.”
Coast Guard officials said the Ryuk infection caused “a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems.”
The maritime facility—believed to be a port authority—was forced to shut down its entire operations for more than 30 hours, the Coast Guard said.
INCREASE IN MARITIME CYBER THREATS…
EXCERPT:
The U.S. Central Intelligence Agency has devised technology to restrict the use of anti-aircraft missiles after they leave American hands, a researcher said, a move that experts say could persuade the United States that it would be safe to disseminate powerful weapons more frequently.
The new technology is intended for use with shoulder-fired missiles called Man-Portable Air-Defense Systems (MANPADS), Dutch researcher Jos Wetzels told a cybersecurity conference here in Leipzig, Germany on Saturday. Wetzels said the system was laid out in a batch of CIA documents published by WikiLeaks in 2017 but that the files were mislabeled and attracted little public attention until now.
Wetzels said the CIA had come up with a smart arms control solution that would restrict the use of missiles “to a particular time and a particular place.” The technique, referred to as geofencing, blocks the use of a device outside a specific geographic area.
Weapons that are disabled when they leave the battlefield could be an attractive feature. Supplied to U.S. allies, the highly portable missiles can help win wars, but they have often been lost, sold, or passed to extremists…
Much worse than originally reported
The global hacking campaign known as Cloud Hopper perpetrated by government-sponsored Chinese hackers was much worse than originally reported, according to an investigation by the Wall Street Journal <https://www.wsj.com/articles/ghosts-in-the-clouds-inside-chinas-major-corporate-hack-11577729061> you should read in full.
The report says that at least a dozen cloud providers were affected, but focuses on HP to illustrate the severity of the intrusions and the tactics used to attack and defend. “The Journal found that Hewlett Packard Enterprise Co. was so overrun that the cloud company didn't see the hackers re-enter their clients' networks, even as the company gave customers the all-clear.”
“Inside the clouds, the hackers, known as APT10 to Western officials and researchers, had access to a vast constellation of clients. The Journal's investigation identified hundreds of firms that had relationships with breached cloud providers, including Rio Tinto, Philips, American Airlines Group Inc., Deutsche Bank AG, Allianz SE, and GlaxoSmithKline PLC.” […]
“They came in through cloud service providers, where companies thought their data was safely stored. Once they got in, they could freely and anonymously hop from client to client, and defied investigators' attempts to kick them out for years.”
A lot of this was known in broad terms, as revealed by a Reuters investigation in June. <https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/> The more detailed WSJ investigation <https://www.wsj.com/articles/ghosts-in-the-clouds-inside-chinas-major-corporate-hack-11577729061> shows just how vulnerable our data is when stored by a third party, and how aggressively state-sponsored hackers continue to pursue it.
https://www.theverge.com/2019/12/31/21044173/cloud-hopper-apt10-china-hackers
https://patch.com/virginia/annandale/s/gyddx/wawa-data-breach-dc-va-customers-could-be-affected
[“Paging Monty Python …”]
Charlie Osborne for Zero Day | 18 Dec 2019
https://www.zdnet.com/article/an-executive-died-taking-investor-cryptocurrency-with-him-now-they-want-the-body-exhumed/
Executive dies, taking investor cryptocurrency with him. Now they want the body exhumed.
The CEO of Quadriga was the only one who could access user funds, but claims of his death have not satisfied everyone.
opening text:
The former Quadriga CX CEO Gerald Cotten died suddenly this year, taking the keys required to access cryptocurrency funds belonging to investors with him.
Now, these same traders, devoid of millions in investment, have requested that the body of the firm's former CEO be exhumed to confirm his death.
[Monty Solomon noted this on Ars Technica: Exhume dead cryptocurrency exec who owes us $250 million, creditors demand https://arstechnica.com/information-technology/2019/12/cryptocurrency-investors-want-to-exhume-ceo-who-took-250-million-to-his-grave/ PGN]
https://www.boston.com/news/local-news/2019/12/20/south-end-cars-towed-city-error
This essay describes a two-step risk process which tourists consciously (or unconsciously) perform when considering travel destination activities.
The process is apparently not unique to vacation planning, but seems to characterize the conduct in large, human-structured entities such as businesses, and governments. Organizational structures, when unethically or capriciously governed, can manufacture products or publish services that injure public health and safety.
From the article, the process is outlined as:
a) Risk Denied—Trek to an active volcano for a once in a lifetime photograph. For White Island, the volcano's historical and current eruption potential/activity level has been tracked since 1975 and available via https://www.geonet.org.nz/about/volcano/whiteisland.
b) Risk Economized—Business profit priority over rigorous life cycle practices compromises public safety. Messages from 2016, prior to 737 MAX deployment certification, indicated flight simulation MCAS anomalies that were not communicated to regulators (until very recently), and were generally shirked by senior Boeing governance given triple constraint (scope, schedule, cost) impact.
Risk: Governance situation awareness denial, aka myopia.
https://www.wired.com/story/alleged-bitcoin-scam-like-pyramid-scheme/
https://www.nytimes.com/interactive/2019/12/20/opinion/location-data-national-security.html
China is now using Indian actions to shut down the Internet as a justification for its own throttling:
17 Dec 2019 http://en.people.cn/n3/2019/1217/c90000-9641267.html
[News summary provided by Rebecca Mercuri, Ph.D. <mercuri@acm.org>.]
Richard DeMillo <https://www.cc.gatech.edu/people/richard-demillo>, a Georgia Tech professor who sat on Verified Voting's advisory board, and UC Berkeley statistics professor and associate dean Philip Stark <https://www.stat.berkeley.edu/~stark/>, a VV board member, have resigned from the advocacy group, stating that they believe that Verified Voting has been giving election officials false confidence in some voting machines and providing cover for the companies that make and sell these machines.
In DeMillo's December 1 resignation letter to Barbara Simons (chair of VV's board of directors), he claimed that “Verified Voting's policy positions were unpredictable, contradictory, and not aligned with the values I once believed we shared. On more than one occasion, Verified Voting has taken contradictory public stances in the span of a few days, undercutting allies and supporters. The pattern of espousing new positions and making public statements that take local VV stakeholders by surprise is nothing new. Rather than seeking out advice, Verified Voting has gone to great lengths to avoid it.”
With respect to VV's involvement in a Risk Limiting Audit (RLA) pilot in Georgia, DeMillo claimed that “Verified Voting's seal of approval for the security theatrics in Bartow County undermines efforts to make elections more accountable. … No audit based on an untrustworthy audit trail can confirm the correctness of the outcome. Billing such an exercise as an RLA and touting it as a proof of security plays into the hands of cynics.”
Stark, who resigned on November 21, accused VV of being on the wrong side, saying: “Our message to jurisdictions that buy poorly designed, insecure, universal-use BMD [ballot marking device systems] should be, ‘We tried to warn you. You need a better voting system’ … Instead, we're saying, ‘Don't worry: VV will teach you to sprinkle magic RLA dust and fantasies about parallel testing on your untrustworthy election. All will be fine; you can use our authority and reputation to silence your critics.’”
https://www.wired.com/story/meet-the-mad-scientist-who-wrote-the-book-on-how-to-hunt-hackers/
https://www.npr.org/2019/12/18/789436174/the-phoebus-cartel
[NOTE: See http://catless.ncl.ac.uk/Risks/30/11#subj7.1 for the first mention of 'Phoebus Cartel' in comp.risks.]
Planned obsolescence encompasses two key business priorities that fuel the consumer marketplace:
1) Products are designed and manufactured to fail within a certain service lifetime interval;
2) Product obsolescence promotes incremental improvements, and new versions become available for consumer purchase, often promoted as 'greener, reduced operational cost expenditure, faster, more reliable, etc.' than their predecessors to induce sales.
Brand loyalty or guilt from being 'left behind' can compel a repurchase decision.
Light bulbs were originally designed and manufactured to never fail. Their nascent longevity and resilience testifies to engineering pride and demonstrable human ingenuity. However, light bulb manufacturing businesses observed that a marketplace saturated with very durable illumination products limits future sales: revenue capture and realization stall, and long-term profit potential and earnings drop.
And the light bulb's initially immutable nature, since reduced to ~1000 continuous hours (for the old wire filament type), taught business that product innovation via incremental change can promote future profit generation.
In structured business organizations, product change embodies processes governed according to a risk management framework that weighs requirements, process alternatives, and operational key performance metrics against concrete business outcome potentials (market-share capture and revenue growth, reputation improvement, etc.).
For technological devices, a new software revision or hardware enhancement represents a product change that requires sophisticated, accountable, and ethically motivated process governance. The evolution or introduction of cellphones, smart home appliances, aircraft maneuvering augmentation systems, pharmaceutical infusion devices, robotic surgery platforms, implanted medical devices, etc. epitomize incremental technological change.
Tom Wolfe's “The Right Stuff” states concisely: “No bucks, no Buck Rogers.” Technological change is “Buck Rogers.” Incremental product change requires investment. Risk—to the public, to the business, to the environment—arises from change, especially so for software, multi-billion transistor chips, neuromorphics, memristors, quantum computers, etc. The creators and builders of these products constitute considerable business expenses; intellectual property innovation is not free, unless it is stolen.
Business risk planning and mitigation cannot be 100% complete or accurate. Capricious collaboration, peculiar organizational behavior, and mistake can be inimical to successful risk planning initiatives. Perfection does not, and cannot, exist anywhere in a business or project life cycle context.
Technological systems or devices embody complexity that cannot be completely characterized or profiled for risk. Consequently, product failures, or unexpected field operations, materialize as consumer inconvenience, brand outrage, and/or fatality.
An ethical and accountable governance process is expected to engage to forestall catastrophe when change management processes are pressurized or corrupted to overlook relevant risks that potentially sacrifice product viability, especially if public safety is jeopardized by these circumstances.
Product change abandonment, and conscientious evaluation by root cause analysis, is essential when potential business profit sacrifice assumes priority over public risk exposure. A product that does no harm is more likely to sell than one that injures the public. Automobiles constitute an acknowledged exception on this point, as do firearms, cigarettes, opioid pharmaceuticals, etc. All of these products are subject to regulation and enforcement in the US. Regulatory enforcement effectiveness is unfortunately debatable.
Business risk blindness, and profit pursuit, have repeatedly jeopardized public safety. In an era where regulatory arbitrage, and regulatory capture, enables and sponsors risk blindness, profit motives become brand outrage's and disaster's bridesmaid. Rigorous regulatory structures, strict enforcement and penalties that deter reckless business governance conduct are essential. Businesses must cease exploitation of product change that sacrifices public blood and treasure.
The cause is described as “human error”: but surely it is a design error if a disconnected sensor is indistinguishable from a connected sensor reporting that everything is OK?
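The design point in the comment above, as an added example that is not part of the original post: a small Python model with a naive monitor in which a missing reading silently defaults to OK, beside a fail-safe monitor in which absence or staleness of a reading is a distinct state that demands attention. The sensor type, the 5-second staleness budget and the sample readings are constructed for illustration, not taken from any real system.

```python
"""Fail-safe handling of sensor presence (added example, constructed data).

Models a sensor that reports an alarm flag. A disconnected sensor (no
reading at all, or a stale one) must not look like a connected sensor
reporting 'all clear'.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    OK = "ok"
    ALARM = "alarm"
    DISCONNECTED = "disconnected"


@dataclass(frozen=True)
class Reading:
    """Constructed sample reading: alarm flag plus a monotonic timestamp in seconds."""
    alarm: bool
    timestamp: float


MAX_AGE_S = 5.0  # assumed heartbeat budget; an illustrative value, not from the page


def naive_state(reading: Optional[Reading]) -> State:
    """Flawed design: absence of a reading is indistinguishable from 'OK'.

    A disconnected sensor yields None; None is 'not alarm', so the
    dashboard shows green exactly as it would for a healthy sensor.
    """
    if reading is not None and reading.alarm:
        return State.ALARM
    return State.OK


def failsafe_state(reading: Optional[Reading], now: float) -> State:
    """Hardened design: no reading, or a stale one, is its own state.

    Only a fresh, explicit 'no alarm' reading yields OK; anything else
    is reported as DISCONNECTED or ALARM.
    """
    if reading is None:
        return State.DISCONNECTED
    if now - reading.timestamp > MAX_AGE_S:
        # Stale heartbeat: the link is effectively down even though a value exists.
        return State.DISCONNECTED
    return State.ALARM if reading.alarm else State.OK


def needs_attention(state: State) -> bool:
    """Anything other than a positive, fresh OK should be surfaced to an operator."""
    return state is not State.OK


if __name__ == "__main__":
    # Constructed scenarios showing where the two designs diverge.
    now = 100.0
    cases = {
        "fresh ok": Reading(alarm=False, timestamp=99.0),
        "fresh alarm": Reading(alarm=True, timestamp=99.5),
        "stale ok": Reading(alarm=False, timestamp=10.0),
        "unplugged": None,
    }
    for name, r in cases.items():
        print(f"{name:12s} naive={naive_state(r).value:13s} "
              f"failsafe={failsafe_state(r, now).value}")
```

Run as a script, the "stale ok" and "unplugged" rows are the ones that differ: the naive monitor reports `ok` for both, the fail-safe monitor reports `disconnected`. The same pattern applies to any check where a null or default value would otherwise be read as a positive result.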
Of course I'm aware of the Turing Test, but I think its definition of an “evaluator” who cannot distinguish between a human and a machine on-line, is also a moving target. The more we're used to interacting with “talking machines”, the more we become adept at distinguishing between these and “real” humans.
I think no machine could ever fool its own creators; for them, at least, the answer to the question “When will machines become as intelligent as humans?” would therefore always be “20 years from now”.
Martin Ward writes that the definition of “machines as intelligent as humans” was established back in 1950 in the seminal paper by Alan Turing, “Computing Machinery and Intelligence”, which described the “Turing Test”. It should (still) be required reading for any software engineer.
The concept of machine intelligence is faulty because there is no clear and generally accepted concept of human intelligence. It is not merely the intellectual capability of manipulating logic, and humans survived very well for a long time without formal logic.
Also, despite Turing's clearly superior mathematical mind, he did not sufficiently understand human thinking. For consider, in the early days of language and thinking with language, there was no need to distinguish between speech from a human and speech from, say, a rock. If you heard speech, then of course you would normally assume it was a human speaking. And the first recorded case of a human reacting to words from a machine as if they were from a human was in the Doctor and Eliza experiments, with only the most primitive processing of language. The “Turing Test” is not valid.
There is an older UK case, going back to around Eternal September or before, involving a British Police Officer who was initially convicted of attempted fraud simply for asking about the details of an unrecognized withdrawal from his bank account.
I will check old dead tree issues of Privacy Journal to see if I can find more details in those.
If memory serves the only detail he ever got from the bank was a clerk asking him if he enjoyed his Irish Vacation. He had not been to Ireland.
The bank had a draconian response to his simple request for details of what we would now regard as an obvious case of ATM error or card cloning fraud insisting that the Officer was trying to defraud them, rather than providing details such as the location of the ATM and the time of day.
The Officer was convicted at the lowest level court, which got him fired, as well as convicted. Things only turned around when the British Computer Society got involved, providing Expert Opinion during the appeal about the unreliability of the bank's ATM system and supposed ironclad evidence. “Trust us, it is all in the computer and the computer is always correct” should never be allowed to pass unchallenged in court.
> In the USA, we are cursed by close elections where every vote counts.
> Recounts after close elections too often lead to viscous fights over recount
I, for one, would love to see those “viscous” fights filmed and put up on YouTube. Perhaps we could make the politicians fight it out in huge tubs of honey.