The RISKS Digest
Volume 31 Issue 57

Monday, 10th February 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Backhoes, squirrels, and woodpeckers as DoS vectors

Richard Forno

Benjamin Netanyahu's election app potentially exposed data for every Israeli voter

WashPost

The app that broke the Iowa caucus, an inside look

CNET

Tesla Remotely Removes Autopilot Features From Customer's Used Tesla Without Any Notice

Clean Technica

Recent Car Thefts May Be Related To Carsharing App Getaround, Warns D.C. Attorney General

DCist

SSL Certificates are expiring…

Cryptography

Nasty Linux, macOS sudo bug found and fixed

ZDNet

Cisco Flaws Put Millions of Workplace Devices at Risk

WiReD

Data leakage from portable versions of Open Office and Libre Office

Arthur T.

Facebook's Bug Bounty Caught a Data-Stealing Spree

WiReD

The ‘manosphere’ is getting more toxic as angry men join the incels

MIT Tech Review

Explainable AI

Chris Elsässer

Read the FBI's Damning Case Against the Recently Arrested Nintendo Hacker

Vice

Who owns your feelings? Short doc shows how big tech uses AI to track emotions

CBC

Photo Roulette on the App Store

Gabe Goldberg

The ‘race to 5G’ is a myth

WEForum

Not all fun and memes: What's the trouble with TikTok?

CBC

The Night Sky Will Never Be the Same

The Atlantic

Boeing's Starliner space capsule suffered a second software glitch during December test flight

WashPost

Boeing Refuses to Cooperate With New Inquiry into Deadly Crash

NYTimes

NASA Shares Initial Findings from Boeing Starliner Orbital Flight Test Investigation

NASA

Re: Boeing 737s can't land facing west

Terje Mathisen

Re: 99 smartphones …

3daygoaty JC Cantrell

Re: Artificial intelligence-created medicine to be used on humans for first time

Mark Thorson

Re: AI-created medicine to be used on humans

Henry Baker

Re: Election Security At The Chip Level

John R. Levine

Re: Should Automakers Be Responsible for Accidents?

Gabe Goldberg

Info on RISKS (comp.risks)

Backhoes, squirrels, and woodpeckers as DoS vectors

[The video shows] a wireless antenna in California. Network coverage was disrupted by an Acorn woodpecker, a 3-ounce bird stashing an estimated 35-50 gallons/300lbs of acorns.

http://twitter.com/gunsnrosesgirl3/status/1226715791443148800

Social media have been attributing this to squirrels for a long time. I of course try to correct people anytime I see this. It just proves that attribution can be really difficult. RF

Benjamin Netanyahu's election app potentially exposed data for every Israeli voter (WashPost)

https://www.washingtonpost.com/world/middle_east/benjamin-netanyahus-election-app-potentially-exposed-data-for-every-israeli-voter/2020/02/10/98f606c0-4bfe-11ea-967b-e074d302c7d4_story.html

The app that broke the Iowa caucus, an inside look (CNET)

A cybersecurity company got hold of the code for Shadow, the app used in the Iowa caucus, and spoke to CNET about what it found

EXCERPT:

Results from Monday's Iowa caucus were delayed for days because of problems with a smartphone app used to tabulate and report results, causing chaos and frustration among campaigns and voters. A reported coding issue caused the app to only report out partial data, Iowa Democratic Chairman Troy Price said in a statement.

<https://www.cnet.com/news/as-iowa-caucuses-arrive-facebook-has-a-trust-problem/>

<https://www.cnet.com/news/iowa-caucus-results-delayed-due-to-reporting-inconsistencies-after-switching-to-new-tech-system/>

<https://www.cnet.com/news/iowa-caucus-app-debacle-what-went-wrong/>

Cybersecurity company Blue Hexagon obtained a copy of the app, created by a company called Shadow, Inc. Blue Hexagon's head of cyberthreat intelligence and operations, Irfan Asrar, spoke with CNET's Dan Patterson about what went wrong and the overarching cybersecurity concerns this presents for the rest of the 2020 election.

