The RISKS Digest
Volume 31 Issue 83

Saturday, 16th May 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Massachusetts uses same license plate numbers for diff vehicle types
WHDH
Feds Suspect Vast Fraud Network Is Targeting U.S. Unemployment Systems
NYTimes
Australia's largest steel producer shut down by ransomware attack
ABC AU
China is capable of shutting down Europe's 5G network regardless of whether Huawei equipment is included in it
UI.SE
Meaningless “review” of Imperial COVID codebase
Wordpress
Virginia Will No Longer Include Antibody Tests In Overall Test Data
DCist
Stimulus check delays when accounts were overdrawn!
Propublica
App Shows Promise in Tracking New Coronavirus Cases, Study Finds
NYTimes
From asymptomatic to lethal:- Coronavirus discrepancies puzzle scientists
WashTimes
Apple and Google clash with health officials over virus-tracking apps
WashPost
The Prophecies of Q
The Atlantic
DHS to advise telecom firms on preventing 5G cell tower attacks linked to coronavirus conspiracy theories
WashPost
Poll—US believers see message of change from God in virus
AP
Re: COVID SW model is a steaming pile …
Erling Kristiansen
Re: Coronavirus New York Shock: Two-Thirds Of Recent Patients Infected While Staying At Home
Jay Elinsky
Re: Risks in signature verification for mail-in ballots
Paul Burke
Info on RISKS (comp.risks)

Massachusetts uses same license plate numbers for diff vehicle types (WHDH)

danny burstein <dannyb@panix.com>
Wed, 13 May 2020 23:44:43 -0400 (EDT)

Massachusetts issues the same license plate number for different vehicles. So as the news article ref'ed below states, “there could be Mass passenger 1234, but also commercial 1234, Cape and Island 1234, Red Sox, Purple Heart, and more.”

The EZ Pass readers/back systems in Mass perform some sort of Arthur C. Clarke Magic [*] to determine which vehicle should get charged, but when the license plate is scanned in other states, well…

A local couple was home, sheltering in place during the pandemic. So why was their car being charged for tolls in another state? Hank's investigation gets answers and action.

Cynthia's red four-door sits in her Concord driveway. Exactly where it's been for weeks. […] So when Cynthia got her April EZ Pass bill she was baffled. It said her car went through tolls in New York, a COVID hot spot. […]

[It turned out that one of the local ambulances, with the same basic plate number, was part of the FEMA mutual aid response in NYC, which went through lots and lots of bridge and tunnel tollgates every day. Lots and lots of bills.]

https://whdh.com/news/hank-investigates-incorrectly-charged-for-ezpass-tolls/

* Per the late science/science fiction author Arthur C. Clarke, “Any sufficiently advanced technology is indistinguishable from magic.”

Feds Suspect Vast Fraud Network Is Targeting U.S. Unemployment Systems (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 16 May 2020 14:59:56 -0400

Investigators detected a sophisticated international attack they said could siphon hundreds of millions of dollars that were intended for the unemployed.

https://www.nytimes.com/2020/05/16/us/coronavirus-unemployment-fraud-secret-service-washington.html


Australia's largest steel producer shut down by ransomware attack (ABC AU)

John Colville <John.Colville@uts.edu.au>
Fri, 15 May 2020 09:17:33 +0000

https://www.abc.net.au/news/2020-05-15/bluescope-steel-cyber-attack-shut-down-kembla-ransomware/12251316


China is capable of shutting down Europe's 5G network regardless of whether Huawei equipment is included in it (UI.SE)

geoff goodfellow <geoff@iconia.com>
Fri, 15 May 2020 09:16:07 -1000

Chinese cyber-espionage presents a huge challenge but almost all spying is carried out by means of applications and phishing, rather than through infrastructure…

https://www.ui.se/globalassets/butiken/ui-paper/2020/ui-paper-no.-5-2020.pdf


Meaningless “review” of Imperial COVID codebase (Wordpress)

William Brodie-Tyrrell <william.brodie.tyrrell@gmail.com>
Thu, 14 May 2020 21:25:30 +0930

As is usually the case, a risk arises from people overestimating the applicability of their expertise. Specifically, commercial software developers “reviewing” a COVID simulation numerical model without understanding its requirements or how scientific software is applied. https://philbull.wordpress.com/2020/05/10/why-you-can-ignore-reviews-of-scientific-code-by-commercial-software-developers/amp/

The risk is that public trust in what was probably an excellent analysis (I'm not an epidemiologist so I couldn't possibly say - and neither can they) will be undermined by tech-bro egos.


Virginia Will No Longer Include Antibody Tests In Overall Test Data (DCist)

Gabe Goldberg <gabe@gabegold.com>
Thu, 14 May 2020 18:54:11 -0400

This week, as Virginia has faced continuing criticism for its lag in widespread coronavirus testing even as it gears up to reopen large swaths of the state, government officials are grappling with yet another backlash.

