The RISKS Digest
Volume 32 Issue 25

Monday, 7th September 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Blistering Consumer Reports review of Tesla's $8000 full self-driving package, including some serious safety concerns
Research questions
Gene Spafford
Apple Accidentally Approved Malware to Run on MacOS
Parents Face Tech Issues On First Day Of School In Wash DC and Maryland
Man blows up part of house while chasing fly
The surprising secret hidden in a pregnancy test
It Has Come to This: Ignore the CDC
NYTimes OpEd
Intel Slips, and a High-Profile Supercomputer Is Delayed
Amazon Drivers Are Hanging Smartphones in Trees to Get More Work
Russians Again Targeting Americans With Disinformation, Facebook and Twitter Say
FBI worried that Ring doorbells are spying on police
The Subtle Tricks Shopping Sites Use to Make You Spend More
A Saudi Prince's Attempt to Silence Critics on Twitter
California: Tell Your Senators That Ill-Conceived Immunity Passports Won't Help Us
Online Voting Company Pushes to Make It Harder for Researchers to Find Security Flaws
Alfred Ng
Russian election interference continues
“Vote early, vote often?”
Happy National Poll Worker Recruitment Day
Rebecca Mercuri
Re: For Election Administrators, Death Threats Have Become Part of the Job
Court Approves Warrantless Surveillance Rules While Scolding FBI
Blanked-Out Spots On China's Maps Helped Us Uncover Xinjiang's Camps
How Four Brothers Allegedly Fleeced $19 Million From Amazon
A critical flaw is affecting thousands of WordPress sites
Is Your Chip Card Secure? Much Depends on Where You Bank
The Brain Implants That Could Change Humanity
Neuralink: Elon Musk unveils pig he claims has computer implant in brain
The Guardian
New parking technology aims to manage curb space virtually
The Pod People Campaign: Driving User Traffic via Social Networks
Courtney Falk via Gene Spafford
Re: Humans Take a Step Closer to Flying Car
geoff goodfellow
Re: Driverless cars are coming soon followup
Martin Ward
Re: Tesla with Autopilot hits cop car; driver admits he was watching a movie
Barry Gold
Re: Date and time synchronization
David E. Ross, Terje Mathisen
Re: Dicekeys, an additional risk
Craig S. Cottingham, Bob Wilson
Re: Greenland glacier melt
Amos Shapir, David Damerell
Re: Grading by algorithm results in UK debacle
John Murrell
Info on RISKS (comp.risks)

Blistering Consumer Reports review of Tesla's $8000 full self-driving package, including some serious safety concerns (Twitter)

geoff goodfellow <>
Fri, 4 Sep 2020 16:02:39 -1000

Research questions

Gene Spafford <>
Tue, 1 Sep 2020 10:25:33 -0400

How sad that all the computing questions in Dave Farber's list (at the URL in the post) are devoted to AI/ML. We have an incredibly rich and broad field with many important open problems in software engineering, cybersecurity, privacy, HPC, programming environments, HCI, robotics, databases, machine architecture, distributed/cloud/fog computing, IoT, and more. I'm surprised that at least one of the other fads didn't show up, such as quantum computing. (Thankfully, this was one list that didn't include the death cult favorite blockchain.)

It seems about every 20 years the AI/ML bug bites people and causes a huge surge of interest. After all, the idea of creating thinking artifacts is rather appealing, especially to investors who would rather not be paying salaries of real people on an on-going basis, and to military planners who envision regiments of disposable killing machines. Many of the advancements in the area have occurred simply because we have faster processing and more memory than the last time we made the big investments in this area, which are not advances in AI/ML per se, but came out of more traditional research. Our ability to make bad decisions is now so much faster than human thought (even augmented with bourbon or tequila) that it has far outstripped our willingness to think about ethics and human good. The results are increasingly worrisome to those of us who believe, as a core value, precept 1.2 of the ACM Code of Ethics: Avoid Harm.

I remember reading Frank Herbert's Dune in about 1975. I thought the idea of the Butlerian Jihad was quite interesting, especially in light of films such as The Forbin Project and Terminator. The Doomsday network in Dr. Strangelove also comes to mind. (I could list another dozen movies and novels, including War Games, The Matrix, Ava, and 2001. Surely someone has a list of these somewhere.) When I did some of my original research on computer viruses, When HARLIE Was One brought another view of the issues to mind that was beginning to appear in the real world. One does not need to turn to science fiction to see some of the issues. Regular readers of the Risks Digest and works by Charles Perrow (e.g., The Next Catastrophe) can see real-world examples and extrapolations.

My point in citing these works is not only that moving key decision-making from humans to computers is potentially dangerous, but that some of those same complexities and pitfalls are foreseeable—or even predictable. Why, therefore, isn't the scoping, containment, and safe use of computing THE dominant research problem for our field—and society, in general? Do we need a Skynet to emerge and a Butlerian Jihad to occur to get on that path? We're already flirting with self-destruction with our damage to the environment and some bio-engineering. Do we need to add cybernetic war to the mix to ensure our demise? (Hmm, tongue-in-cheek thought experiment: as the Russians are using social media to promote social division and turmoil, perhaps an extraterrestrial species is seeding our research to promote our self-destruction. While Elon Musk was showing off his porcine Neuralink, perhaps someone should have gotten a DNA sample from him to check his humanity?)

Fundamentally, we are building systems that are already too complex to make without flaws, and we continue to add layers and nodes. The people designing these systems may believe in a Star Trek future, but with human nature as it is, Blade Runner is more where we seem to be headed. The systems being fielded are unsecurable and safety hazards. Devoting so much attention to adding further complexity that we don't fully understand and whose results we can't explain is only making things worse; chaos emerges, entropy wins, eschatology comes to the fore.

If there is to be a list of major research challenges in CS published, let's have one that is representative of the breadth and richness of the field, and that includes problems that have profound impact on people rather than representing current hype.

> Research questions that could have a big social impact, organised by
> discipline
> Introduction
> People frequently ask us what high-impact research in different
> disciplines might look like. This might be because they're already working
> in a field and want to shift their research in a more impactful
> direction. Or maybe they're thinking of pursuing an academic research
> career and they aren't sure which discipline is right for them.
> In any case, below you will find a list of disciplines and a handful of
> research questions and project ideas for each one. They are meant to be
> illustrative, in order to help people who are working or considering
> working in these disciplines get a sense of what some attempts to approach
> them from a longtermist perspective might look like. They also represent
> projects that we think would be useful to pursue from a longtermist
> perspective.
> The lists are not meant to be exhaustive; nor are they meant to express a
> considered view on what we think the most valuable questions and projects
> in each area are. Our primary strategy in compiling these lists was to
> look through research agendas and collections others have put together
> (linked throughout as well as at the end). We generally included questions
> or projects that seemed both useful for informing decisions about how to
> improve the long-term future and like good examples of research in their
> respective disciplines. When choosing between a higher-value question or
> project and one that struck us as more illustrative, we often chose the
> latter.

Apple Accidentally Approved Malware to Run on MacOS (WiReD)

Gabe Goldberg <>
Tue, 1 Sep 2020 01:20:41 -0400

The ubiquitous Shlayer adware has picked up a new trick, slipping past Cupertino's notarization defenses for the first time.

Parents Face Tech Issues On First Day Of School In Wash DC and Maryland (DCist)

Gabe Goldberg <>
Mon, 31 Aug 2020 18:26:32 -0400

Hundreds of thousands of students in the District and Maryland powered on their laptops Monday for the start of a school year like no other.

The first day of virtual classes hit some snags. In Montgomery County, error messages flashed on computer screens when students tried logging on to their first classes of the school year. In Prince George's County, two children missed half of their morning classes when pages on their school-issued Chromebooks would not load. […]

Gabrielle Brown, a spokeswoman for Prince George's County Public Schools, said two of the county's more than 200 schools experienced problems because too many people were using the same web server.

Brown said the 133,000-student school system fixed the problem by moving the schools to different servers. She did not say which schools experienced the issues.

Scalability, what's that…

Man blows up part of house while chasing fly

Richard Stein <>
Mon, 7 Sep 2020 11:24:02 +0800

“The man, who is in his 80s, was about to tuck into his dinner when he became irritated by a fly buzzing around him. He picked up an electric racket designed to kill bugs and start swatting at it—but a gas canister was leaking in his Dordogne home.”

The non-electric flyswatter, perhaps less effective than the juiced-up model, does not possess ignition risk.

The surprising secret hidden in a pregnancy test

Richard Stein <>
Mon, 7 Sep 2020 11:11:08 +0800

“A teardown of a digital pregnancy test has created a buzz after revealing it contained a standard paper test, similar to those used by GPs. The experiment has raised questions about whether the extra cost of digital pregnancy tests is justified. Some say the electronics give women a clearer answer but others point to the e-waste created by digital test kits. The experiment also found the digital test contained a microprocessor more powerful than early home computers. But the electronics themselves did not play a role in the hormone detection.”

The website ( yields two peer-reviewed references on home-based pregnancy tests. Among them is “Comparison of analytical sensitivity and women's interpretation of home pregnancy tests” @ by Sarah Johnson, Michael Cushion, Sharon Bond, Sonya Godbert, Joanna Pike retrieved on 06SEP2020. I do not know if the publisher, “The Journal of Clinical Chemistry and Laboratory Medicine” requires reviewer conflict of interest disclosures.

Their conclusion: “Many home-based pregnancy tests commonly used by women are not as accurate as their packaging information claims. International test standards which define appropriate performance characteristics for home pregnancy tests are urgently required.”

Computers leave no margin for doubt when they render output. Whether the correct result is rendered is another matter. False negative/positive rates of detection are considerations. The cited reference suggests that “trust, but verify” is the best strategy.

There is also the matter of e-waste disposal and/or recycling. estimates 50 million metric tons world-wide annually by 2020.

It Has Come to This: Ignore the CDC (NYTimes OpEd)

Dave Farber <>
Tue, 1 Sep 2020 13:49:23 +0900
[I consider this to be non-political. Dave Farber]

Harold Varmus and Rajiv Shah, The New York Times, 31 Aug 2020

[Harold Varmus, a professor at Weill Cornell Medicine and a former director of the National Institutes of Health, was a co-chair of President Barack Obama's Council of Advisers on Science and Technology. Rajiv Shah is president of the Rockefeller Foundation.]

It Has Come to This: Ignore the CDC

The agency's new guidelines are wrong, so states have to step up on their own to suppress the coronavirus.

We were startled and dismayed last week to learn that the Centers for Disease Control and Prevention, in a perplexing series of statements, had altered its testing guidelines to reduce the testing of asymptomatic people for the coronavirus.

These changes by the CDC will undermine efforts to end the pandemic, slow the return to normal economic, educational and social activities, and increase the loss of lives.

Like other scientists and public health experts, we have argued that more asymptomatic people, not fewer, need to be tested to bring the pandemic under control. Now, in the face of a dysfunctional CDC, it's up to states, other institutions and individuals to act.

Understanding what needs to be done requires understanding the different purposes of testing. Much of the current testing is diagnostic. People should get tested if they have symptoms—respiratory distress, loss of smell, fever. There is no argument about this testing, and the altered CDC guidelines do not affect it.

But under its revised guidelines, the CDC seeks to dissuade people who are asymptomatic from being tested. Yet this group poses both the greatest threat to pandemic control and the greatest opportunity to bring the pandemic to an end. It is with this group that our country has failed most miserably.

Consider the logic. Without tests or a highly effective vaccine, the only certain way to prevent further spread of the virus would be to isolate everyone from everyone else. In theory, this would work, but it is untenable—if not impossible—because of the economic and social consequences of shutdowns.

Tests, however, can reduce the number of people who need to be isolated — and only for as long as they are shown to be infected. If those tests were to be performed frequently (even daily) and widely (even universally), it is almost certain that the pandemic would evaporate in just a few weeks.

That much diagnostic testing is not feasible, given the costs and logistics, as well as the likelihood that some would refuse to comply.

So it makes sense to modulate the strategy by testing those who are at greatest risk of infection, and those who are most likely to spread the virus if they become infected.

We can make well-informed predictions about those who should be given priority. Most obviously, testing is essential for those who are known to have been significantly exposed to an infected person, as determined by contact tracing. But testing is also important for those who have been or will soon be mixing with large groups in close quarters at work; entering the schools and colleges that are now reopening; and attending public events like concerts and sports matches.

The financial and other practical demands of widespread testing can be lowered by making rational decisions about the optimal times for performing the tests—a few days after being in contact with an infected person, for instance, or just before congregating with many others.

The logistics and costs can be further reduced by simplifying the tests — using saliva samples collected at home, rather than uncomfortable nasal swabs that require trained personnel at specific locations; or by using so-called antigen tests, a cheap and rapid method to look for viral proteins, rather than expensive laboratory machines to find viral RNA. Even if these tests are a bit less accurate, their lower cost, higher speed and more frequent use make up for it.

Some of these new methods have already been authorized for use by the Food and Drug Administration. And the Department of Health and Human Services has also committed to purchasing large quantities of antigen tests.

These are practical and essential actions that need to be taken now. In the absence of sensible guidance from the CDC, what can the country do to control the pandemic? We urge at least three actions.

State and local leaders should be emboldened to act independently of the federal government and do more testing. Some governors and local public health officials, from both parties, are already doing so and are ignoring the CDC's revisions. This position is legally sound, since the CDC is an advisory agency, not a regulatory one. Still, such discord undermines confidence in public health directives.

Insurance companies, city and state governments, and the Center for Medicare and Medicaid Services should recognize the economic and health benefits of testing prioritized, asymptomatic populations and provide reasonable reimbursement for these tests. A major impediment to more widespread testing has been the lack of coverage in the absence of symptoms or known contacts with infected individuals. The costs of testing are decreasing as new methods, like antigen testing, are introduced, and may be further reduced as the pooling of samples makes testing more efficient.

While more widespread testing for the virus is an essential factor in pandemic control, we need to make it part of a broad program that helps prevent transmission—mask-wearing, hand-washing, quarantining and use of personal protective equipment.

The CDC, the federal agency that should be crushing the pandemic, is promoting policies that prolong it. That means that local, state and organizational leaders will have to do what the federal government won't.

Intel Slips, and a High-Profile Supercomputer Is Delayed (NYTimes)

Richard Stein <>
Tue, 1 Sep 2020 21:13:29 +0800

The exascale computer: 1E9 GFLOP == 10^15 FLOPs, or 1 exaFLOP (1 EFLOP?), double-precision FLOPS @ 64-bit per IEEE-754-2008.

That Intel is tardy suggests a few foundry issues to address before they can cost-effectively stamp out the new “Ponte Vecchio” graphical processing units (GPUs) for integration. A challenge to achieve high yields for GPU chiplets stacked ~70 angstroms apart—the diameter of ~77 hydrogen atoms.

Aurora's paper specification can be found here: The box hosts a modest 10 petabytes of physical memory, a pool that will also serve as an excellent cosmic-ray target. Assuming 1 Tbytes of physical memory per node (10 * 1024 * 10^12 10Pbytes) yields 10240 compute+memory modules in the box.

The chip and module packaging sophistication for cooling, signal routing, power distribution, and message-passing network fabric constitutes a considerable challenge to engineer and to operate for sustained uptime. Power consumption will likely be significant, and probably require a dedicated utility source.

There's been a longstanding race among nations and technology companies to achieve and apply massively parallel processing (MPP) computation. The “winner” gets bragging rights, and temporarily sustains a technological edge that eventually translates into consumer marketplace sales. MPPs currently represent the only affordable means to “out compute” strategic competitors.

MPP software is notoriously challenging to write and debug, given explicit message-passing dependencies (using OpenMPI), deadlock potential, and data load balance issues to sort out. Logical concurrency representations of the computation, via Tony Hoare's communicating sequential processes model, are often applied in a single address space with multiple processes to show message-passing deadlock absence. It is far easier to detect and debug deadlock in a single virtual address space than to attempt it over a physically distributed memory structure. Once a logically concurrent process structure is deadlock free, map it into the physical MPP architecture (using 10K+ nodes) to accelerate computation against a large (multi-Pbyte) dataset. Then there's the I/O for results interpretation. Factor in a few cosmic ray node crashes along the way. Not for the faint of heart, especially for sequential thinkers.

The PRC may have succeeded in being first to achieve and demonstrate a sustained eFLOP, though confirmation remains specious. See

Amazon Drivers Are Hanging Smartphones in Trees to Get More Work

geoff goodfellow <>
Tue, 1 Sep 2020 11:03:30 -1000

Someone seems to have rigged Amazon's system to get orders first. Operation reflects ferocious rivalry for gigs in a bad economy. Phones hang in a tree outside a Whole Foods store in Evanston, Illinois, on 29 Aug 2020.

A strange phenomenon has emerged near Amazon.com Inc. delivery stations and Whole Foods stores in the Chicago suburbs: smartphones dangling from trees. Contract delivery drivers are putting them there to get a jump on rivals seeking orders, according to people familiar with the matter.

Someone places several devices in a tree located close to the station where deliveries originate. Drivers in on the plot then sync their own phones with the ones in the tree and wait nearby for an order pickup. The reason for the odd placement, according to experts and people with direct knowledge of Amazon's operations, is to take advantage of the handsets' proximity to the station, combined with software that constantly monitors Amazon's dispatch network, to get a split-second jump on competing drivers.

That drivers resort to such extreme methods is emblematic of the ferocious competition for work in a pandemic-ravaged U.S. economy suffering from double-digit unemployment. Much the way milliseconds can mean millions to hedge funds using robotraders, a smartphone perched in a tree can be the key to getting a $15 delivery route before someone else.

Drivers have been posting photos and videos on social-media chat rooms to try to figure out what technology is being used to receive orders faster than those lacking the advantage. Some have complained to Amazon that unscrupulous drivers have found a way to rig the company's delivery dispatch system. […]

Russians Again Targeting Americans With Disinformation, Facebook and Twitter Say

Monty Solomon <>
Tue, 1 Sep 2020 20:14:01 -0400

The companies said the FBI had warned them that a so-called troll farm in St. Petersburg set up a network of fake user accounts and a website.

FBI worried that Ring doorbells are spying on police

Richard Stein <>
Wed, 2 Sep 2020 08:38:29 +0800

“The 2017 incident describes how someone under investigation was able to 'covertly monitor law enforcement activity while law enforcement was on the premises' and alert his neighbour and landlord. It does not name the brand of video doorbell used.”

IoT doorbell devices that capture surveillance photos of “suspicious” individuals are acceptable? Enable the device settings for that option to prevent indiscriminate, pervasive surveillance.

Download the latest app that repairs the “allow cops to be photographed on duty” defect escape?

The Subtle Tricks Shopping Sites Use to Make You Spend More (WiReD)

Gabe Goldberg <>
Wed, 2 Sep 2020 00:47:22 -0400

Through deceptive designs known as “dark patterns,” online retailers try to nudge you toward purchases you wouldn't otherwise make.

A Saudi Prince's Attempt to Silence Critics on Twitter (WiReD)

Gabe Goldberg <>
Wed, 2 Sep 2020 01:01:09 -0400

An ongoing investigation reveals how Mohammed bin Salman's team allegedly infiltrated the platform—and got away with it.

California: Tell Your Senators That Ill-Conceived Immunity Passports Won't Help Us (EFF)

Gabe Goldberg <>
Wed, 2 Sep 2020 13:09:27 -0400

Electronic Frontier Foundation:

Californians should not be forced to present their smartphones to enter public places. But that's exactly what A.B. 2004 would do, by directing the state to set up a blockchain-based system for immunity passports: a verified health credential that shows the results of someone's last COVID-19 test, and uses those to grant access to public places.

By claiming that blockchain technology is part of a unique solution to the public health crisis we're in, AB 2004 is opportunism at its worst. We are proud to stand with Mozilla and the American Civil Liberties Union's California Center for Advocacy and Policy in opposing this bill. We encourage you to tell your senator to oppose it, too.

Online Voting Company Pushes to Make It Harder for Researchers to Find Security Flaws (Alfred Ng)

ACM TechNews <>
Fri, 4 Sep 2020 12:46:12 -0400 (EDT)

Alfred Ng, CNET, 3 Sep 2020, via ACM TechNews, Friday, September 4, 2020

The Voatz electronic-voting company argued in a brief filed with the U.S. Supreme Court that security researchers should only seek flaws in e-voting systems with companies' permission. Voatz said, “Allowing for unauthorized research taking the form of hacks/attacks on live systems would lead to uncertain and often faulty results and conclusions, [and] makes distinguishing between true researchers and malicious hackers difficult.” Voatz in February disputed Massachusetts Institute of Technology researchers' conclusions that its e-voting platform was rife with vulnerabilities, claiming their findings were “relatively useless” because the investigation was unauthorized. Researchers are pushing for the high court to consider such work shielded from the Computer Fraud and Abuse Act, which deems any intentional, unauthorized access to a computer a federal crime. They warned that malefactors will exploit the knowledge gap created if flaw detection and disclosure are allowed only with companies' explicit consent, rendering security research ineffective.

Russian election interference continues (NYTimes)

“Peter G. Neumann” <>
Wed, 2 Sep 2020 15:17:23 PDT

Politico reported (yesterday): Russians Again Targeting Americans With Disinformation, Facebook and Twitter Say

The companies said the F.B.I. had warned them that the Kremlin-backed Internet Research Agency set up a network of fake user accounts and a website.

“Vote early, vote often?”

Lauren Weinstein <>
Wed, 2 Sep 2020 13:40:22 -0700

Trump urges supporters to vote by mail AND in person, telling them to commit voter fraud

Happy National Poll Worker Recruitment Day

DrM Rebecca Mercuri <>
Tue, 1 Sep 2020 08:47:43 -0400

1 Sep [was] National Poll Worker Recruitment Day—a national awareness day established by the U.S. Election Assistance Commission to encourage people to help America vote by serving as poll workers. “By encouraging more people to become poll workers in their communities, National Poll Worker Recruitment Day aims to address the critical shortage of poll workers, strengthen democracy, inspire greater civic engagement and volunteerism, and help ensure free and fair elections in November 2020 and beyond.”

To sign up (do it soon) to get a PAID poll worker assignment in your local community, go to <>

Re: For Election Administrators, Death Threats Have Become Part of the Job (ProPublica, RISKS-32.24)

Thu, 03 Sep 2020 21:13:50 -0400

Election officials have been dealing with death threats for a very long time, probably (where democracy existed) for thousands of years.

Over a century ago, New York's Tammany Hall machine hired gang members to intimidate voters, political opponents and election officials. The laws they pushed through to “inadvertently” empower the gangs are still on the books today.

If millions of voters fear or form a distaste for dealing with “correct voting enforcement” at the polls, does that create a RISK of a candidate being elected with only a tiny percentage of the population actually voting?

Court Approves Warrantless Surveillance Rules While Scolding FBI

Monty Solomon <>
Sun, 6 Sep 2020 12:55:06 -0400

The release of a newly declassified ruling follows a separate decision by an appeals court that a defunct National Security Agency program was illegal.

Blanked-Out Spots On China's Maps Helped Us Uncover Xinjiang's Camps (Buzzfeed)

Dan Jacobson <>
Tue, 01 Sep 2020 01:14:43 +0800

“Our breakthrough came when we noticed that there was some sort of issue with satellite imagery tiles loading in the vicinity of one of the known camps while using the Chinese mapping platform Baidu Maps. The satellite imagery was old, but otherwise fine when zoomed out—but at a certain point, plain light gray tiles would appear over the camp location. They disappeared as you zoomed in further, while the satellite imagery was replaced by the standard gray reference tiles, which showed features such as building outlines and roads.”

How Four Brothers Allegedly Fleeced $19 Million From Amazon (WiReD)

Gabe Goldberg <>
Wed, 2 Sep 2020 20:55:23 -0400

The scheme involved 7,000 $94 toothbrushes, according to law enforcement.

According to the indictment, the brothers swapped ASINs for items Amazon ordered to send large quantities of different goods instead. In one instance, Amazon ordered 12 canisters of disinfectant spray costing $94.03. The defendants allegedly shipped 7,000 toothbrushes costing $94.03 each, using the code for the disinfectant spray, and later billed Amazon for over $650,000.

In another instance, Amazon ordered a single bottle of designer perfume for $289.78. In response, according to the indictment, the defendants sent 927 plastic beard trimmers costing $289.79 each, using the ASIN for the perfume. Prosecutors say the brothers frequently shipped and charged Amazon for more than 10,000 units of an item when it had requested fewer than 100. Once Amazon detected the fraud and shut down their accounts, the brothers allegedly tried to open new ones using fake names, different email addresses, and VPNs to obscure their identity. “Open account under dummy names and they can go look for no one,” Yoel allegedly wrote on WhatsApp in the fall of 2018.

Nobody matches what's received/billed against what's ordered?
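A three-way match (purchase order vs. catalogue vs. received/billed line) is the control the closing question asks about. The example below is added here and is not Amazon's code or any code from the article; the catalogue entries, ASIN-style identifiers and purchase orders are constructed from the quantities and prices quoted above, and the over-shipment tolerance knob is hypothetical.

```python
"""Purchase-order reconciliation: flag receipt/invoice lines whose item,
quantity or price disagree with the order they are booked against.

Added illustration of the ASIN-swap scheme described above; not Amazon's
code. All catalogue, order and receipt data below is constructed from the
figures quoted in the indictment summary; identifiers are placeholders.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Line:
    asin: str          # catalogue identifier the line is booked under
    description: str   # what the shipper says was actually sent
    qty: int
    unit_price: Decimal


# Constructed catalogue: what each identifier is supposed to be and its agreed price.
CATALOG = {
    "ASIN-SPRAY": ("disinfectant spray", Decimal("94.03")),
    "ASIN-PERFUME": ("designer perfume", Decimal("289.78")),
}

# Constructed purchase orders (what the buyer asked for).
ORDERS = {
    "PO-1": Line("ASIN-SPRAY", "disinfectant spray", 12, Decimal("94.03")),
    "PO-2": Line("ASIN-PERFUME", "designer perfume", 1, Decimal("289.78")),
}

# Constructed receipt/invoice lines (what arrived and was billed), keyed by PO.
RECEIPTS = {
    "PO-1": Line("ASIN-SPRAY", "toothbrush", 7000, Decimal("94.03")),
    "PO-2": Line("ASIN-PERFUME", "plastic beard trimmer", 927, Decimal("289.79")),
}


def billed_total(receipt):
    """Extended amount the receipt line bills for."""
    return receipt.qty * receipt.unit_price


def reconcile(po_id, order, receipt, catalog=CATALOG, over_ship_tolerance=0.0):
    """Three-way match of one PO line against its receipt and the catalogue.

    Returns a list of finding strings; an empty list means the line clears.
    over_ship_tolerance (hypothetical knob) is the fraction of over-delivery
    accepted; 0.0 means any quantity above the order is flagged.
    """
    findings = []
    # 1. The identifier on the receipt must be the one on the order.
    if receipt.asin != order.asin:
        findings.append(f"{po_id}: identifier {receipt.asin} != ordered {order.asin}")
    # 2. The delivered description must agree with the catalogue entry for that identifier.
    cat_desc, _cat_price = catalog.get(receipt.asin, (None, None))
    if cat_desc is not None and receipt.description.lower() != cat_desc:
        findings.append(
            f"{po_id}: item '{receipt.description}' is not catalogue '{cat_desc}' for {receipt.asin}")
    # 3. Quantity received/billed must not exceed quantity ordered (plus tolerance).
    if receipt.qty > order.qty * (1 + over_ship_tolerance):
        findings.append(f"{po_id}: quantity {receipt.qty} exceeds ordered {order.qty}")
    # 4. Unit price must match the order exactly; a one-cent near-match is still a mismatch.
    if receipt.unit_price != order.unit_price:
        findings.append(f"{po_id}: unit price {receipt.unit_price} != ordered {order.unit_price}")
    # 5. Extended total must not exceed the value of the order.
    billed = billed_total(receipt)
    expected = order.qty * order.unit_price
    if billed > expected:
        findings.append(f"{po_id}: billed {billed} exceeds ordered value {expected}")
    return findings


def run_all(orders=ORDERS, receipts=RECEIPTS):
    """Reconcile every order that has a matching receipt; returns {po_id: findings}."""
    return {po_id: reconcile(po_id, order, receipts[po_id])
            for po_id, order in orders.items() if po_id in receipts}


if __name__ == "__main__":
    for po_id, findings in run_all().items():
        print(po_id, "CLEAR" if not findings else "HOLD")
        for finding in findings:
            print("  -", finding)
```

Both constructed lines are put on hold: the toothbrush line is caught by the description and quantity checks even though its unit price matches the order exactly, and the trimmer line additionally trips the price check on the one-cent difference.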

A critical flaw is affecting thousands of WordPress sites (WiReD)

Gabe Goldberg <>
Thu, 3 Sep 2020 18:03:24 -0400

Hackers have been exploiting the vulnerability, which is now patched: Users should update to File Manager version 6.9 ASAP.

Is Your Chip Card Secure? Much Depends on Where You Bank (EPAM)

the keyboard of geoff goodfellow <>
Wed, 2 Sep 2020 12:32:25 -1000

Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But a recent series of malware attacks on U.S.-based merchants suggests thieves are exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep. […]

The Brain Implants That Could Change Humanity (NYTimes)

Richard Stein <>
Mon, 31 Aug 2020 14:50:31 +0800

Moises Velasquez-Manoff explores and discusses brain computer interface (BCI) technology, experiments, and ethics. The essay presents a thought-provoking tour de force of active BCI research largely sponsored by corporations to augment future revenue capture. The proverbial “Google cap” may one day substitute for the mouse and keyboard to facilitate brain read/write operations: brain wave transliteration into digital commands and emotive/intellectual idea stimulus without lifting a finger or batting an eyelid.

Medical justification for neural stimulator implant research is established for patients suffering from paralysis, Parkinson's or Alzheimer's Disease, and certain severe compulsive disorders (drug, alcohol) abuse that have limited or no effective pharmaceutical interventions. Significant risks are attributed to implanted medical devices especially neural stimulators (see for instance).

BCI capabilities become spooky and privacy-invasive when reading (interpolating/extrapolating) and/or writing (injecting/compositing) human brainwaves to facilitate consumer convenience. This sentiment is especially true given myopic corporate leadership that emphasizes casual consumer “user experience” over therapeutic use.

The essay also discusses potential national security implications of this technology, and foresees a BCI race among superpowers for strategic advantage.

BCI ethics are discussed:

“When I asked Facebook about concerns around the ethics of big tech entering the brain-computer interface space, Mr. Chevillet, of Facebook Reality Labs, highlighted the transparency of its brain-reading project. ‘This is why we've talked openly about our B.C.I. research—so it can be discussed throughout the neuroethics community as we collectively explore what responsible innovation looks like in this field,’ he said in an email.

“Ed Cutrell, a senior principal researcher at Microsoft, which also has a B.C.I. program, emphasized the importance of treating user data carefully. ‘There needs to be clear sense of where that information goes,’ he told me. ‘As we are sensing more and more about people, to what extent is that information I'm collecting about you yours?’”

“Some find all this talk of ethics and rights, if not irrelevant, then at least premature.”

“Medical scientists working to help paralyzed patients, for example, are already governed by HIPAA laws, which protect patient privacy. Any new medical technology has to go through the Food and Drug Administration approval process, which includes ethical considerations.”

HIPAA enforcement measures are ineffective: they neither sufficiently penalize nor deter hyper-sensitive data-trove breaches. See for a summary of enforcement actions through December 2019.

BCI technology constitutes interdisciplinary work: creative and thrilling, a cutting-edge chance-of-a-lifetime to “make a difference.”

Despite professional membership and allegiance to ethical codes of conduct, scientists and engineers routinely participate in projects with little concern about product or result end-use. Most appear content to accept the idea that end-use decisions are “above my pay scale.”

Regular readers of this forum know that to maintain a secret, don't write it down and save it on a computer, especially a cloud-connected one. BCI capabilities bypass manually engaged interfaces: secrets can be recorded surreptitiously, or ideas imbued without veto. Human wetware read/write occurs with false-negative/positive outcome probability of success or failure.

Widespread introduction of BCIs into the consumer marketplace (entertainment, education, transportation, etc.) WITHOUT regulatory safeguards and strict enforcement of privacy and data protection standards would represent a perfidious act against privacy rights. A BCI license, a safeguard to own/operate, should become mandatory and required via qualifying exam or certification of purpose regardless of read-only or read/write-enabled product capability. A warning label, in big RED text, might also state: “Product use may induce severe physical and emotional harm including, but not limited to: trauma, anxiety, convulsion, compulsiveness, paralysis, orgasm, constipation, incontinence, day dream, nightmare, hunger, thirst,…”

Searching comp.risks for {fMRI, brain wave ai} yields some earlier submissions that touch on BCI:

  1. (1993)
  2. (1996)

Neuralink: Elon Musk unveils pig he claims has computer implant in brain (The Guardian)

geoff goodfellow <>
Sat, 29 Aug 2020 13:53:07 -1000

Billionaire entrepreneur presented animal during a live-stream event to recruit workers for his neuroscience startup

The tech entrepreneur Elon Musk on Friday showed off a pig whose brain he says has been implanted with a small computer.

“We have a healthy and happy pig, initially shy but obviously high energy and, you know, kind of loving life, and she's had the implant for two months,” Musk said of Gertrude, the pig.

The billionaire entrepreneur, whose other companies include Tesla and SpaceX, presented during a live-stream event to recruit employees for his neuroscience startup Neuralink. He described Gertrude's coin-sized implant as “a Fitbit in your skull with tiny wires.”

Musk co-founded Neuralink in 2016 with the goal of creating a wireless brain-machine interface, something scientists hope can help cure neurological conditions and allow people with paralysis to control a computer mouse. […]

New parking technology aims to manage curb space virtually (WashPost)

Gabe Goldberg <>
Sun, 30 Aug 2020 16:36:43 -0400

Washington DC is the first U.S. city to test a system that sends real-time information about curbside parking availability to delivery drivers—a move its developer hopes will make food deliveries more efficient and reduce driver stress.

In addition to telling drivers whether space is available, the system also sends information about the size of available spots so drivers can tell whether their vehicles will fit.

What could go wrong with this? This time it's a real question—thinking of “No good deed goes unpunished” and the Law of Unintended Consequences. I guess we'll find out.

The Pod People Campaign: Driving User Traffic via Social Networks (Courtney Falk)

Gene Spafford <>
Sat, 29 Aug 2020 20:48:16 -0400

This report may be of interest to some. It is by a former student, and provides details of a puzzling threat campaign.

> Date: August 28, 2020 at 21:50:32 EDT
> From: Courtney Falk <>
> Subject: The Pod People Campaign: Driving User Traffic via Social Networks

Today I'm releasing a report that documents independent research I've done over the last two months. I've identified infrastructure used by threat actors across a variety of social networks. The actors insert links into legitimate user profiles with the hope of redirecting users to spam websites. Over 70 different social networks appear to be affected to differing degrees.

I'm releasing the report and indicators on GitHub. Hopefully this improves the health and safety of social networks and the Internet at large. Please feel free to share and distribute as you see fit.

Courtney Falk

Re: Humans Take a Step Closer to Flying Car

geoff goodfellow <>
Sun, 30 Aug 2020 08:41:19 -1000

In the 1880s, the first automobile was developed and about two decades later, the Wright brothers in North Carolina invented the first successful airplane. Today, the world is closer to combining those two concepts as a Japanese tech company said it completed a manned test flight of a flying car.

The company, SkyDrive, said in a news release on Friday that it had completed a flight test using the world's first manned testing machine, its SD-03 model, an electric vertical takeoff and landing (eVTOL) vehicle. The flight time was four minutes, the company said.

The aircraft has one seat and operates with eight motors and two propellers on each corner. It lifted about 3 meters (or about 10 feet) into the air and was operated by a pilot, the company said.

Tomohiro Fukuzawa, SkyDrive's chief executive, said on Saturday that five years ago there were various prototypes of flying cars, usually with fixed wings. SkyDrive's product, he said, was one of the most compact in size and was lighter compared with other designs. […]

Re: Driverless cars are coming soon followup (Bacon, RISKS-32.24)

Martin Ward <>
Tue, 1 Sep 2020 15:41:00 +0100

Much more common than applying the handbrake while moving at a substantial speed (in my personal driving style at least) is the use of engine braking: reducing speed by changing down to a lower gear. I regularly do this when approaching junctions and traffic lights to avoid wear on the brake pads. When changing down, however, I also touch the brake pedal to cause the brake lights to illuminate and indicate to any drivers behind me that I am reducing speed.

Re: Tesla with Autopilot hits cop car; driver admits he was watching a movie (RISKS-32.24)

Barry Gold <>
Mon, 31 Aug 2020 08:16:47 -0700

From the Ars Technica article: Tesla could learn from Cadillac, whose Super Cruise technology includes an eye-tracking camera that verifies that the driver is looking at the road. An eye-tracking system like this would likely prevent incidents like Wednesday's crash in North Carolina. If the driver had tried to watch a movie while Autopilot was engaged, the system would have detected that he was not watching the road, warned the driver, and eventually deactivated itself.

I wonder how well that works if the driver is wearing sunglasses.

Re: Date and time synchronization (RISKS-32.24)

“David E. Ross” <>
Sat, 29 Aug 2020 20:19:31 -0700

John Harper asked three questions.

All three were answered in a very large (for that era) software system developed some 50+ years ago for the U.S. Air Force for operating space satellites. That software system remained in use more than 10 years beyond its expected life time, into the 1990s. Internally, date and time were represented as elapsed TAI (atomic) minutes—a single floating-point value combining date and time—from a base date, which was database settable.

In the TAI time scale, there are no leap-seconds. Neither daylight savings time nor time zones exist. For display purposes, the date-time minutes value was converted to UTC, again without daylight savings time or time zones. The reverse conversion was also implemented for accepting user input of date and time.

Leap-seconds are announced about 30 days in advance. We would enter the date of a pending leap-second into the system's database before it actually occurred so that the TAI>UTC and UTC>TAI conversions would remain correct.

(Preferably, leap-seconds occur at the end of the day on either 30 June or 31 December. The standard also allows for leap-seconds at the end of the day on 31 March or 30 September, but I do not think those two options have ever been used. The standard limits the occurrence of leap-seconds to those four instances.)

No one at IBM understood any of this. That was unfortunate because IBM had the contract to replace that software system in the 1990s.

Re: Date and time synchronization (RISKS-32.24)

Terje Mathisen <>
Sun, 30 Aug 2020 15:45:50 +0200

The 0200—0300 change is pretty much standard everywhere that uses daylight savings adjustments.

I have been a member of the NTP Hackers (Network Time Protocol) team for the last 25 years, so I have probably spent more time pondering these issues than most comp.risks regulars. :-)

First, all computers should of course maintain internal time in UTC, or even better, in TAI.

That is, daylight savings and/or time zones are irrelevant to time stamps.

However, if you do have to take time stamps in local time, then you also need to record the current time zone, which includes (at least indirectly) the current number of leap seconds which is a proxy for the TAI-UTC offset. So effectively you need to convert back to either UTC or TAI at the point of measurement.

Systems that do this wrong, like the default for Windows, seem to magically change all time stamps for file modification when you change time zones and/or enter/leave a daylight savings period.

All of these issues occur after the original post about taking a glitch-free sample of a multi-element counter.
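The two date-and-time replies above describe the same design: keep the internal clock on a leap-second-free scale (TAI) counted from a settable base date, convert to UTC only for display and input, and never accept a local wall-clock stamp without the offset that was in force when it was taken. The Python below is an added example of that design; it is not code from either post, from the Air Force system, or from the NTP project. The leap-second table is constructed from the public IERS Bulletin C record and is complete through 2020 (TAI-UTC has been 37 s since 2017-01-01); the function names and the sample timestamps are mine.

```python
"""Added example: TAI-based internal time with UTC conversion at the edges.

Not code from the RISKS posts it illustrates.  LEAP_TABLE is built from the
public IERS Bulletin C history (complete through 2020); everything else here
is an illustrative design choice, not a description of any real system.
"""
from datetime import datetime, timedelta, timezone

# (first UTC day on which the offset applies, TAI-UTC in seconds from then on).
# Adding a row before an announced leap second occurs is the equivalent of the
# "enter the pending leap-second into the database" step described above.
LEAP_TABLE = [
    ("1972-01-01", 10), ("1972-07-01", 11), ("1973-01-01", 12), ("1974-01-01", 13),
    ("1975-01-01", 14), ("1976-01-01", 15), ("1977-01-01", 16), ("1978-01-01", 17),
    ("1979-01-01", 18), ("1980-01-01", 19), ("1981-07-01", 20), ("1982-07-01", 21),
    ("1983-07-01", 22), ("1985-07-01", 23), ("1988-01-01", 24), ("1990-01-01", 25),
    ("1991-01-01", 26), ("1992-07-01", 27), ("1993-07-01", 28), ("1994-07-01", 29),
    ("1996-01-01", 30), ("1997-07-01", 31), ("1999-01-01", 32), ("2006-01-01", 33),
    ("2009-01-01", 34), ("2012-07-01", 35), ("2015-07-01", 36), ("2017-01-01", 37),
]

BASE_UTC = datetime(1972, 1, 1, tzinfo=timezone.utc)  # the "database settable" base date
BASE_OFFSET = LEAP_TABLE[0][1]                          # TAI-UTC in force at the base date


def _day(iso_date):
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def _days_seconds(dt_utc):
    """Seconds since the base date counting every UTC day as 86400 s (Unix-style)."""
    return int((dt_utc - BASE_UTC).total_seconds())


def tai_utc_offset(dt_utc):
    """TAI-UTC in force at a UTC instant (LEAP_TABLE is in date order)."""
    offset = BASE_OFFSET
    for day, value in LEAP_TABLE:
        if dt_utc >= _day(day):
            offset = value
    return offset


# Internal TAI count at which each table entry's offset starts to apply.
_BOUNDARIES = [(_days_seconds(_day(day)) + value - BASE_OFFSET, value)
               for day, value in LEAP_TABLE]


def _aware_to_tai(dt):
    """Any offset-aware datetime -> elapsed TAI seconds since the base date."""
    dt_utc = dt.astimezone(timezone.utc)
    return _days_seconds(dt_utc) + tai_utc_offset(dt_utc) - BASE_OFFSET


def utc_iso_to_tai(iso):
    """Input conversion.  A trailing Z means UTC; a bare stamp is rejected outright."""
    dt = datetime.fromisoformat(iso.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("bare wall-clock stamp: record the offset at the point of capture")
    return _aware_to_tai(dt)


def local_to_tai(wall_clock_iso, utc_offset_hours):
    """A local stamp is only unambiguous together with the offset that was in force."""
    dt = datetime.fromisoformat(wall_clock_iso)
    if dt.tzinfo is not None:
        raise ValueError("expected a bare wall-clock stamp plus its offset")
    return _aware_to_tai(dt.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours))))


def tai_to_utc_iso(tai):
    """Display conversion, labelling an inserted leap second as 23:59:60."""
    offset = BASE_OFFSET
    for boundary, value in _BOUNDARIES:
        if tai >= boundary:
            offset = value
    dt = BASE_UTC + timedelta(seconds=tai - (offset - BASE_OFFSET))
    if any(tai == boundary - 1 for boundary, _ in _BOUNDARIES[1:]):
        # The second just before a boundary is the inserted one: day D-1, 23:59:60.
        return (dt - timedelta(seconds=1)).strftime("%Y-%m-%dT%H:%M:") + "60Z"
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def elapsed_seconds(start_iso, end_iso):
    """True elapsed time over an interval, leap seconds included."""
    return utc_iso_to_tai(end_iso) - utc_iso_to_tai(start_iso)


def wall_clock_ambiguity_seconds(wall_clock_iso, offset_before, offset_after):
    """Distance between the two instants that share one wall-clock reading when a
    zone switches from offset_before to offset_after (e.g. CEST +2 -> CET +1)."""
    return local_to_tai(wall_clock_iso, offset_after) - local_to_tai(wall_clock_iso, offset_before)


if __name__ == "__main__":
    # 2020-10-25 02:30 occurred twice in Central Europe (summer time ended at 03:00 CEST).
    print(wall_clock_ambiguity_seconds("2020-10-25T02:30:00", 2, 1))        # 3600
    print(elapsed_seconds("2016-12-31T23:59:59Z", "2017-01-01T00:00:00Z"))  # 2
    print(tai_to_utc_iso(utc_iso_to_tai("2016-12-31T23:59:59Z") + 1))       # 2016-12-31T23:59:60Z
```

The two checks at the bottom are the failure modes the posts describe. A subtraction of UTC datetimes across the end of 2016 reports 1 s where 2 s actually elapsed; on the TAI scale the count is right, and the display conversion still labels the inserted second correctly. The 02:30 stamp from the 2020 autumn clock change is ambiguous by exactly an hour until its offset is recorded, which is why a system that stores naive local times and later reinterprets them under a different zone appears to shift every file modification time.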

Re: Dicekeys, an additional risk (Lederman, RISKS-32.24)

“Craig S. Cottingham” <>
Sun, 30 Aug 2020 10:41:56 -0500

There seems to be quite a bit of misinformation in play with regards to how Dicekeys work and are intended to be used. I'm not sure if that misunderstanding is on the part of previous correspondents or mine, so I welcome corrections if I'm not describing Dicekeys correctly below.

1. The dice are intended to be randomized only once, after which they are placed in a box which is sealed shut and only ever read in the future. I don't know that the box is tamper-proof, but I suspect it is designed to be at least tamper-evident.

2. The software which turns the state of the randomized dice into a cryptographic secret is open source. While it can use an image of the dice in the box to generate the secret, it's not required. You can supply the position, orientation, and exposed faces of the dice manually.

3. One of the advisors to the team is Bruce Schneier, who should need no introduction to RISKS readers. I assume that he was involved in designing Dicekeys, or at least that by being associated with Dicekeys he is indicating his confidence in its security. I do not feel qualified to vet the security of Dicekeys myself, but I am comfortable that he is.

Re: Dicekeys, an additional risk (Lederman, RISKS-32.24)

Bob Wilson <>
Sun, 30 Aug 2020 21:27:26 -0500

For non-techies, physical randomization may seem more secure than computer-generated. But if the dice are not extremely well made, they'll be a bit less random than theory suggests.

No matter how well made the dice are, as they are used they will collide with each other and slowly (or quickly, depending upon the material) become more and more deformed. This means they will become less random, and each set of dice will become less random in a different way.

It is not so easy as that. “Random” is a very tricky word or concept. (See how much space the Bible according to Don Knuth devotes to it!) Unless you can say what it means and use that to decide about what actually makes the dicekeys result random, you can't be sure the wear might not make the results MORE random, whatever that might mean! The world seems to have gotten away from software verification these days, but verbal claims need similar calibration.

Re: Greenland glacier melt (RISKS-32.24)

Amos Shapir <>
Mon, 31 Aug 2020 01:06:13 +0300

(Following is my opinion as a qualified forecaster and former meteorologist.)

> And recently, the Jakobshavn Glacier has been found to be growing again.

Read articles, not headlines. This article notes “This photo of a dog sled team going through some meltwater on ice in Greenland has made headlines, but it's just a snapshot of one place”, and then brings up details of a glacier which is recently expanding.

But the Jakobshavn glacier is also just one place, which is evident from what the article itself lists as the main reason for its expansion: unusually cold water off Greenland's west coast. Cold water which is the result of all other glaciers in Greenland melting away (which the article does not mention).

It is also true that the melting ice in Greenland is not very significant globally, as it contributes to ocean rising of less than 1mm per year; but keep in mind that Greenland is not the problem, only its symptom.

Re: Greenland glacier melt (Newbury, RISKS-32.24)

David Damerell <>
Tue, 01 Sep 2020 13:44:50 +0100

[Eschenbach, 3 Aug 2019?]

Willis Eschenbach wrote much the same article in 2010 (for the same site, which is not remotely reliable). Why, we ask, do we look at the average from 1981 to 2010 - especially in the 2019 version?

Because it neatly elides the increase. In 2009, the figure was 286 billion tonnes, over twice the 2002 figure (itself more than this average). Depending on whether the increase is linear or not, the blithe conclusion that it'll last forever is distinctly dubious.

The rest of the submission is the usual dodges where we find one particular glacier that's growing and conclude there's no overall problem.

The risks of using a site whose operator is dependent on conspiracy theories for his income should be obvious.

Re: Grading by algorithm results in UK debacle

John Murrell <>
Mon, 31 Aug 2020 11:50:39 +0100

While the downgrading of students' O-Levels got all the publicity, there were also significant upgrades.

In the Italian exam in one exam centre, there were two different cohorts of students. One included those who had English as a first language and who were learning Italian as a 2nd or 3rd foreign language. The teacher and local moderation graded these mostly as grade 4 or 5 passes.

However, due to local demographics, a lot of students who speak Italian as their first language but are living in the part of England covered by the exam centre also sit the Italian exams to get another GCSE of hopefully high grade. As Italian is their first language, they find the exam quite easy and in normal years get what are now grades 8 & 9.

As a result of this, the algorithm decided that the cohort of English as a first language students had been under-graded and raised their grades by around 4 or 5 to meet the results of the Italian students at the centre.

As the higher of the algorithm or teacher awarded grades stands, there are now a group of students who are apparently brilliant at Italian but in reality are weak as they did not even complete all the syllabus.