<https://www.cbsnews.com/video/cyber-experts-weigh-in-on-the-app-that-crashed-the-iowa-caucus/>

<https://www.zdnet.com/article/the-scariest-hacks-and-vulnerabilities-of-2019/>

Blue Hexagon is still diagnosing exactly why the app failed. But the final version of the app has several problems within the code, including links to people's personal websites, Asrar said. “What we believe is, this is an oversight, and an example of the app being rushed into production,” he added. The larger concern is that the app was so easy to obtain, which means anyone could access the infrastructure supporting it and potentially cause damage, Asrar said.

Watch the video for the full interview

<https://www.cnet.com/videos/inside-shadow-an-exclusive-look-at-the-mobile-app-that-broke-the-iowa-caucus/> and more insight into the Shadow, Inc. app. […]

https://www.cnet.com/news/the-app-that-broke-the-iowa-caucus-an-inside-look/

Tesla Remotely Removes Autopilot Features From Customer's Used Tesla Without Any Notice (Clean Technica)

EXCERPT:

One of the less-considered side effects of car features moving from hardware to software is that important features and abilities of a car can now be removed without any actual contact with a given car. Where once de-contenting involved at least a screwdriver (or, if you were in a hurry, a hammer), now thousands of dollars of options can vanish with the click of a mouse somewhere. And that's exactly what happened to one Tesla owner, and, it seems many others.

Alec (I'll withhold his last name for privacy reasons) bought a 2017 Tesla Model S on December 20 of last year, from a third-party dealer who bought the car directly from Tesla via auction on November 15, 2019. The car was sold at auction as a result of a California Lemon Law buyback, as the car suffered from a well-known issue where the center-stack screen developed a noticeable yellow border.

<https://cleantechnica.com/2019/07/06/tesla-rolls-out-uv-light-fix-for-yellowing-screen-border/>

When the dealer bought the car at auction from Tesla on November 15, it was optioned with both Enhanced Autopilot and Tesla's confusingly-named Full Self Driving Capability together, these options totaled $8,000. You can see them right on the Monroney sticker for the car:…

<https://jalopnik.com/tesla-is-still-using-the-phrase-full-self-driving-to-de-1835012651>

https://jalopnik.com/tesla-remotely-removes-autopilot-features-from-customer-1841472617

Recent Car Thefts May Be Related To Carsharing App Getaround, Warns D.C. Attorney General (DCist)

“Vehicles listed on Getaround could be at increased risk of theft because keys are left inside of the car and the car's location is visible to anyone searching the platform,” according to a release from the OAG.

https://dcist.com/story/20/02/05/recent-car-thefts-may-be-related-to-carsharing-app-getaround-warns-d-c-attorney-general/

Ya think?

SSL Certificates are expiring… (Cryptography)

“Forget the Y2K bug, “things” are starting to break as SSL Certificates start expiring.”

Several authority certificates are expiring:

5/30/2020 6/21/2020 9/22/2020 12/31/2020

IoT—Internet of Expired Certificates.

Perfectly good HW, but with firmware that can't be updated.

I just hope that implantable medical devices can have their builtin certificates updated!

I wonder how many “smart” cars will stop running when their builtin SSL certificates expire?

Problems: bad hash functions (MDx,SHA1) are also causing certificate problems even though the RSA algorithm—even at 1024 bits—still seems to be holding.

Nasty Linux, macOS sudo bug found and fixed (ZDNet)

Sudo is a very popular, very simple Unix-system sysadmin application. It enables users to switch identities for the purpose of running a single command. Usually, but not always, it lets you run a command as the root, system administrator, user. Sudo's easy to abuse, but it's so darn useful, until it's not. A recently discovered sudo bug once more spells out why you should be wary of this command.