Media reports, including a story in the Richmond Times-Dispatch and a scathing article in The Atlantic, highlighted that the state was including antibody testing in its overall coronavirus testing numbers, artificially boosting those numbers and driving down the percentage of positive cases.

Governor Northam has repeatedly cited increased testing capacity as the main reason that most of Virginia will begin to re-open starting this Friday.

On Thursday, the Virginia Department of Health announced they would no longer include the results of antibody tests in their overall data, though officials stressed that its inclusion did not significantly alter the trends that aided the governor in making the decision to reopen. About 15,000 antibody tests had been included, making up about nine percent of the overall testing number.

The commonwealth says the inclusion of this antibody testing data wasn't done on purpose—it was the fault of an automatic computer programming system.

https://dcist.com/story/20/05/14/virginia-will-no-longer-include-antibody-tests-in-overall-test-data/

Same as HAL 9000, Colossus the Forbin Project, etc. No human's fault…


Stimulus check delays when accounts were overdrawn! (Propublica)

Lindsay Marshall <Lindsay.Marshall@newcastle.ac.uk>
Mon, 27 Apr 2020 17:24:46 +0000

Plenty in this article for RISKS lovers to chew on.

https://www.propublica.org/article/millions-of-people-face-stimulus-check-delays-for-a-strange-reason-they-are-poor


App Shows Promise in Tracking New Coronavirus Cases, Study Finds (NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 15 May 2020 13:28:58 -0400

The app, which allows people to record their symptoms, was remarkably effective in predicting infections. The most reliable indicators, researchers found, were loss of smell and taste.

https://www.nytimes.com/2020/05/11/health/coronavirus-symptoms-app.html


From asymptomatic to lethal:- Coronavirus discrepancies puzzle scientists (WashTimes)

the keyboard of geoff goodfellow <geoff@iconia.com>
Fri, 15 May 2020 09:17:27 -1000

COVID-19 lack of symptoms compared to Zika outbreaks

EXCERPT:

The share of people who are infected with the coronavirus but never get sick varies widely from place to place, from less than 20% of cruise ship passengers in Japan to a whopping 95% of inmates at an Ohio prison, underscoring the challenge in weeding out infections and isolating the virus as parts of the world reopen.

During the mosquito-borne Zika outbreak in 2015 and 2016, scientists were confident that 75% of those infected would not develop symptoms.

But scientists are having a hard time pinpointing a global average for COVID-19, the disease caused by the new coronavirus, and are finding different rates in different places.

A study in Iceland found that half of those who tested positive for the coronavirus infection showed no signs of illness. Nearly 1 in 5, or 17.9%, of infected passengers on the Diamond Princess cruise ship off Japan were asymptomatic, according to a March study.

The Center for Evidence-Based Medicine at Oxford University said 50% to 70% of people in an Italian village west of Venice were asymptomatic, compared with 31% of Japanese nationals evacuated from Wuhan, China, where the outbreak began in December. […]

https://www.washingtontimes.com/news/2020/may/14/coronavirus-asymptomatic-discrepancies-compared-zi/


Apple and Google clash with health officials over virus-tracking apps (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Fri, 15 May 2020 16:13:22 -0400

The tech giants have refused officials' pleas to allow the collection of location data and to help contact-tracing teams learn where new infections have spread.

https://www.washingtonpost.com/technology/2020/05/15/app-apple-google-virus/


The Prophecies of Q (The Atlantic)

Monty Solomon <monty@roscom.com>
Thu, 14 May 2020 19:59:36 -0400

American conspiracy theories are entering a dangerous new phase.

https://www.theatlantic.com/magazine/archive/2020/06/qanon-nothing-can-stop-what-is-coming/610567/


DHS to advise telecom firms on preventing 5G cell tower attacks linked to coronavirus conspiracy theories (WashPost)

Monty Solomon <monty@roscom.com>
Wed, 13 May 2020 23:11:27 -0400

Disinformation has spurred sporadic attacks against cell towers in the United States.

https://www.washingtonpost.com/national-security/dhs-to-advise-telecom-firms-on-preventing-5g-cell-tower-attacks-linked-to-coronavirus-conspiracy-theories/2020/05/13/6aa9eaa6-951f-11ea-82b4-c8db161ff6e5_story.html


Poll—US believers see message of change from God in virus (AP)

the keyboard of geoff goodfellow <geoff@iconia.com>
Fri, 15 May 2020 09:19:26 -1000

EXCERPT:

The coronavirus has prompted almost two-thirds of American believers of all faiths to feel that God is telling humanity to change how it lives, a new poll finds.

While the virus rattles the globe, causing economic hardship for millions and killing more than 80,000 Americans, the findings of the poll by the University of Chicago Divinity School and The Associated Press-NORC Center for Public Affairs Research indicate that people may also be searching for deeper meaning in the devastating outbreak.

