The RISKS Digest
Volume 32 Issue 23

Tuesday, 25th August 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Grading by algorithm results in UK debacle
Adam Satariano
Surge staff and electronic records
Health in AU
Commissioner of FDA admits he provided false information about COVID-19 treatment
MedicalXpress
Profs and loss - China is killing academic freedom in Hong Kong China
The Economist
A Chrome feature is creating enormous load on global root DNS servers
Ars Technica
Mike Godwin, the Creator of Godwin's Law, Is Suing Trump Over His TikTok Executive Order
Reason.com
COVID-19 When Less is More
The Atlantic
Re: Fiddling with the environment
A Michael W Bacon
Re: Driverless cars are coming soon followup
Peter Houppermans
Re: Date and time synchronization
Terje Mathisen
Re: Washington Postal workers defy USPS orders and re-install mail, sorting machines
Jack Christensen
Re: Dicekeys
Arthur T.
Re: Why Does California Have So Many Wildfires?
Henry Baker
Info on RISKS (comp.risks)

Grading by algorithm results in UK debacle (Adam Satariano)

“Peter G. Neumann” <neumann@csl.sri.com>
Tue, 25 Aug 2020 15:55:05 PDT

Adam Satariano, The New York Times, National Edition, 21 Aug 2020 (60% of Page A10, PGN-ed)

Automation pitfalls hit poor hardest. Scores are thrown out, but damage is already done.

The British government used a computer-generated score to replace exams that were canceled due to Covid-19. This resulted in nearly 40% of students in England having their earned A-level exam grades lowered. By the time the policy was changed, many students had lost their accepted university slots. The new score “included in its calculations a school's past performance on tests and a student's earlier results on ‘mock’ exams.”

“Critics say the experience shows the risks ahead as more sophisticated tools like artificial intelligence become available and companies pitch them to public agencies.”


Surge staff and electronic records (Health in AU)

James Cameron <quozl@laptop.org>
Tue, 25 Aug 2020 11:40:20 +1000

At an aged care facility in Sydney, pandemic surge staff did not know how to use the electronic resident-record system, which led to diminished care both inside the facility and by local doctors outside the facility.

https://www.health.gov.au/sites/default/files/documents/2020/08/newmarch-house-covid-19-outbreak-independent-review-newmarch-house-covid-19-outbreak-independent-review-final-report.pdf (page 21)


Commissioner of FDA admits he provided false information about COVID-19 treatment (MedicalXpress)

Lauren Weinstein <lauren@vortex.com>
Tue, 25 Aug 2020 09:59:02 -0700

https://medicalxpress.com/news/2020-08-health-touting-false-plasma.html


Profs and loss - China is killing academic freedom in Hong Kong China (The Economist)

<farber@gmail.com>
Tue, 25 Aug 2020 08:29:42 +0900

https://www.economist.com/china/2020/08/23/china-is-killing-academic-freedom-in-hong-kong


A Chrome feature is creating enormous load on global root DNS servers (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 25 Aug 2020 12:33:43 -0400

A Chrome feature is creating enormous load on global root DNS servers https://arstechnica.com/gadgets/2020/08/a-chrome-feature-is-creating-enormous-load-on-global-root-dns-servers/

Chromium's impact on root DNS traffic https://blog.apnic.net/2020/08/21/chromiums-impact-on-root-dns-traffic/


Mike Godwin, the Creator of Godwin's Law, Is Suing Trump Over His TikTok Executive Order (Reason.com)

Gabe Goldberg <gabe@gabegold.com>
Tue, 25 Aug 2020 16:38:44 -0400

Godwin: “I know what moral panics look like; they look kind of like this.”

https://reason.com/2020/08/24/mike-godwin-the-creator-of-godwins-law-is-suing-trump-over-his-tiktok-executive-order/


COVID-19 When Less is More (The Atlantic)

Sheldon <sheldon10101@gmail.com>
Mon, 24 Aug 2020 22:28:23 -0400

https://www.theatlantic.com/health/archive/2020/08/how-to-test-every-american-for-covid-19-every-day/615217/

The Plan That Could Give Us Our Lives Back

The U.S. has never had enough coronavirus tests. Now a group of epidemiologists, economists, and dreamers is plotting a new strategy to defeat the virus, even before a vaccine is found.

… In the past several weeks, he [Michael Mina, a professor of epidemiology at Harvard], has become an evangelist for a total revolution in how the U.S. controls the pandemic. Instead of restructuring daily life around the American way of testing, he argues, the country should build testing into the American way of life.

The wand that will accomplish this feat is a thin paper strip, no longer than a finger. It is a coronavirus test. Mina says that the U.S. should mass-produce these inexpensive and relatively insensitive tests—unlike other methods, they require only a saliva sample—in quantities of tens of millions a day. These tests, which can deliver a result in 15 minutes or less, should then become a ubiquitous part of daily life. Before anyone enters a school or an office, a movie theater or a Walmart, they must take one of these tests. Test negative, and you may enter the public space. Test positive, and you are sent home. In other words: Mina wants to test nearly everyone, nearly every day.