In this latest security hole, CVE-2019-18634, Apple Information Security researcher Joe Vennix discovered that if the “pwfeedback” option is enabled in your sudoers configuration file, any user, even one who can't run sudo or is listed in the sudoers file, can crack a system.

https://www.zdnet.com/article/nasty-linux-macos-sudo-bug-found-and-fixed/

Cisco Flaws Put Millions of Workplace Devices at Risk (WiReD)

To exploit the bugs, attackers would first need a foothold inside a target's network, but from there they could fan out quickly, compromising one vulnerable Cisco device after another to bore deeper into a system. And once attackers controlled a switch or router they could start to intercept unencrypted network data, like files and some communications, or access a company's active directory, which manages authentication for users and devices.

“It's still hop by hop. As a hacker, you still need an initial attack vector into the network,” says Ang Cui, founder of the IoT security firm Red Balloon, who has disclosed numerous Cisco bugs. “But once you're there, at each hop you have the same vulnerability present—all the switches, firewalls, and routers in a network could be affected by this. So you're going to have to own a lot of devices, but once you own all of them you've literally taken over every single piece of the network.”

https://www.wired.com/story/cisco-cdp-flaws-enterprise-hacking/

Data leakage from portable versions of Open Office and Libre Office

Note: this post is Windows-centric. I'm not sure if a similar problem occurs on other platforms.

Many people run the portable version of Office (Open or Libre) from a specific location (such as a thumb drive) in order to keep all data off of other locations (such as the C: drive). This might not be working as expected.

One of the first things one does in such a case is verify the locations of default files, temp files, etc. The temp files location is a few directories down from %temp% (or maybe %tmp%) and probably on C:. So one changes it to a directory on the same drive where Office resides. Unfortunately, that doesn't work. More unfortunately, Office doesn't tell you that it didn't work.

My first indication was that when I restarted the program, its temp directory had reverted to within %temp%. I thought that, even though it remembered other changes, it somehow wasn't remembering that one.

In fact, it's more sinister. Not only is it not remembering it, it's not using the updated location. When it starts, it immediately creates files in its temp directory, and it keeps using that same directory until Office is closed, regardless of what you type in as an override once the program is running. Really, it shouldn't let you type an override in for that directory, so you'd know it can't be overridden.

I use Open Office, but web searches suggest: that Libre Office has the same problem, that it has existed for a long time, and that it has not been fixed.

For myself, I created a .bat file to reset temp and tmp before starting Open Office, and that appears to fix the problem. My .bat file to run Office from drive E: is:

setlocal set tmp=e:\temp set temp=e:\temp start “Open Office on E” “e:\Program Files\OpenOffice\OpenOfficePortable.exe” endlocal

Facebook's Bug Bounty Caught a Data-Stealing Spree (WiReD)

A few months ago, the company disclosed that apps were siphoning data from up to 9.5 million of its users. It only found out thanks to a bug bounty submission.

https://www.wired.com/story/facebook-bug-bounty-app-data-stealing/

The ‘manosphere’ is getting more toxic as angry men join the incels (MIT Tech Review)

Men from the less extreme end of the misogynistic spectrum are drifting toward groups that espouse violence against women, a new study suggests.

https://www.technologyreview.com/s/615155/the-manosphere-is-getting-more-toxic-as-angry-men-join-the-incels/

Explainable AI

Geoff, Looking over your recent posts on IS & RISKS, I noticed this at the end (probably from MIT Tech Review):

Ehsan is part of a small but growing group of researchers trying to make AIs better at explaining themselves, to help us look inside the black box. The aim of so-called interpretable or explainable AI (XAI) is to help people understand what features in the data a neural network is actually learning — and thus whether the resulting model is accurate and unbiased. [=A6]

Once again, AI is reinvented!

But first, it would be nice if the Tech Review writer (Douglas Heaven) knew that interpretable and explainable are not the same thing.

