The RISKS Digest
Volume 32 Issue 26

Sunday, 13th September 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Insecure satellite Internet is threatening ship and plane safety
Ars Technica
The Hubble Space Telescope Still Works Great, Except When It Doesn't
npr.org
SpaceX's Dark Satellites Are Still Too Bright for Astronomers
Scientific American
Man vs. machine: Pentagon plans 2024 dogfight between human pilot, artificial intelligence
WashTimes
Weakened Encryption: The Threat to America's National Security
Third Way
Why Do Voting Machines Break on Election Day?
The Markup
Why human brains are bad at assessing the risks of pandemics
WashPost
First Pandemic, Now Ransomware: Attack Forces Hartford to Postpone School
NYTimes
Website Crashes and Cyberattacks Welcome Students Back to School
NYTimes
44 Square Feet: A School-Reopening Detective Story
WiReD
Creepy Geofence Finds Anyone Who Went Near a Crime Scene
WiReD
Apple postpones iOS 14 privacy update following Facebook uproar
Business Insider
How Big Oil Misled The Public Into Believing Plastic Would Be Recycled
npr.org
New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption
The Hacker News
Ericsson spotlights open RAN security risks
MobileWorldLive
Re: Intel Slips, and a High-Profile Supercomputer Is Delayed
Phil Martel
Re: Humans Take a Step Closer to Flying Car
Amos Shapir
Re: Leap-seconds
John Stockton
Re: Happy National Poll Worker Recruitment Day
Richard A. DeMattia
Info on RISKS (comp.risks)

Insecure satellite Internet is threatening ship and plane safety (Ars Technica)

geoff goodfellow <geoff@iconia.com>
Tue, 8 Sep 2020 15:33:22 -1000

Attacks that worked 10 years ago have only gotten worse despite growing use.

More than a decade has passed since researchers demonstrated serious privacy <https://www.theregister.com/2009/02/17/satellite_tv_hacking/> and security holes <https://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/BlackHat-DC-2010-Nve-Playing-with-SAT-1.2-slides.pdf> in satellite-based Internet services. The weaknesses allowed attackers to snoop on and sometimes tamper with data received by millions of users thousands of miles away. You might expect that in 2020—as satellite Internet has grown more popular—providers would have fixed those shortcomings, but you'd be wrong.

In a briefing <https://www.blackhat.com/us-20/briefings/schedule/index.html#whispers-among-the-stars-a-practical-look-at-perpetrating-and-preventing-satellite-eavesdropping-attacks-19391> delivered on Wednesday at the Black Hat security conference online, researcher and Oxford PhD candidate James Pavur presented findings that show that satellite-based Internet is putting millions of people at risk, despite providers adopting new technologies that are supposed to be more advanced.

Over the course of several years, he has used his vantage point in mainland Europe to intercept the signals of 18 satellites beaming Internet data to people, ships, and planes in a 100 million-square-kilometer swath that stretches from the United States, Caribbean, China, and India. What he found is concerning. A small sampling of the things he observed include:

Hacking satellite communications at scale. […] https://arstechnica.com/information-technology/2020/08/insecure-satellite-internet-is-threatening-ship-and-plane-safety/


The Hubble Space Telescope Still Works Great, Except When It Doesn't (npr.org)

Richard Stein <rmstein@ieee.org>
Tue, 8 Sep 2020 11:07:11 +0800

https://www.npr.org/2020/09/07/909199421/the-hubble-space-telescope-still-works-great-except-when-it-doesnt

“This is an aging telescope, after all. Back in 2018, when a gyroscope on Hubble failed, researchers activated one of its on-board spares—the so-called gyroscope 3. It's been glitchy from the get-go.”

A flaky gyroscope causes the Hubble's aim to wander—non-deterministic axial guidance disables reliable observation. Astronomers are forced to roll dice.

