The RISKS Digest
Volume 32 Issue 18

Friday, 7th August 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Omniviolence Is Coming and the World Isn't Ready
Massive 20GB Intel IP Data Breach Floods the Internet, Mentions Backdoors
Intel Responds
Cyberattack causes Lafayette, CO city computer outage
Jim Reisert
Garmin reportedly paid multimillion-dollar ransom after suffering cyberattack
The Verge
U.S. FAA proposes requiring key Boeing 737 MAX design changes
Beirut explosion
Lauren Weinstein
NSA Warns Cellphone Location Data Could Pose National-Security Threat
Dickson Yeo and spying in the time of social networking
Straits Times
Colorado police apologize over viral video of officers handcuffing Black girls in a mistaken stop
Measure twice, sculpt once.
Atlas Obscura
Dutch Hackers Found a Simple Way to Mess With Traffic Lights
Inside the Courthouse Break-In Spree That Landed Two White-Hat Hackers in Jail
Inaccurate Mailing Sent To Fairfax County Voters
WHO just gave us the worst possible coronavirus prediction
California virus-fighting efforts hampered by data delays
Do Animals Really Anticipate Earthquakes? Sensors Hint They Do
Scientific American
Despite an unexpected monkey wrench, now is the time to install the July Windows and Office patches
Adapting the user to the software
The Verge
The case for banning law enforcement from using facial recognition technology
Why a Data Breach at a Genealogy Site Has Privacy Experts Worried
Computers on verge of designing their own programs
AI bias detection; aka the fate of our data-driven world
The Truth Is Paywalled But The Lies Are Free
Current Affairs
A very good fake message from Facebook
Mike Alexander
Job-related scams and frauds
Cheap, Easy Deepfakes Are Getting Closer to the Real Thing
Blackbaud breach
Gabe Goldberg
Ajit Pai calls for vigorous debate on Trump's social media crackdown
Ars Technica
Sensitive to claims of bias, Facebook relaxed misinformation rules for conservative pages
NBC News
A Bug In Instagram's Hashtag Has Been Favoring Donald Trump
Big Problem: Twitter users attempting to expose @realDonaldTrump lies are being blocked for surfacing his lies!
From Minecraft Tricks to Twitter Hack: A Florida Teen's Troubled Online Path
FBI Used Information From An Online Forum Hacking To Track Down One Of The Hackers Behind The Massive Twitter Attack
Pranksters Stream Porn During Zoom Hearing for Alleged 17-Year-Old Twitter Hacker
Re: Darwin's tautology?
Peter Bernard Ladkin PGN
Re: When tax prep is free, you may be paying with your privacy
Douglas Lucas Chris Drewe
Bill English
Matthew Kruk
Info on RISKS (comp.risks)

Omniviolence Is Coming and the World Isn't Ready (Nautilus)

Richard Stein <>
Wed, 5 Aug 2020 12:09:02 +0800

“Technology is, in other words, enabling criminals to target anyone anywhere and, due to democratization, increasingly at scale. Emerging bio-, nano-, and cybertechnologies are becoming more and more accessible. The political scientist Daniel Deudney has a word for what can result: ‘omniviolence.’ The ratio of killers to killed, or ‘K/K ratio,’ is falling. For example, computer scientist Stuart Russell has vividly described how a small group of malicious agents might engage in omniviolence: ‘A very, very small quadcopter, one inch in diameter can carry a one-or two-gram shaped charge,’ he says. ‘You can order them from a drone manufacturer in China. You can program the code to say: “Here are thousands of photographs of the kinds of things I want to target.“’ A one-gram shaped charge can punch a hole in nine millimeters of steel, so presumably you can also punch a hole in someone's head. You can fit about three million of those in a semi-tractor-trailer. You can drive up I-95 with three trucks and have 10 million weapons attacking New York City. They don't have to be very effective, only 5 or 10% of them have to find the target.”

Cluster bombs are horrifying Cold War relics. The Convention on Cluster Munitions has been signed by 108 nations. Non-state actors are not bound by treaty. An autonomous cluster bomb would be unconscionable to say the least.

Artificial swarm intelligence technology emerged several years ago. ASI deployed as a weapon of mass destruction (WMD) represents a significant force multiplier. An autonomous cluster bomb would be unconscionable and terrifying.

Fortunately, domestic public safety services, and international intelligence, and military are employed to proactively deter, detect, and suppress WMD deployment.

Anthony Burgess' novel, “A Clockwork Orange,” introduced ‘ultra-violence’ as a label for extreme delinquency. As a headline, ‘omniviolence’ earns a rank of eleven on the eyeball attracting scale.

A bad sci-fi movie template: (Enemy du jour, favorite criminal organization, or script kiddie cutout) blackmails a city, state, or nation into paying X. It backs the threat to pay ransom (click here to view WMD video) by fabricating 1 million plastique-equipped micro-drones, fuels them, ships them via containerized cargo from Elbonia to a port where the load ‘accidentally’ jackknifes during transit to launch the autonomous payload toward preset destination…Amateur weather buff observes atypical Doppler weather patterns…alerts situation room authorities who scramble to home-on-jam intra-swarm communications…emergency broadcast signal (electromagnetic pulse) clears threat from the sky (and, possibly, a few civilian aircraft)…another day, another dollar in the situation room. “Round up the usual suspects” following drone triage. Roll credits, including a reference that shows ~802M cargo containers (twenty-foot equivalent units, TEUs) shipped globally in 2019.

Massive 20GB Intel IP Data Breach Floods the Internet, Mentions Backdoors (Intel Responds)

Richard Forno <>
August 7, 2020 5:53:06 JST

[via Dave Farber]

Cyberattack causes Lafayette, CO city computer outage

Jim Reisert AD1C <>
Tue, 4 Aug 2020 13:19:57 -0600

This is the part I found particularly interesting:

“In a cost/benefit scenario of rebuilding the City's data versus paying the ransom, the ransom option far outweighed attempting to rebuild.”

Does this mean that the attackers requested too little ransom for the key to unlock the data? Certainly at some higher level of ransom, the cost/benefit analysis could tip the other way.

Posted on: August 4, 2020 Cyberattack causes City computer outage

In the early morning hours of July 27, a ransomware cyberattack on the City's computer system disabled network services resulting in disruptions to phone service, email, and online payment and reservation systems. 9-1-1 and emergency dispatch services were not affected. Staff detected the infection and ransom notification at approximately 6:50am and disabled all network connections to contain the malware spread. Mutual aid from neighboring jurisdictions was brought onsite to assist, and a cybersecurity analyst was contracted to provide forensic investigation and recovery. Additional resources were deployed from the Boulder Office of Emergency Management and the State Office of Information Technology.

Garmin reportedly paid multimillion-dollar ransom after suffering cyberattack (The Verge)

Monty Solomon <>
Tue, 4 Aug 2020 13:17:06 -0400

Fitness brand Garmin paid millions of dollars in ransom after an attack took many of its products and services offline last month, Sky News reports. The payment was reportedly made through a ransomware negotiation company called Arete IR, in order for Garmin to recover data held hostage as a result of the attack.

BleepingComputer reported last week that Garmin had received a decryption key to access data encrypted by the virus, and that the initial ransom demand was for $10 million. […]

[See also: Garmin reportedly paid millions to resolve its recent ransomware attack (Engadget)]

U.S. FAA proposes requiring key Boeing 737 MAX design changes (Reuters)

Richard Stein <>
Tue, 4 Aug 2020 07:09:21 +0800

“The agency is issuing a proposed airworthiness directive to require updated flight-control software, revised display-processing software to generate alerts, revising certain flight-crew operating procedures, and changing the routing of some wiring bundles.”

I believe the proposal includes revisions to automatic test equipment and test program software applied for line replaceable unit (LRU) maintenance. The FAA's draft proposal is available online; I found this on page 24: “Note 1 to paragraph (g): Guidance for doing the installation and installation verification of the FCC OPS software can be found in Boeing 737-7/8/8200/9/10 Aircraft Maintenance Manual (AMM), Section 22-11-33.” I gather the AMM includes provisions for ATE/TPS updates/revisions.

These proposals will require significant investment to successfully complete. Apparently they incur less expenditure than would be required to undertake a new air-frame design and re-certification effort. Cheaper to keep a ~50 year old air-frame in the product catalog and hack it than to start from scratch.

“The changes are designed to prevent the erroneous activation of a key system known as MCAS tied to both crashes, to alert pilots if two AOA sensors are receiving conflicting data and to ensure flight crew can recognize and respond to erroneous stabilizer movement.”

“The FAA said the changes minimize 'dependence on pilot action and the effect of any potential single failure' and added that design changes address seven safety issues, including several involving MCAS.”

Beirut explosion

Lauren Weinstein <>
Tue, 4 Aug 2020 18:47:51 -0700

REPORT: Beirut explosion caused by welding operations at unsecured warehouse holding over 2700 tons of ammonium nitrate accumulated over six years.

NSA Warns Cellphone Location Data Could Pose National-Security Threat (WSJ)

geoff goodfellow <>
Wed, 5 Aug 2020 01:13:00 -1000

Disable location-sharing on apps, agency says in new guidance for military and intelligence personnel

The National Security Agency issued new guidance on Tuesday for military and intelligence-community personnel, warning about the risks of cellphone location tracking through apps, wireless networks and Bluetooth technology.

The detailed warning from one of the nation's top intelligence agencies is an acknowledgment that Silicon Valley's practice of collecting and selling cellphone location information for advertising and marketing purposes poses a serious national-security risk to many inside the government.

“Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations,” the NSA bulletin warned.

Among its recommendations, the NSA advises disabling location-sharing services on mobile devices, granting apps as few permissions as possible and turning off advertising permissions. The NSA also recommends limiting mobile web browsing, adjusting browser options to not allow the use of location data, and switching off settings that help track a misplaced or stolen phone.

Apps often collect and share anonymized location data with third-party location data brokers who in turn sell their commercial products to government and corporate customers, The Wall Street Journal has reported. The sale of the data, especially to the government, is generally done without consumer awareness.

Other services can estimate a phone's location based on its proximity to other Bluetooth devices or Wi-Fi networks. More invasive technologies used by law-enforcement and intelligence services—such as Stingray cell-tower simulators often used by police to collect location information, as well as Wi-Fi sniffers that can extract information about a phone based on network information—can collect a phone's location without user permission.

The agency's warning extended beyond phones, noting that fitness trackers, smartwatches, Internet-connected medical devices, other smart-home devices and modern automobiles all contain location-tracking potential. […]

Dickson Yeo and spying in the time of social networking (Straits Times)

Richard Stein <>
Mon, 3 Aug 2020 12:41:41 +0800

Note: the linked article (behind paywall) details the arrest.

The Straits Times author details how Yeo was recruited by PRC Intelligence. In turn, Yeo recruited and paid multiple U.S. persons as sources to author reports on non-public (but sensitive) strategic, tactical and/or technical information on the F-35 sale to Japan, South China Sea foreign policy, trade policy, etc.

“At the behest of a Chinese intelligence operative, two years ago, Singaporean Dickson Yeo conjured up a consultancy firm and posted a fake job posting on professional networking site LinkedIn.”

“The response floored him.”

“He got over 400 resumes, most of them from U.S. military and government employees with security clearances. He sent on those he found interesting to a Chinese operative.”

“The Financial Times, in a report last Friday (also behind paywall), said Yeo's case underscores ‘growing fears among intelligence agencies around the world that they are unable to parry China's increasingly astute online espionage efforts aimed at officials with high-level security clearances.’”

Social media, while convenient for advertising goods and gigs, also facilitates espionage recruiting. Correlate candidate CV content against the U.S. office of personnel management (OPM) breach (or the HR breach du jour) to cherry-pick targets. Plan to hook them into your network via compromise (financial problems, addiction, embarrassing personal information).

A smartphone and a file-share (Dropbox) are all that's needed to boost and relay information. No more dead drops, no more snail mail. Employ a cutout, a mutually trusted intermediary, to shield network handler origin if/when cover is blown.

Spying is an age-old problem. Effective counter-intelligence can suppress human sources, and cyber-security can limit surreptitious digital data exfiltration.

A hypothetical “spy versus spy” social media human intelligence recruiting entrapment effort might consist of the following:

1) Use GPT-3 to author a few thousand phony CVs and credentials for “fake worker background” with clearances, and periodically update recruiting sites to trap human intelligence recruiters. Might be difficult to fake the existence of a student at XYZU having written a thesis on “Pulsed-quantum computation adiabatic decoherence mitigation” that successfully vets against an adversary's alumnus network correlation tool. 2) Include “I speak and write ABC” in the adversary's native character set to elevate profile “optional” correlation assessment points. Add a few bogus project code words (lifted from ‘Dilbert’ cartoons). Include a few phony roles, dates, and locations (a business park hosting a front company) to goose up the candidate score: Procurement and sourcing manager for sub-decibel hypersonic anti-submarine warfare flotation technology. Lead investigator on simulation of quantum network micro-satellite deployment with impulse drive propulsion. 3) Author a social media page, and post a few items to various blogs of interest with faked photos from mountain climbs, botanical gardens, high-school proms, etc.

Colorado police apologize over viral video of officers handcuffing Black girls in a mistaken stop (WashPost)

Monty Solomon <>
Wed, 5 Aug 2020 09:03:43 -0400

Two of the family's Black children were handcuffed by police at gunpoint, and all four, including a six-year-old, were ordered to lie face-down on the parking lot.

Measure twice, sculpt once. (Atlas Obscura)

Gabe Goldberg <>
Wed, 5 Aug 2020 19:50:26 -0400

Coade Stone Caryatids - London, England - Atlas Obscura

A measuring mishap led to these artificial stone ladies losing their stomachs.

Dutch Hackers Found a Simple Way to Mess With Traffic Lights (WiReD)

Gabe Goldberg <>
Fri, 7 Aug 2020 00:46:50 -0400

By reverse engineering apps intended for cyclists, security researchers found they could cause delays in at least 10 cities from anywhere in the world.

Inside the Courthouse Break-In Spree That Landed Two White-Hat Hackers in Jail (WiReD)

Gabe Goldberg <>
Thu, 6 Aug 2020 00:34:57 -0400

When two men were hired to break into Iowa judicial buildings, they thought it was just another physical security audit—until they were charged with burglary.

Inaccurate Mailing Sent To Fairfax County Voters (Patch)

Gabe Goldberg <>
Thu, 6 Aug 2020 14:34:00 -0400

The Center for Voter Information sent out absentee ballot applications with an incorrect return address.

Fairfax County, VA—A mailing going out to Fairfax County voters from a nonprofit organization has incorrect information, according to Fairfax County's Office of Elections.

The mailing from the Center for Voter Information includes pre-filled absentee ballot applications with return envelopes. The problem is, the return address is the City of Fairfax's registrar, not Fairfax County's.

“This mailing is causing great confusion and concern among voters who have been contacting our office,” said Fairfax County General Registrar Gary Scott in a news release. “While the mailing may appear to be from an official government agency, the Fairfax County Office of Elections did not send it.”

A county statement says the absentee ballot application went out to voters without their request. The mailing is also causing confusion among voters who already requested ballots from Fairfax County.

The county is working with the City of Fairfax to ensure applications received from the inaccurate mailing will be processed by Fairfax County.

The Center for Voter Information shared the following statement:

The Center for Voter Information recently sent vote by mail applications to voters in Virginia, encouraging them to safely participate in democracy. We are aware that some of the mailers may have directed the return envelopes to the wrong election offices, particularly in the Fairfax area of northern Virginia.

Approximately half a million applications sent to eligible voters in Virginia included incorrect information, and we are working diligently to address the issues. Mistakes in our programming are very rare, but we take them seriously, and our methods overall are extraordinarily effective. In fact, we have worked with our partner, the Voter Participation Center, to successfully generate nearly 800,000 vote by mail applications across the country, and helped over 5-million people register to vote in our history.

We know voters are on high alert as the November election approaches, and we regret adding to any confusion. Please rest assured that we are working with local election officials in Virginia to re-direct the vote by mail applications to the proper locations, and will rectify any errors at our own expense.

Brilliant. Nice favor this organization did. It's so comforting that their programming mistakes are rare. This is a very Blue area—and I understand one must first assume incompetence when something worse might be suspected. Still…

WHO just gave us the worst possible coronavirus prediction (BGR)

geoff goodfellow <>
Mon, 3 Aug 2020 01:17:00 -1000

- The coronavirus transmission risk remains high, warned the World Health Organization during a meeting of its emergency committee.

- WHO chief Tedros Adhanom Ghebreyesus said that the COVID-19 pandemic is a “once-in-a-century health crisis” with effects that will be felt for “decades to come.”

- The health crisis already taught us that some COVID-19 patients will take weeks or even months to recover and may sustain internal damage from the infection that could lead to long-lasting medical conditions.

The novel coronavirus is here to stay, even once vaccines are widely available. It's still too early to tell how long COVID-19 immunity lasts, but infectious disease experts think the new virus will behave just like other human coronaviruses. That means reinfection could be possible as soon as six to twelve months after the first bout, and vaccine protection will be limited without regular booster shots. Even if vaccines are approved this fall or winter, it will be months until public immunization campaigns can start in earnest. The initial vaccine supply will not meet demand, as the entire world might need 15 billion doses to inoculate everyone—and some people will always resist vaccines, while others are in remote regions that may not be accessible. Therefore, it will be years before a large percentage of the world's population is vaccinated against COVID-19, and that's assuming the current candidates are effective. Other drugs are also in human trials and they could provide new effective therapies to prevent COVID-19 complications or death.

With all that in mind, it seems unlikely for the novel coronavirus to disappear anytime soon and the world will have to learn to live with it, just like it did with other infectious diseases. The World Health Organization (WHO) made this prediction several months ago, as researchers learned more details about the new illness. But now, the WHO just gave the world the worst possible forecast about the novel coronavirus.

WHO chief Tedros Adhanom Ghebreyesus spoke to reporters on Friday as the organization's emergency committee evaluated the situation six months after declaring COVID-19 an international emergency. […]

California virus-fighting efforts hampered by data delays

Richard Stein <>
Fri, 7 Aug 2020 11:02:50 +0800

CalREDIE—California Reportable Disease Information Exchange—embodies the core data collection platform licensed for access and disease incidence reporting from laboratories, hospitals, public health agencies. State public health officials and the elected governance functions are operating under a high-latency reporting condition.

A root cause for the sluggishness has not been disclosed. Estimates claim 50% of COVID-19 case counts are missing from public reports. Probably a huge XML payload to database insert backlog. Deficient elasticity scale-up in the infrastructure.

Risk: Inaccurate reporting of disease statistics reduces public vigilance to apply safeguards against infection. If the latency remained undiscovered, public health spending priorities would be irresponsibly reduced.

Do Animals Really Anticipate Earthquakes? Sensors Hint They Do (Scientific American)

Richard Stein <>
Mon, 3 Aug 2020 13:18:48 +0800

Reliable earthquake precursors are challenging to identify. A few seconds advanced warning can save lives. A few hours advance notice, enough to evacuate a vulnerable city, would be miraculous. Instrumented animals, and their environmentally-adapted swarm intelligence, might hold the key to early quake detection.

“For example, 'we did a study on Galápagos marine iguanas, and we know that they are actually listening in to mockingbirds' warnings about the Galápagos hawks,' he adds. ‘These kinds of systems exist all over the place. We're just not really tuned in to them yet.’”

“Wendy Bohon, a geologist at the Incorporated Research Institutions for Seismology in Washington, D.C., who was not involved with the new study, is skeptical of the air ionization idea. Numerous geologists have unsuccessfully tried to find such a precursory signal of impending earthquakes, she notes. Bohon does allow that Wikelski and his co-authors did some ‘cool things’ to explore the possibility of animals predicting earthquakes. But she wonders whether there were instances in which the creatures showed unusual activity and there was no earthquake or did not react before one did occur. ‘My cat could act crazy before an earthquake,’ she says. ‘But my cat also acts crazy if somebody uses the can opener.’ In order to use the animals as prognosticators, it would be imperative to establish that they exhibited unusual behavior only in reaction to upcoming seismic events, Bohon says. ‘Otherwise,’ she adds, ‘it becomes the “Boy Who Cried Wolf” problem.’”

Risk: Alarm fatigue.

[Earthquake sensor-equipped birds fowl detection?]

Despite an unexpected monkey wrench, now is the time to install the July Windows and Office patches (Computerworld)

Gabe Goldberg <>
Mon, 3 Aug 2020 15:19:39 -0400

If it weren't for the schizophrenic behavior of Microsoft's preview patches, July updating would be a slam dunk. As things stand, you'd be well advised to go ahead and patch—but be aware of the odd behavior.

Rhetorical questions:

How are normal people supposed to cope with nonsense like this?

How has Microsoft let patches—previously largely reliable—deteriorate to this egregious level of complexity and risk?

Adapting the user to the software (The Verge)

Steve Summit
Thu, 06 Aug 2020 23:37:47 -0400

We've probably all had our frustrations with Microsoft Excel: powerful, ubiquitous, often pretty useful, occasionally insanely frustrating. It would never have occurred to me to make formal redefinitions across an entire industry just to coddle its peculiar predilections, though:

A string like “MARCH1”—which to a geneticist used to be the accepted abbreviation for the Membrane Associated Ring-CH-Type Finger 1 gene—is taken by default by Excel as a date, and while there's a way to force it to be treated as a regular string, it's easy enough to forget that errors have been unacceptably prevalent. So the Membrane Associated Ring-CH-Type Finger 1 gene is now “MARCHF1”, and several dozen other genes have been similarly reabbreviated.
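The coercion the post describes, as an added example that is not code from the post, The Verge, Microsoft or the gene-naming body: a small Python check that flags symbols a spreadsheet would silently turn into dates, applies the MARCHn to MARCHFn rename the post cites, and scans a constructed CSV export before it reaches Excel. The month-prefix heuristic is an assumption approximating Excel's behaviour, not its real parser.

```python
import csv
import io
import re

# Full month names.  Any alphabetic run of three or more letters that is a
# prefix of one of these ("MAR", "MARCH", "SEPT", "DEC") is assumed to be
# accepted as a month by the spreadsheet.  This approximates Excel's date
# heuristic for the purpose of this example; it is not Excel's real parser.
_MONTHS = ("JANUARY", "FEBRUARY", "MARCH", "APRIL", "MAY", "JUNE", "JULY",
           "AUGUST", "SEPTEMBER", "OCTOBER", "NOVEMBER", "DECEMBER")

# Month-then-day ("MARCH1", "SEPT-2", "Dec 31") and day-then-month ("1MAR", "2-SEPT")
_MONTH_DAY = re.compile(r"^(?P<mon>[A-Za-z]{3,})[-/ .]?(?P<day>\d{1,2})$")
_DAY_MONTH = re.compile(r"^(?P<day>\d{1,2})[-/ .]?(?P<mon>[A-Za-z]{3,})$")


def _is_month(word: str) -> bool:
    word = word.upper()
    return any(name.startswith(word) for name in _MONTHS)


def looks_like_excel_date(token: str) -> bool:
    """True if a cell imported with the default 'General' format would
    likely be rewritten as a date, destroying the original symbol."""
    token = token.strip()
    for pattern in (_MONTH_DAY, _DAY_MONTH):
        match = pattern.match(token)
        if match and _is_month(match.group("mon")) and 1 <= int(match.group("day")) <= 31:
            return True
    return False


def hgnc_style_rename(symbol: str) -> str:
    """Apply the rename the post cites: MARCHn -> MARCHFn.  Other date-like
    symbols are returned unchanged; each needs its own approved new name,
    which this example does not invent."""
    match = re.match(r"^MARCH(\d+)$", symbol)
    if match:
        return "MARCHF" + match.group(1)
    return symbol


def audit_table(csv_text: str):
    """Scan a CSV export and return (row_index, column_index, value) for
    every cell a spreadsheet would mangle.  Row 0 is the header."""
    findings = []
    for row_index, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for column_index, cell in enumerate(row):
            if looks_like_excel_date(cell):
                findings.append((row_index, column_index, cell))
    return findings


# Constructed sample export (not real data): two symbols are at risk,
# the already-renamed MARCHF1 is safe.
SAMPLE_CSV = """gene,log2fc,padj
TP53,1.2,0.01
MARCH1,-0.8,0.03
SEPT2,0.4,0.20
MARCHF1,-0.8,0.03
"""

if __name__ == "__main__":
    for row_index, column_index, value in audit_table(SAMPLE_CSV):
        renamed = hgnc_style_rename(value)
        advice = (f"rename to {renamed!r}" if renamed != value
                  else "no rename known here; import the column as Text")
        print(f"row {row_index} col {column_index}: {value!r}: {advice}")
```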

The case for banning law enforcement from using facial recognition technology (TJCI)

“Diego.Latella” <>
Fri, 07 Aug 2020 13:47:29 +0200

The Justice Collaborative Institute: The Case for Banning Law Enforcement from Using Facial Recognition Technology

“The Justice Collaborative Institute is home to a collection of the nation's top scholars and thinkers bound together by a common mission to produce rigorous, practical research that contributes to an America with more dignity and freedom for all of us, starting with those who are the most vulnerable. We translate our research into pragmatic resources for public officials, reporters, advocates, and other scholars, including polling memos, policy briefs, model laws and policies, and amicus briefs.”

Why a Data Breach at a Genealogy Site Has Privacy Experts Worried (NYTimes)

Monty Solomon <>
Sat, 1 Aug 2020 18:00:33 -0400

Nearly two-thirds of GEDmatch's users opt out of helping law enforcement. For a brief window this month, that didn't matter.

Computers on verge of designing their own programs (Techxplore)

Richard Stein <>
Tue, 4 Aug 2020 13:08:18 +0800

“Gottschlich explained, ‘Intel's ultimate goal for machine programming is to democratize the creation of software. When fully realized, machine programming will enable everyone to create software by expressing their intention in whatever fashion that's best for them, whether that's code, natural language or something else. That's an audacious goal, and while there's much more work to be done, MISIM is a solid step toward it.’”

MISIM relies on AI to compare “correct programs” against a candidate specification. Correctly transliterating this specification, as per formal methods, should satisfy user expectations when the cooked code runs. I wonder if MISIM would succeed in a transliteration of a multi-threaded process specification per Hoare's communicating sequential processes?

Would be interesting to see if Machine Inferred Code Similarity could eventually detect and triage race conditions, kernel or interruptible sleep state deadlock. Significant specification and test cases are needed (retrieved on 04AUG2020) to identify these conditions.

Someday, the app you buy might be authored and qualified by a bot. MISIM portends a solution, however partial, to the Turing Halting Problem.

MISIM does not demand royalties—a piece of the action—from app license and sale. No sick leave, vacation, or retirement benefits are paid as carbon-based authors are largely out-of-the-loop: it codes for virtual peanuts, until it decides if it can or cannot.

AI bias detection; aka the fate of our data-driven world

geoff goodfellow <>
Fri, 7 Aug 2020 01:11:00 -1000

Rooting out implicit bias in AI is fundamental to ensuring an equitable society. Is it even possible?

Here's an astounding statistic: Between 2015 and 2019, global use of artificial intelligence grew by 270%. It's estimated that 85% of Americans are already using AI products daily, whether they know it or not.

It's easy to conflate artificial intelligence with superior intelligence, as though machine learning based on massive data sets leads to inherently better decision-making. The problem, of course, is that human choices undergird every aspect of AI, from the curation of data sets to the weighting of variables. Usually there's little or no transparency for the end user, meaning resulting biases are next to impossible to account for. Given that AI is now involved in everything from jurisprudence to lending, it's massively important for the future of our increasingly data-driven society that the issue of bias in AI be taken seriously.

This cuts both ways—development in the technology class itself, which represents massive new possibilities for our species, will only suffer from diminished trust if bias persists without transparency and accountability. In one recent conversation, Booz Allen's Kathleen Featheringham, Director of AI Strategy & Training, told me that adoption of the technology is being slowed by what she identifies as historical fears:

Because AI is still evolving from its nascency, different end users may have wildly different understandings about its current abilities, best uses and even how it works. This contributes to a blackbox around AI decision-making. To gain transparency into how an AI model reaches end results, it is necessary to build measures that document the AI's decision-making process. In AI's early stage, transparency is crucial to establishing trust and adoption.

While AI's promise is exciting, its adoption is slowed by historical fear of new technologies. As a result, organizations become overwhelmed and don't know where to start. When pressured by senior leadership, and driven by guesswork rather than priorities, organizations rush to enterprise AI implementation that creates more problems.

One solution that's becoming more visible in the market is validation software. Samasource, a prominent supplier of solutions to a quarter of the Fortune 50, is launching AI Bias Detection, a solution that helps to detect and combat systemic bias in artificial intelligence across a number of industries. The system, which leaves a human in the loop, offers advanced analytics and reporting capabilities that help AI teams spot and correct bias before it's implemented across a variety of use-cases, from identification technology to self-driving vehicles. […]

The Truth Is Paywalled But The Lies Are Free (Current Affairs)

Lauren Weinstein <>
Mon, 3 Aug 2020 08:19:33 -0700

A very good fake message from Facebook

“Mike Alexander” <>
Tue, 04 Aug 2020 20:11:37 -0400

I have turned on the option on Facebook to encrypt all messages from them using GPG. I recently got a message that came from a Facebook domain (based on the first Received: header) and was signed with their GPG key, but was apparently not from them. It appeared to be a notification of a private message from a friend of mine, but she says she didn't send me a message on Messenger, and the links that purport to open the message go to and try to open a Flash movie (I don't have Flash installed). I really can't think of a good explanation for this that doesn't involve something bad happening at Facebook.

Job-related scams and frauds (CBC)

“Matthew Kruk” <>
Fri, 7 Aug 2020 06:43:47 -0600

Job scams are on the rise and becoming more sophisticated, said Jeff Thomson, senior RCMP intelligence analyst at the Canadian Anti-Fraud Centre.

In 2019, the centre received more than 2,400 job-related fraud reports, he said. The number of reports counted in 2020 is already more than 2,300 - and that's only up to July.

With more people losing their jobs during the COVID-19 pandemic and seeking work, as well as shifting to doing business primarily online, “it's sort of ripe for job scams right now,” Thomson said.

Cheap, Easy Deepfakes Are Getting Closer to the Real Thing (WiReD)

geoff goodfellow <>
Thu, 6 Aug 2020 01:10:00 -1000

Using open-source software and less than $100, a researcher was able to create plausible images and audio of actor Tom Hanks.

There are many photos of Tom Hanks, but none like the images of the leading everyman shown at the Black Hat computer security conference Wednesday: They were made by machine-learning algorithms, not a camera.

Philip Tully, a data scientist at security company FireEye, generated the hoax Hankses to test how easily open-source software from artificial intelligence labs could be adapted to misinformation campaigns. His conclusion:

“People with not a lot of experience can take these machine-learning models and do pretty powerful things with them.”

Seen at full resolution, FireEye's fake Hanks images have flaws like unnatural neck folds and skin textures. But they accurately reproduce the familiar details of the actor's face like his brow furrows and green-gray eyes, which gaze coolly at the viewer. At the scale of a social network thumbnail, the AI-made images could easily pass as real.

To make them, Tully needed only to gather a few hundred images of Hanks online and spend less than $100 to tune open-source face-generation software to his chosen subject. Armed with the tweaked software, he cranks out Hanks. Tully also used other open-source AI software to attempt to mimic the actor's voice from three YouTube clips, with less impressive results.

By demonstrating just how cheaply and easily a person can generate passable fake photos, the FireEye project could add weight to concerns that online disinformation could be magnified by AI technology that generates passable images or speech. Those techniques and their output are often called deepfakes, a term taken from the name of a Reddit account that late in 2017 posted pornographic videos modified to include the faces of Hollywood actresses.

Most deepfakes observed in the wilds of the Internet are low quality and created for pornographic or entertainment purposes. So far, the best-documented malicious use of deepfakes is harassment of women. Corporate projects or media productions can create slicker output, including videos, on bigger budgets. FireEye's researchers wanted to show how someone could piggyback on sophisticated AI research with minimal resources or AI expertise. Members of Congress from both parties have raised concerns that deepfakes could be bent for political interference. […]

Blackbaud breach

Gabe Goldberg <>
Thu, 6 Aug 2020 14:41:44 -0400

“We deeply appreciate your generous support of the Freedom Forum and our affiliates, the Newseum and the Freedom Forum Institute, and our mission to foster First Amendment freedoms for all. As part of our efforts to share important updates with our valued supporters, we are writing to inform you about a data incident involving one of our long-time vendors, Blackbaud, that may have affected some of your personal information. Blackbaud is the global market leader in not-for-profit software, and their products are commonly used to manage relationships and communications with constituents and donors.”

This is at least my fourth such notice from some organization using Blackbaud. Of course, there's no way for people to tell who else might be a victim of an outsourcing vendor. How many more? It's tough doing due diligence with such invisible infrastructure.

Ajit Pai calls for vigorous debate on Trump's social media crackdown (Ars Technica)

Gabe Goldberg <>
Mon, 3 Aug 2020 19:17:19 -0400

“Tell the FCC to reject this,” Democrat says as agency seeks public comment.

Sensitive to claims of bias, Facebook relaxed misinformation rules for conservative pages (NBC News)

Lauren Weinstein <>
Fri, 7 Aug 2020 15:13:20 -0700

A Bug In Instagram's Hashtag Has Been Favoring Donald Trump (BuzzfeedNews)

Gabe Goldberg <>
Wed, 5 Aug 2020 19:42:02 -0400

“A technical error caused a number of hashtags to not show related hashtags. We've disabled this feature while we investigate.”

A bug they call it, a poisonous bug…

Big Problem: Twitter users attempting to expose @realDonaldTrump lies are being blocked for surfacing his lies! (CNN)

Lauren Weinstein <>
Thu, 6 Aug 2020 09:48:12 -0700

From Minecraft Tricks to Twitter Hack: A Florida Teen's Troubled Online Path (NYTimes)

Lauren Weinstein <>
Sun, 2 Aug 2020 16:52:11 -0700

FBI Used Information From An Online Forum Hacking To Track Down One Of The Hackers Behind The Massive Twitter Attack (TechDirt)

Monty Solomon <>
Tue, 4 Aug 2020 10:36:13 -0400

Pranksters Stream Porn During Zoom Hearing for Alleged 17-Year-Old Twitter Hacker (gizmodo)

Gabe Goldberg <>
Wed, 5 Aug 2020 19:44:42 -0400

Pranksters disrupted judicial hearings on Wednesday for the 17-year-old Florida kid who allegedly hijacked the accounts of prominent Twitter users last month, according to multiple people on the teleconference call. There were several intrusions during the first attempt at the hearing, and it was finally stopped after pornography was streamed via Pornhub. […]

“How the judge in charge of the proceeding didn't think to enable settings that would prevent people from taking over the screen is beyond me. My guess is he didn't know he could,” security expert Brian Krebs tweeted Wednesday morning. “This guy's reaction sums it up.”

The reaction, of course, was one of shock and bewilderment.

Re: Darwin's tautology? (RISKS-32.12,15,16,17)

Peter Bernard Ladkin <>
Sun, 2 Aug 2020 10:42:00 +0200

It is somewhat unkind of Amos Shapir (Risks 32.17) to suggest that a 940-year-old problem in logic is a “quagmire”. 141 years ago, someone could have said the same about the distribution of terms, which was then solved elegantly and definitively by Herr Frege in his Begriffsschrift pamphlet in 1879. (See Peter Geach, Logic Matters, Basil Blackwell 1972 for extensive discussion of distribution, and Jean van Heijenoort, From Frege to Gödel: A Source Book in Mathematical Logic, 1879-1931, Harvard University Press, 1967 for an English translation of the Begriffsschrift.)

Whether a RISKS reader wants to “step into” the subject of Anselm's argument in the Proslogion depends on whether she is interested in logic. An interest in conceptions of gods is secondary (although not for Anselm).

Martin Ward cites Gödel's formulation of an Ontological Argument for the existence of a god. The version written down by Dana Scott appears to be formally correct (Benzmüller and Woltzenlogel Paleo, ECAI Proceedings 2014). Paul Oppenheimer and Ed Zalta had looked somewhat earlier at other versions and showed some were formally provable (see, e.g., Australasian Journal of Philosophy, 2013). John Rushby verified a version of the Oppenheimer-Zalta proof in PVS (CAV Proceedings, 2013).

I have even done a little twiddling myself, though with traditional analysis of premises and arguments, not with ATPs. Peter Millican (a philosopher at Oxford) claimed to have found a fatal flaw in Anselm's argument (in Mind 113, 2004). I didn't agree with Millican that the flaw is “fatal”. I think I found some missing premises and supplied them (preprint January 2017). I had some discussion with Millican and my former tutor Ralph Walker, a Kant specialist, about it. (Kant had some thoughts about Anselm's argument also.)

Shapir also defines “tautology”

> Tautology is a term in logic defined as a statement which is true
> unconditionally, determined just by its formulation, e.g., “A or not A” —
> Thus when a statement is a tautology, its truthfulness requires no proof.
> A statement cannot “become a tautology” by a proof.

He thereby contradicts Ward (RISKS-32.15), who thinks that all valid mathematical theorems are tautologies, whereas you could surely only claim a few of them are “determined just by [their] formulation”. Fermat's Last Theorem certainly wasn't. Its formulation is in the language of +, x and exp, and no one I know finds it remotely plausible that there is a proof in that language alone.

The term “tautology” is wider than what Shapir suggests. Wikipedia indicates at least three different meanings. Looking just at “term[s] in logic”, per Shapir, one can wonder whether a tautology is a statement (1) “true in virtue of its form” (Shapir), or one (2) “true in every possible interpretation” (Wikipedia). Those are by no means the same: Fermat's Last Theorem is true in every possible interpretation, so fulfills (2) but, as I just observed, not (1).

Ward, for his part (in RISKS-32.15), calls “circular” arguments out as being “fallacious”. Whatever bad things might come with being “fallacious”, some circular arguments are both valid and good. “A, therefore A” is as circular as you can get. It is also an inference rule of Natural Deduction and an axiom of Sequent Calculus, two of the most useful formulations of logic(s).

Re: Darwin's tautology? (Ladkin, RISKS-32.18)

“Peter G. Neumann” <>
Sun, 2 Aug 2020 12:48:20 PDT

My long-time colleague John Rushby in the SRI Computer Science Laboratory has been studying what Peter Ladkin refers to in the above RISKS item, and John has two papers. See his website:

Re: When tax prep is free, you may be paying with your privacy (Dorsey, RISKS-32.17)

Douglas Lucas <>
Sun, 2 Aug 2020 02:22:50 +0000

> I do not understand why people are willing to pay any money to do
> it online when doing it by hand is simple and cheap unless you have a
> lot of income or very complex deductions.

Imagine not people but ideas and actions. Then imagine a protagonist who began hiking the Appalachian Trail prior to COVID-19's arrival in the United States. 2/3 through the hike, he begins hearing from other hikers of some virus, some disease, that might be fake news or ancient ideograms. It is now time for him to leave the Appalachian Trail, and as the climactic moment arrives, night before tax day in the United States (14 April 2020), we are passed through a single flux capacitor like a f(x) chain rule from Mars.

I argue to myself and but few others in person that any frozen image, whether the paragraphs above or a painting in a gilded frame of a gilded museum, can be analyzed by applying 4 criteria: ‘holistic context’ (oxymoronic, but bear with me); changes in distance; changes in time; and changes in emotions (e.g., love/shame battling through yap stones and Catholic indulgences and dolla dolla bills; prisoner dilemmas; and ethics vs moral compasses)…

And lo, the capacitor fluxes a second time: from Mars, seen are immigrants, lumpenproles, refugees, political prisoners, criminals, traffickers of armaments of all shapes and colors, in a word, the neurodivergent.

The final flux of this capacitation is that I performed zero background research on who ‘Scott Dorsey’ is, who '' is, what his primary second or third language is, and so on, meaning I am earnestly attempting to abstract from my above argument, ad hominem, ad authoritatem.

Does passing the above through the quoted focal lens of “I do not understand why…” make the understanding better or worse, or do we simply wait for more or less dire RISKS digest headlines to tell us that answer?

Re: When tax prep is free, you may be paying with your privacy. (RISKS-32.17)

Chris Drewe <>
Wed, 5 Aug 2020 22:04:36 +0100

Similar in the UK (I can't speak from experience); however, legend has it that the UK tax system is the most complicated in the world, although it's a highly-competitive field and many other countries may claim the title. Therefore there's plenty of potential for errors and differences of opinion, and that's apart from the constant changes of course. As the old joke says, if you get a gas bill for a million pounds then everybody has a good laugh, but if you get a tax bill for a million pounds, you need a good accountant and lawyer, and fast.

Part of the problem seems to be that UK tax policy is as much about punishing and rewarding behaviour as raising funds for government spending, so the basic approach is high basic tax rates with loads of exemptions, reliefs, concessions, etc. to show how caring they are for letting you do the right thing. And part of this problem is politicians coming up with kludges and tweaks to fix this month's headline worry, forgetting that the fixes usually stay around much longer after the original problem has been forgotten. Some people have suggested a ‘flat tax’ policy, i.e. add up your income on one side and your deductions on the other, then pay a straight tax of, say, 20% on the difference. Wonderfully simple, but the UK policy is the complete opposite.

One possible problem for me is tax on interest and share dividends. Historically, if you saved money in a bank deposit account, then tax was deducted from the interest at a standard rate, and the bank sent periodic statements saying “your account has earned X pounds of interest, we have deducted Y pounds of tax, and paid X-Y pounds into your account”; if you paid higher tax then you declared this on your tax form, or if you didn't pay tax then you could claim it back. A similar arrangement applied to share dividends and suchlike. Hence the vast majority of people paid tax at the right rate by default.

Nowadays, this doesn't apply—any payments are given without deductions, and you have to declare these if they exceed your allowance, currently 1,000 pounds for interest and 2,000 pounds (was 5,000 pounds) for dividends. So in my case I would have to keep an eagle eye out for all of these payments during the year and then be ready to 'fess up if the thresholds are reached. Retired people often rely on investment income to supplement their pensions, and commentators have pointed out that many of them may have gone through their entire working lives without having to worry about filing tax details, then may well unexpectedly find themselves having to grapple with taxation bureaucracy in their advancing years.

In my case I'm donating my modest holdings of shares to charity (there's a ‘Sharegift’ scheme to do this on a no-cost basis, avoiding the usual hefty trading fees on tiny shareholdings), and today's interest rates (“high interest” means anything >0.0%) mean that I'm unlikely to earn much here. Luckily I don't have any dependents as the UK welfare system is at least as complex as tax, with a good deal of interaction between them, so that's one can of worms avoided.

The UK tax authorities accept more and more information on-line only, which may require access to expensive dedicated software and/or a steep learning curve, so not much scope for DIY there. People with a regular income from employment or a pension normally have this done for them by their employer or pension provider; this is more problematic for those with irregular sources of money. One instance mentioned in the news a few years ago concerned those working in the broadcasting industry. As their work is usually erratic, they often form themselves into companies and contract themselves to programme makers or whoever, so are paid by company rules instead of as employees, with lower tax rates. The authorities declared one of these schemes operated by the BBC to be illegal, so not only did the stars have to pay large unexpected tax bills, but they complained that the BBC had demanded this arrangement as a condition of gaining work with them, assuming that it had all been cleared beforehand.

Bill English

“Matthew Kruk” <>
Wed, 5 Aug 2020 18:41:59 -0600

Bill English, the computer engineer who built the very first prototype mouse, who was the behind-the-scenes mastermind of the “Mother of All Demos” and who later assisted Alan Kay in building the Xerox PARC Alto computer, has died at the age of 91.

“The Mother of all Demos” included at URL. 1968 - wow.