Second, it would be nice if the writer looked at the extensive literature on explanation in AI systems; goes back to the great-grandparent of AI systems, MYCIN, and its explanation subsystem. [note: MYCIN's ‘certainty factors’ were soon supplanted at Stanford by Bayes networks]

Per Geoff Hinton, Deep learning NNs are approximations of (full) Bayesian classifiers. Explanation of Bayesian inference has long been seen to be in need of ‘explanation’ (or perhaps ‘convincing’ :-)) because human reason under uncertainty has often been found to deviate from Bayesian inference (which is provably optimal).

The earliest reference to explanation of Bayesian inference I've found is the following (and it should be obvious why I looked no further ;-)):

Elsaesser, Christopher (1987) Explanation of Probabilistic Inference for Decision Support Systems Proceedings of the Third Conference on Uncertainty in Artificial Intelligence (UAI-87), Morgan Kaufmann, San Francisco, CA.

That paper reported work I did for my PhD thesis at Carnegie Mellon. My techniques were substantially improved and extended by Merek Druzdzel. For example:

Henrion, M. and M. J. Druzdzel (1990). Qualitative and linguistic explanations of probabilistic reasoning in belief networks. Proceedings of the Sixth Conference on Uncertainty in Artificial Intelligence, pages 10-20 Cambridge, MA, Association for Uncertainty in AI.

NOT that re-invention is not worthwhile. Just that at least in this case its nothing new. :-)

Read the FBI's Damning Case Against the Recently Arrested Nintendo Hacker (Vice)

The hacker who stole from Nintendo for years bragged about it online, and didn't even try to hide his real name or activities.

https://www.vice.com/en_us/article/akwkk5/read-the-fbis-damning-case-against-the-recently-arrested-nintendo-hacker

Who owns your feelings? Short doc shows how big tech uses AI to track emotions (CBC)

https://www.cbc.ca/news/canada/montreal/stealing-ur-feelings-1.5362954

Watching Noah Levenson's short documentary Stealing Ur Feelings is undoubtedly intended to be an uncomfortable experience.

The short film, which premiered in Montreal as part of the International Documentary Festival this week, explains how big business has the capacity to use artificial intelligence programs and facial recognition software to track and monitor the emotions of its users.

But he does this by using the same technology against the viewers of the film. “It uses facial emotion recognition AI to watch you back. So it analyzes your face as you react to content it shows you,” explained Levenson.

“So, the film uses the camera in your device to make you the star of the film.”

Photo Roulette on the App Store

In Photo Roulette you compete with your friends to quickly guess whose photo is shown! Play with random photos from you (sic) and your friends' phones in this social and exciting Photo Roulette game! Feel the thrill before each picture and share the hilarious moments that occur with the pictures of your friends and family!

https://apps.apple.com/us/app/photo-roulette/id1050443738

Nevermind someone hacking your phone for pictures, play the game and see what's distributed.

The ‘race to 5G’ is a myth (WEForum)

EXCERPT:

Telecommunications providers relentlessly extol the power of fifth-generation (5G) wireless technology. Government officials and policy advocates fret that the winner of the “5G race” will dominate the Internet of the future, so America cannot afford to lose out. Pundits declare that 5G will revolutionize the digital world.

<https://www.weforum.org/agenda/2018/01/the-world-is-about-to-become-even-more-interconnected-here-s-how/> <https://www.cnn.com/2020/01/24/perspectives/america-china-5g-race/index.html> <https://www.weforum.org/agenda/2019/01/here-s-how-5g-will-revolutionize-the-digital-world/>

It all sounds very thrilling. Unfortunately, the hype has gone too far. 5G systems will, over time, replace today's 4G, just as next year's iPhone 12 will improve on this year's 11. 5G networks offer significantly greater transmission capacity. However, despite all the hype, they won't represent a radical break from the current mobile experience. First of all, the “race to 5G” is a myth. 5G is a marketing term for a family of technologies, which carriers can stretch to cover a variety of networks. The technical standards are still under development <https://www.brookings.edu/research/5g-in-five-not-so-easy-pieces/>, so what counts as “true” 5G is arguable. As with 4G, the 5G rollout will take years, as carriers upgrade their networks with new gear and users buy new phones. Just as they do today, connections will fall back to slower speeds when users aren't near enough to a tower, or if the network is overloaded. There's no magic moment when a carrier, or a nation, “has” 5G.