The Ace Satellite Repair Company closed in MAY2009. Doubtful a robotic repair attempt would be funded. Unknown if there are available standby gyroscopes on-board to replace the bad actor. Hubble's cupboard may be “empty down to the cat” on that resource.


SpaceX's Dark Satellites Are Still Too Bright for Astronomers (Scientific American)

Richard Stein <rmstein@ieee.org>
Fri, 11 Sep 2020 10:16:36 +0800

https://www.scientificamerican.com/article/spacexs-dark-satellites-are-still-too-bright-for-astronomers/

“These results show that DarkSat is essentially a dead end, says Jonathan McDowell, a researcher at the Center for Astrophysics at Harvard University and the Smithsonian Institution, who has run computer simulations of megaconstellation effects on astronomical observations. Nevertheless, he says, the investigation by Tregloan-Reed's team is an important step. ‘This study is notable as one of the first significant observational studies of a Starlink satellite, something that the community is now organizing to do on a much bigger scale,’ McDowell adds. He cautions that if the satellites continue to be launched without a fix, ‘the impact would be huge.’”

Prior comp.risks submissions on Starlink and satellite megaconstellations impact on astronomical observations:

  1. https://catless.ncl.ac.uk/Risks/31/28#subj1.1
  2. https://catless.ncl.ac.uk/Risks/31/51#subj4.1
  3. https://catless.ncl.ac.uk/Risks/31/57#subj18.1

Man vs. machine: Pentagon plans 2024 dogfight between human pilot, artificial intelligence (WashTimes)

geoff goodfellow <geoff@iconia.com>
Thu, 10 Sep 2020 16:03:14 -1000

AI programs have bested human pilots so far in flight simulations

The Pentagon is planning a 2024 showdown between an F-16 piloted by a human and one controlled by artificial intelligence, a man versus machine matchup that military officials believe could represent a key turning point in technological development.

Defense Secretary Mark Esper announced the 2024 contest during a speech on AI development Wednesday at the Pentagon. The Defense Advanced Research Projects Agency, or DARPA, already has held numerous combat simulations between human pilots and machines.

In the most recent round, officials said the AI-controlled system easily defeated the human. […] https://www.washingtontimes.com/news/2020/sep/10/pentagon-2024-fight-pilot-artificial-intelligence/


Weakened Encryption: The Threat to America's National Security (Third Way)

“Peter G. Neumann” <neumann@csl.sri.com>
Thu, 10 Sep 2020 10:03:55 PDT

https://www.thirdway.org/report/weakened-encryption-the-threat-to-americas-national-security


Why Do Voting Machines Break on Election Day? (The Markup)

“Fleming, Cody [M E]” <flemingc@iastate.edu>
Fri, 11 Sep 2020 16:57:13 +0000

https://themarkup.org/ask-the-markup/2020/09/10/broken-voting-machines-election-day

I guess one problem is figuring out how just many risks there are now with respect to elections. Too many to count?


Why human brains are bad at assessing the risks of pandemics (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 13 Sep 2020 00:18:31 -0400

https://www.washingtonpost.com/lifestyle/magazine/why-human-brains-are-bad-at-assessing-the-risks-of-pandemics/2020/09/03/7395321c-dd9d-11ea-b205-ff838e15a9a6_story.html

Cause or effect, beliefs are tribal.


First Pandemic, Now Ransomware: Attack Forces Hartford to Postpone School (NYTimes)

Jan Wolitzky <jan.wolitzky@gmail.com>
Tue, 8 Sep 2020 17:48:50 -0400

https://www.nytimes.com/2020/09/08/nyregion/hartford-schools-ransomware.html


Website Crashes and Cyberattacks Welcome Students Back to School (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 8 Sep 2020 20:29:24 -0400

With many districts across the country opting for online learning, a range of technical issues marred the first day of classes.

https://www.nytimes.com/2020/09/08/us/school-districts-cyberattacks-glitches.html


44 Square Feet: A School-Reopening Detective Story (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Sep 2020 22:30:07 -0400