The tests Mina describes already exist: They are sitting in the office of e25 Bio, a small start-up in Cambridge, Massachusetts; half a dozen other companies are working on similar products. But implementing his vision will require changing how we think about tests. These new tests are much less sensitive than the ones we run today, which means that regulations must be relaxed before they can be sold or used. Their closest analogue is rapid dengue-virus tests, used in India, which are manufactured in a quantity of 100 million a year. Mina envisions nearly as many rapid COVID-19 tests being manufactured a day. Only the federal government, acting as customer and controller, can accomplish such a feat. […]

[Companies in India have developed a fancier version of a standalone COVID-19 test which is being sold for 450 rupees ($6). This test uses the swab up the nose until you sneeze and has a nice cassette and is harder to use than the test from e25 bio. About half the tests in India use these $6 antigen tests. Sadly, there's a fair amount of push back on using these tests rather than PCR.] There is no way that school kids will tolerate a daily swab up your nose until you scream.

To begin to learn more start at rapidtests.org.


Re: Fiddling with the environment (Stein, RISKS-32.22)

A Michael W Bacon <amichaelwbacon@gmail.com>
Tue, 25 Aug 2020 08:37:35 +0100

In RISKS-32.22, Richard Stein wonders what will become of Florida's release of a genetically engineered mosquito intended to combat Dengue Fever.

It's likely that the law of unintended consequences will have effect, and that with the clarity of hindsight many will say the effect was totally predictable.


Re: Driverless cars are coming soon followup (RISKS-32.22)

Peter Houppermans <peter@houppermans.net>
Tue, 25 Aug 2020 11:49:42 +0200

There's more where that came from..

> Competition between car makers to see who can provide us the most
> distraction moves the industry in exactly the wrong direction!

In their apparent desire to attach more bells and whistles to what used to be eminently sane concepts, there is also this trend to make indicators more fancy (at least in Europe where they're separate from brake lights) by implementing them as an animated strip of LEDs that grows by lighting more and more of them.

The problem: this delays signal awareness.

A car's brake and turn signals are there to inform other road users that something is about to happen that may represent a risk. It is not even possible to brake without brake lights flaring, but turn indicators are manual, and apparently still considered optional by whole tribes of road users.

In the past, LED brake lights were even sold as options on the premise that it gave drivers more time to react as they light quicker. However, these swelling indicator lights do the exact opposite: they delay the moment by which the signal imparts a warning to other road users' situational awareness. I deem them a triumph of fashion over safety fundamentals.


Re: Date and time synchronization (Robinson, RISKS-32.22)

Terje Mathisen <terje.mathisen@tmsw.no>
Tue, 25 Aug 2020 13:11:04 +0200

You are going to get a lot of responses to this one, the idea is sound but the implemented logic is completely broken. :-(

> Here is the procedure:
> 1. Get time.
> 2. Get date.
> 3. If the hour is not 11 (for systems that preformat time to AM/PM) or is
>     not 23, exit procedure, date and time are synchronized and nothing more
>     needs to be done.

Since we read time first, then date, the date might have ticked over and now we have 2020-08-25T00:00:00 while the time read happened at 2020-08-24T23:59:59. Combining them results in 2020-08-24T00:00:00 which is of course wrong.

The easiest fix for all such “read two counters as one atomic operation“ is to start by reading the slow one, then the fast one and then the slow one again, i.e. the date here. If the two dates are equal then we are done, otherwise read the time again and return that value together with the second date.

You can of course read both counters every time and then return the second pair only if the dates are different, this has the small but sometimes useful benefit of being constant time as long as the return first pair vs second pair is handled with conditional moves or other branchless code.

> 4. Get the time again
> 5. Get the date again.

If we always read both variables twice, then we can even use the suggested order by returning the first pair unless the second time is less than the first, i.e. it wrapped around, and then we return the second pair.


   hms1 = gettime();
   ymd1 = getdate();
   hms2 = gettime();
   ymd2 = getdate();

   hms = (hms2 < hms1)? hms2 : hms1;
   ymd = (hms2 < hms1)? ymd2 : ymd1;

Re: Washington Postal workers defy USPS orders and re-install mail, sorting machines (RISKS-32.22)

Jack Christensen <christensen.jack.a@gmail.com>
Mon, 24 Aug 2020 19:29:57 -0400

It would be interesting to know exactly what the “risks to the public in computers and related systems” are perceived to be in this item. One cannot help but wonder whether the item was submitted to Risks with some political motivation. Our expectation should be that submissions to Risks be held to a higher standard. Cheap political demagoguery is available anywhere.