Even if there was a race, it's over: South Korea and China have already built <https://www.cnn.com/2019/11/01/tech/5g-china/index.html> much more extensive 5G networks than the United States. But that shouldn't be cause for panic. Customers in those countries may have a leg up on faster connections, but that doesn't necessarily create a sustainable strategic advantage. Romania is one of 10 countries with significantly faster <https://www.speedtest.net/global-index> average fixed broadband connections than America today, yet no one in Washington seems concerned that will give Romanian firms a dominant advantage. The major tech platforms delivering innovative digital services to the world are still based in the United States and China. There are important concerns <https://www.cnn.com/2019/12/05/tech/huawei-us-ban-lawsuit/index.html> about the Chinese networking firm Huawei creating backdoors for surveillance or tilting the carrier equipment market toward Chinese-defined standards. Your 5G user experience, however, won't depend on who makes the gear in the guts of the network. The overheated rhetoric is based on the misconception that 5G heralds a new era of services for end-users. In reality, the claimed performance—hundreds of megabits or even gigabits per second — is misleading. Averages and ideal numbers mask huge variations depending <https://www.cnn.com/2019/08/09/tech/5g-review/index.html> on distance to an antenna, obstructions, weather and other factors. The fastest speeds require “millimeter wave” spectrum, which doesn't penetrate walls or foliage well, and is generally less reliable than the lower frequencies used today. Millimeter wave requires a much denser network of antennas, which could be cost-prohibitive outside dense urban areas. Even if that hurdle is overcome, a gigabit per second to millions of phones requires a network able to move traffic at that speed end-to-end, which doesn't exist today. […]

https://www.cnn.com/2020/02/03/perspectives/5g-disruption/index.html

Not all fun and memes: What's the trouble with TikTok? (CBC)

https://www.cbc.ca/news/technology/tiktok-criticism-expansion-in-canada-1.5336375 It's been a bad week for TikTok.

The Chinese-owned video-sharing app, wildly popular with teens, was forced to issue a rare public statement about its data security practices and whether it censors content on behalf of Beijing.

In short, TikTok said it can be trusted with its users' data and that it doesn't delete videos just because of “sensitivities related to China.” But that's done little to quiet the app's increasingly vocal critics who worry the platform, with its short lip-sync and comedy videos, is the latest example of Beijing's overseas intelligence-gathering operation.

Toronto-based privacy advocate Ann Cavoukian told CBC News she is skeptical of TikTok's defence, because “surveillance among the Chinese is non-stop.”

The Night Sky Will Never Be the Same (The Atlantic)

If Elon Musk has his way, thousands of bright artificial lights will streak through the dark

EXCERPT:

Last year, Krzysztof Stanek got a letter from one of his neighbors. The neighbor wanted to build a shed two feet taller than local regulations allowed, and the city required him to notify nearby residents. Neighbors, the notice said, could object to the construction. No one did, and the shed went up.

Stanek, an astronomer at Ohio State University, told me this story not because he thinks other people will care about the specific construction codes of Columbus, Ohio, but rather because it reminds him of the network of satellites SpaceX is building in the space around Earth. “Somebody puts up a shed that might obstruct my view by a foot, I can protest. But somebody can launch thousands of satellites in the sky and there's nothing I can do? As a citizen of Earth, I was like,Wait a minute.”