Author writes:

Schools—but not public health officials—across the US are making it a rule: Every student needs to have 44 sq. ft. of space. I tried to find out why. […] Two days later I was on the phone with Mary Filardo, executive director of the NCSF, a nonprofit that supports K-12 school facilities officials in more than 25 states. I walked her through the mystery at hand — the school plan, the consultant, the Education Week guide, and, finally, the diagram credit pointing back to her. My knee was bouncing, fingers at the ready at my keyboard for transcription. At last, the enigma would be no more. But before I could even finish asking the question, she interrupted in a tone that was equal parts alarm, annoyance, and puzzlement. “That's way off!” she cried. “No wonder you're confused.”

After we hung up, I placed what seemed to be the final pin on my crazy wall <https://www.google.com/search?q="crazy wall"&sxsrf=ALeKk03MaqGoIw-zgkFZ5LmZg0KNujChTA:1597692369425&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjb947x-6LrAhWNc98KHVm5BkEQ_AUoAXoECA4QAw&biw=1382&bih=766>: My school district had gotten the all-important number 44 from a consultant who'd found it in an /Education Week/ article that had somehow bungled the advice from an educational nonprofit. But there was still another layer below. It wasn't clear, from talking to Filardo, how the NCSF came up with 44 square feet as the lower-bound approximation. The depth of my rabbit hole was approaching the Earth's mantle. I could feel the heat of magma burbling just beyond.

https://www.wired.com/story/44-square-feet-a-school-reopening-detective-story/

…thus transmuting questionable assumptions and math into nonsense.


Creepy Geofence Finds Anyone Who Went Near a Crime Scene (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 8 Sep 2020 00:37:43 -0400

Police increasingly ask Google and other tech firms for data about who was where, when. Two judges ruled the investigative tool invalid in a Chicago case.

https://www.wired.com/story/creepy-geofence-finds-anyone-near-crime-scene/


Apple postpones iOS 14 privacy update following Facebook uproar (Business Insider)

Gabe Goldberg <gabe@gabegold.com>
Wed, 9 Sep 2020 13:52:28 -0400

Apple is giving developers some breathing space to get ready for an update to iOS 14 that will let users opt out of being tracked for advertising purposes.

The update was supposed to be released as part of iOS 14, which is expected to roll out this month. In a statement on Thursday, however, Apple said it was delaying this particular part of the update until 2021.

“We want to give developers the time they need to make the necessary changes, and as a result, the requirement to use this tracking permission will go into effect early next year,” Apple said in blog post on Thursday.

When Apple announced the privacy update, it drew the rancor of developers who said it could wreak havoc on their ad-revenue streams. Facebook said the update could slash revenues from its Audience Network by up to 50%. The company added that the change might even lead it to stop developing its Audience Network for iOS altogether.

https://www.businessinsider.com/apple-ios-14-update-postponed-14-2020-9

What a shame that wouldn't be—hurting Facebook revenue in the interest of privacy.


How Big Oil Misled The Public Into Believing Plastic Would Be Recycled (npr.org)

Richard Stein <rmstein@ieee.org>
Sat, 12 Sep 2020 10:49:40 +0800

[Not computer-related; an environmental life cycle issue impacting Earth's ecosystem.]

https://www.npr.org/2020/09/11/897692090/how-big-oil-misled-the-public-into-believing-plastic-would-be-recycled

“We found that the industry sold the public on an idea it knew wouldn't work — that the majority of plastic could be, and would be, recycled—all while making billions of dollars selling the world new plastic.”

Epidemic plastic pollution threatens the environment, food chain and public health. A serious global problem in search of an urgent, effective solution.

How to proactively mitigate pervasive plastic pollution? Let nature take its course? Earthworms or bacteria partially digest certain plastics. Does this effluent enhance the environment and diminish the pollution risk?