I propose the following test for RISKS submissions. If “risks to the public in computers and related systems” can be said to exist, then we should be able to imagine one or more solutions, that when applied to said computers or related systems, could possibly address the issue.

In the linked article, there seems to be no hint of this sort of technological issue. Certainly mail sorting machines must be computerized, but these days most everything is, so that in itself is too low a standard to be useful.


Re: Dicekeys (RISKS-32.22)

“Arthur T.” <Risks202008.6.atsjbt@xoxy.net>
Tue, 25 Aug 2020 11:42:49 -0400

There is much to like about the Dicekeys concept, but there's also much to criticize. (Note: I am neither a mathematician nor a security professional.)

For me, any inaccuracy makes everything else questionable. My calculations show 2^194 rather than 2^196 possibilities. Each die has 6 sides and 4 orientations of the top for 24 possibilities. So there are 24^25 outcomes of rolling all of them. Order counts, so multiply by 25 factorial. Log base 2 of that number is just over 193.66. I'm not sure where he's getting the extra bits of randomness reported.

For non-techies, physical randomization may seem more secure than computer-generated. But if the dice are not extremely well made, they'll be a bit less random than theory suggests. Techies will easily find cryptographically secure random number generators, and 59 digits yields about 2^196 bits (as does a 32-character string made up of upper case, lower case, numbers, and 8 symbols).

If you want a very long-term master password, you want to be able to back up its generator. You can do that by taking a picture of the dice box, but then you're no more (or less) secure than you were with non-physical keys. If you generate a long number or symbol key, you can print a more standard bar code that doesn't require trusting someone else's special programming. And then a secure hash hides your original number. I expect that readers for general-use bar codes will be around for a long time, whereas I'd worry about the longevity of the special-use scanner developed for Dicekeys.

So I admire the concept and the work and thought that went into making it a real product. But I won't be a customer, and I wouldn't recommend it to anyone I know. In addition to the above considerations, computer-generated random numbers are free.


Re: Why Does California Have So Many Wildfires? (NYTimes)

Henry Baker <hbaker1@pipeline.com>
Tue, 25 Aug 2020 07:54:29 -0700

This NYTimes article hasn't a clue. The short answer is: fire SUPPRESSION and too few controlled burns.

As a resident of Southern California for ~40 years and having lived in the vicinity of at least 40 wildfires, I've studied this issue a bit.

The white colonists who destroyed the indigenous native American way of life were ‘know-it-alls’ who never comprehended the clever and quite efficient fire management strategies of these ‘primitive’ people, and the folly of our ‘expert’ mismanagement of the ecosystem in the past 300 years has sown the seeds of our wildfire problems today.

Here in Southern California, you only get the following (egrep) choices for annual behavior for essentially all un-cultivated land:

  1. (rain/growth/){1,3}burn
  2. (rain/growth/){4,75}wildfire
  3. (rain/growth/){76,}apocalyptic firestorm

Notice that burn|wildfire|firestorm is a necessary consequent to ‘rain/growth’.

Of course, you can always eliminate ‘rain’, hence eliminating ‘growth’ and ‘fire’, but then you get an Atacama-like desert.

So if we intend to continue living here in Southern California, I vote for option #1.

https://www.theguardian.com/us-news/2019/nov/21/wildfire-prescribed-burns-california-native-americans

“For more than 13,000 years, the Yurek, Karuk, Hupa, Miwok, Chumash and hundreds of other tribes across California and the world used small intentional burns to renew local food, medicinal and cultural resources, create habitat for animals, and reduce the risk of larger, more dangerous wild fires.”

“The Spanish were the first California colonizers to prevent the indigenous people from burning the land. In 1850, the US government passed the Act for Government and Protection of Indians, which outlawed intentional burning in California even before it was a state.”

“Early National Forest Service officials considered ‘the Indian way’ of ‘light-burning’ to be a primitive, ‘essentially destructive theory’.”

“For native people, the land is a renewing resource, and they feel a responsibility to keep it healthy. Light, frequent burning of the forest understory maintains oak tree health … Fire clears and maintains prairie landscapes as habitat for elk and deer, and visibility through the dense woods for hunting them.”

https://en.wikipedia.org/wiki/Native_American_use_of_fire_in_ecosystems

“When first encountered by Europeans, many ecosystems were the result of repeated fires every one to three years, resulting in the replacement of forests with grassland or savanna, or opening up the forest by removing undergrowth.”

“By the time that European explorers first arrived in North America, millions of acres of ‘natural’ landscapes were already manipulated and maintained for human use. Fires indicated the presence of humans to many European explorers and settlers arriving on ship.

“By the 17th century, native populations were on the verge of collapse due to the introduction of European diseases (such as smallpox) and widespread epidemics (the flu) against which the indigenous peoples had no immunity. … As Native people were forced off their traditional landbases or killed, traditional land management practices were abandoned.”

Please report problems with the web pages to the maintainer

x
Top