Since last spring, SpaceX has launched into orbit dozens of small satellites—the beginnings of Starlink, a floating scaffold that the company's founder, Elon Musk, hopes will someday provide high-speed Internet to every part of the world. <https://www.theatlantic.com/science/archive/2019/05/spacex-satellites-starlink/590269/>

SpaceX sent a letter too, in a way. After filing for permission to build its constellation in space, federal regulators held the required comment period, open to the public, before the first satellites could launch.

These satellites have turned out to be far more reflective than anyone, even SpaceX engineers, expected. Before Starlink, there were about 200 objects in orbit around Earth that could be seen with the unaided eye. In less than a year, SpaceX has added another 240. “These are brighter than probably 99 percent of existing objects in Earth orbit right now,” says Pat Seitzer, a professor emeritus at the University of Michigan who studies orbital debris. For months, astronomers have shared images online of their telescopes' fields of view with diagonal white streaks cutting across the darkness, the distinct appearance of Starlink satellites. More satellites are now on the way, both from SpaceX and other companies. If, as Musk hopes, these satellites number in the tens of thousands, ignoring them will be difficult, whether you're an astronomer or not.

In some ways, these satellites pose a familiar problem, a matter of managing the competing interests that scientists, commercial companies, and the public might have in a limited natural resource. But the use of outer space — particularly the part in close vicinity to our planet—has never been tested quite like this before. For most of history, scientists, particularly those who observe the cosmos on visible wavelengths, have had relatively little competition for access to the sky. Passing satellites were considered nuisances and sometimes wrecked data, but they were rare. Some astronomers are now calling for legal action but even those who wouldn't push that far describe Starlink's satellites as a wake-up call: What happens when new and powerful neighbors have a distinct—and potentially disruptive—plan for a place you value?… <https://room.eu.com/news/legal-action-could-be-used-to-stop-starlink-ruining-the-night-say-astronomers>,

[…] https://www.theatlantic.com/science/archive/2020/02/spacex-starlink-astronomy/606169/

Boeing's Starliner space capsule suffered a second software glitch during December test flight (WashPost)

Boeing's Starliner space capsule suffered a second software glitch during December test flight

https://www.washingtonpost.com/technology/2020/02/06/boeings-starliner-space-capsule-suffered-second-software-glitch-during-december-test-flight/

Boeing Refuses to Cooperate With New Inquiry into Deadly Crash (NYTimes)

https://www.nytimes.com/2020/02/06/business/boeing-737-inquiry.html

In both the Max accidents and the 2009 crash, which involved a 737 NG, Boeing's design decisions allowed a single malfunctioning sensor to trigger a powerful computer command, even though the plane was equipped with two sensors. For both models, the company had determined that if a sensor failed, pilots would recognize the problem and recover the plane. But Boeing did not provide pilots with key information that could have helped them counteract the automation error.

After the 2009 crash, regulators required airlines to install a software update for the NG that allowed comparison of data from the two available sensors ” much the same fix that Boeing has now proposed for the Max. In the case of the NG, Boeing had developed a software update before the 2009 accident, but it wasn't compatible with all existing models, including the jet that crashed near Amsterdam.

NASA Shares Initial Findings from Boeing Starliner Orbital Flight Test Investigation (NASA)

https://blogs.nasa.gov/commercialcrew/2020/02/07/nasa-shares-initial-findings-from-boeing-starliner-orbital-flight-test-investigation/

Re: Boeing 737s can't land facing west (RISKS-31.54)

I think this data item, along with the very limited number of identified problematic runways provide a strong clue:

The flight software splits the circle into quadrants, then for at least one quadrant boundary the logic to determine which one is broken, i.e. something like

if (angle < 270.0) quadrant = 3; else if (angle > 270.0) quadrant = 4;

For these particular runways, the planners had enough freedom to be allowed to place each runway exactly where they wanted and decided to draw a perfectly straight line <E-W> using RTK GPS surveying so that the actual direction is 270 degrees exactly, while on all the other “Runway 27”s (approx) in the world which have been certified for 737 landings, there is a small but sufficient angular offset.