Even some who don't affiliate with organized religion, such as Lance Dejesus of Dallastown, Pa., saw a possible bigger message in the virus. […]

https://apnews.com/0bed79d024a56d2ac0b93bc51df80e9b


Re: COVID SW model is a steaming pile … (Wol, RISKS-31.82)

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Thu, 14 May 2020 18:57:29 +0200

Wol missed the point of Baker's article: That running a computer program twice with the same inputs (including PRNG seed, if relevant) should produce identical (not just similar) outputs. If not, something is VERY wrong, and output is essentially useless. You just don't know what you are doing.

Reproducibility in science is something different: Repeating an experiment or observation, or doing a different experiment to determine the same parameters, gives you confidence in the results if they give similar (but not strictly identical) results.

In astronomy, you do observe the same objects using different telescopes, different methods, etc. So also here, finding similar results helps you gain confidence in the results.


Re: Coronavirus New York Shock: Two-Thirds Of Recent Patients Infected While Staying At Home (RISKS-31.82)

Jay Elinsky <jay.m.elinsky@gmail.com>
Fri, 15 May 2020 13:54:43 -0400

I can think of a few reasons why a whole-building air handler in multiple dwelling buildings, posited by Geoff Goodfellow, would be impractical besides its potential to distribute pathogens:

  1. In case of fire, smoke and toxic fumes could be distributed throughout the building;
  2. Cooking odors could be distributed throughout the building;
  3. Impractically large ductwork would be required to carry large quantities of heat over long distances in the building via moving air.

I've lived in two high rise residential buildings with central air conditioning. In neither building is air from throughout the building mixed in a central chamber. In one building, chilled water is distributed to fan coil units located in each room. A fan, controlled by a thermostat in the room, blows room air over the chilled coils. In the other building, central A/C is provided by heat pumps in each unit, almost in the usual way, except that the heat pump transfers room heat to water that circulates throughout the building, rather than to a refrigerant circuit. The circulating water passes through a rooftop cooling tower which transfers the heat to the outdoors.


Risks in signature verification for mail-in ballots

Paul Burke <box1320@gmail.com>
Thu, 14 May 2020 13:05:49 -0700

RISKS Digest 31.82 reported a story that “All California voters will receive mail-in ballots for November.”

Far more than “all voters” will receive mail-in ballots. California will mail to inactive addresses too: “over 458,000 likely dead or relocated persons will be mailed ballots… Almost 178,000 have never voted… Mass ‘seeding’ of unclaimed ballots, coupled with ballot ‘harvesting’ by unscrupulous operatives, is a significant risk to the integrity of the November election.” https://www.prnewswire.com/news-releases/hundreds-of-thousands-of-ineligible-persons-could-be-mailed-ballots-if-california-goes-all-mail-in-november-election-301055445.html

Accepting mailed ballots depends purely on comparing one signature on the outside of the envelope to one or more signatures on file. Comparisons are often automated. Successful computer matches are not always reviewed, and false match rates are unknown. “[A]lgorithms that look for a certain number of points of similarity between the compared signatures… different brands of machines are used… ES&S, Olympus, Vantage, Pitney Bowes, Runbeck, and Bell & Howell… a wide range of algorithms and standards, each particular to that machine's manufacturer, are used to verify signatures. In addition, counties have discretion in managing the settings and implementing manufacturers' guidelines… there are no statewide standards for automatic signature verification… most counties do not have a publicly available, written explanation of the signature verification criteria and processes they use” https://www-cdn.law.stanford.edu/wp-content/uploads/2020/04/FINAL-Signature-Verification-Report-4-15-20.pdf

For manual signature reviews, that same Stanford study says, “Most counties review ballot signatures with a basic presumption in favor of counting each ballot… [Some] declare that just three or even one matching characteristic between the ballot signature and the comparison signature will be sufficient to find a match… many county officials expressed that evaluating ballot signatures is made substantially harder by the decline of cursive education and by the use of electronic signature pads during DMV registration, which often produce blurry signatures or flatten otherwise distinctive elements of a signature. Both issues disproportionately affect younger voters, who are more likely to have registered on an electronic signature pad and are less likely to have learned cursive in school. The registrar of one Bay Area county explained that she 'cannot compare a printed name to a signature,' and that people printing rather than signing their names on their ballots is ‘becoming more prevalent over time.’ ” Stanford says that signatures also vary more from people who rarely use Roman characters, such as some Asian-Americans.

“election officials with little or no training in verifying a person's signature are tasked with doing just that… it's unlikely that only one or two samples will show the spectrum of a person's normal variations… Even major treatises on handwriting analysis concede that it is extremely difficult for anyone to be able to figure out if a signature or other very limited writing sample has been forged…” https://www.propublica.org/article/handwriting-disputes-cause-headaches-for-some-absentee-voters

California requires less than a week's notice to voters to cure discrepancies. Many states allow less time than that. (And Stanford says they often still require a new signature to match a signature on file.) https://www.ncsl.org/research/elections-and-campaigns/verification-of-absentee-ballots.aspx

I fully support all-mail voting this year. We need to measure and minimize false-positive and false-negative signature verification. What levels will be acceptable? There's scope to suppress young voters and Asian-American voters.