I would have expected such an error to also happen in the opposite direction though, that's why I'm guessing at individual code for each boundary.

Re: 99 smartphones … (RISKS-31.56)

This involved 99 real smart phones running the Google maps app. Can the same effect be achieved by simulating the phones on fewer- or one- physical device(s)? How easy is it then to tell Google Maps you are somewhere you actually aren't?

The hack looks like it could be used to flock self-driving cars away from some route or alternatively, funnel them into some sort of trap. Self-driving cars likely being rather posh cars might be desirable for car jacking, say.

The service that allows the authorities to get all green lights driving across the city for the movement of sensitive freight, high profile people or prisoners - I would presume their route is fixed and not subject to traffic? Gerry Adams came to Melbourne. They organised 5 routes from the airport to a certain Irish pub. At the last minute they picked one of them. Can I use the above hack to route Gerry where I want him?

Re: 99 smartphones ,,, (RISKS-31.56)

I smell a small business opportunity here.

Got too much traffic on your street? Waze leading others to contribute to your traffic headaches?

Hire me! I have the wagon, can get the old phones and, for the right price, will walk your streets at rush hour! Guaranteed to reduce traffic by 10, 20, or even 30 percent!

Now I just have to subcontract this, but being in California with recent independent contractor classification troubles, let's just call the whole thing off.

Another one of my grand schemes shot down.

Re: Artificial intelligence-created medicine to be used on humans for first time (RISKS-31.56)

AI assisted with a small part of drug discovery, not quite the breakthrough suggested by the press.

https://blogs.sciencemag.org/pipeline/archives/2020/01/31/another-ai-generated-drug

Re: AI-created medicine to be used on humans (Stein, R 31.56)

Perhaps they should run the first tests on another AI.

“Typically, drug development takes about five years to get to trial”; here “trial” means the first class action suit.

Remember the principle: “An AI for an AI”.

[Richard Stein replied:

Henry—A good aphorism. Nothing like algorithmic retribution — recursive payback. I favor “Dog Fooding” in this case. Would the pharmaceutical company's investors or employees subject their children to the clinical trial if they qualified as candidates? RS]

Re: Election Security At The Chip Level (SemiEngineering, RISKS-31.56)

Where I live, they have the info you provided when you registered which includes your signature and usually height and eye color which the election officials check. (I used to be one.) The officials are mostly retired local folks, and often know who you are anyway. Very low tech but pretty effective.

Despite endless disinformation to the contrary, in-person voter fraud is not a problem and never has been. If you think about it for two minutes, it's about the worst possible way to steal an election, one vote at a time with each vote subject to challenge. Sensible people steal an election by bribing the officials so when the polls close they stuff the box full of enough ballots to ensure that the correct candidate wins.

For an excellent discussion of this technique, read Robert Caro's “Means of Ascent” which is mostly about how Lyndon Johnson won the 1948 primary that put him in the Senate. It includes a long interview with the guy who had the ballot box.

Re: Should Automakers Be Responsible for Accidents? (Levine, RISKS-31.56)

And parking tickets imposing automaker liability:

Sorry sir, we've remotely disabled your car, now that it's legally parked in your garage. Please complete the attached agreement committing to better behavior, so that we may restore your driving privileges at the end of next month.

On 2/4/2020 5:07 PM, John Levine wrote:

> In article <16.CMM.0.90.4.1580237212.risko@chiron.csl.sri.com7592> you write: >> What a strange scheme: >> >> Automaker enterprise liability would have useful incentives that driver >> liability law misses. >> https://www.cato.org/sites/cato.org/files/serials/files/regulation/2019/3/regulation-v42n1-1.pdf > I can hardly wait: > > “Sorry, sir, you've had three moving violations so we'll have to ask > you to leave the showroom now.”

Please report problems with the web pages to the maintainer