Would a master settlement agreement compel industry to act on a clean up? Recall the Tobacco MSA https://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agreement to compensate US States for medical expenses. An agreement of this scope would likely motivate a industrial regulatory arbitrage exercise—shift operations to a lower-cost jurisdiction, and export products.

https://en.wikipedia.org/wiki/Plastic_pollution#Effects_on_humans identifies plastic pollution impact on human thyroid and reproductive hormones from BPA (bisphenol A).

See https://catless.ncl.ac.uk/Risks/31/08#subj22 by Goodfellow.

Risk: Groupthink. Carbon-extraction industrial interests conspire to misinform regulatory oversight and political leadership about product risk. Again.


New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Thu, 10 Sep 2020 15:57:43 -1000

A group of researchers has detailed a new timing vulnerability in Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions.

Dubbed “Raccoon Attack <https://raccoon-attack.com/>,” the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communications between two parties.

“The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret,” the researchers explained their findings in a paper. “If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem.”

However, the academics stated that the vulnerability is hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable.

A Timing Attack to Leak Secret Keys […]

https://thehackernews.com/2020/09/raccoon-ssl-tls-encryption.html


Ericsson spotlights open RAN security risks (MobileWorldLive)

geoff goodfellow <geoff@iconia.com>
Fri, 11 Sep 2020 08:21:22 -1000

Ericsson dampened open RAN enthusiasm, arguing more work needs to be done to address key security risks associated with the technology.

In a blog, head of security for network product solutions Jason Boswell highlighted several areas of vulnerability, including new and expanded risks from the use of fresh interfaces and third-party network applications.

Added security measures are also needed to address new threats presented by the decoupling of hardware and software functions, and vendors should carefully scrutinise open source code they plan to use, he said.

Boswell stressed “security cannot be an afterthought,” advocating the importance of a risk-based approach. […] https://www.mobileworldlive.com/featured-content/top-three/ericsson-spotlights-open-ran-security-risks


Re: Intel Slips, and a High-Profile Supercomputer Is Delayed (Stein, RISKS-32.25)

Phil Martel <pomartel@comcast.net>
Mon, 7 Sep 2020 22:15:06 -0400
> The exascale computer: 1E9 GFLOP == 10^15 FLOPs, or 1 exaFLOP (1 EFLOP?),
> double-precision FLOPS @ 64-bit per IEEE-754-2008.

Of course, 1E9 GFLOP = 1E18 FLOP

[Also noted by Eric Sosman, who seems to be about three orders of magnitude off. FLOP inflation, maybe? Or G deflation? Or exa-sensory deception? ES]

Re: Humans Take a Step Closer to Flying Car (RISKS-32.25)

Amos Shapir <amos083@gmail.com>
Fri, 11 Sep 2020 13:23:47 +0300

Flying cars have appeared in almost all future technology predictions since the early 20th century; yet despite many other predictions since then having materialized, flying cars never actually took off (excuse the pun).

The reason for that becomes evident when one considers what could an actual flying car be used for: the only benefit is not having to switch vehicles when reaching an airport—and even that is greatly diminished by some flying car models which require configuration changes at the airport, or VTOL models which do not require driving to an airport anyway.

OTOH, a flying car would always have to lug around a lot of unused hardware, whether traveling on a road or flying; it could never become as efficient as a single-purpose car nor as an airplane.


Re: Leap-seconds (Ross, RISKS-32.25)

John Stockton <dr.j.r.stockton@gmail.com>
Tue, 8 Sep 2020 14:10:43 +0100
> “Leap-seconds are announced about 30 days in advance.”

My observations indicate that the announcement is normally over 5.5 months in advance, not 30 days. For example, see the current issue of Bulletin C at https://hpiers.obspm.fr/eoppc/bul/bulc/bulletinc.dat.

Terje Mathisen, following, wrote “The 0200—0300 change is pretty much standard everywhere that uses daylight savings adjustments.” The EU rules, which apply also in other nearby Western European countries, are that all the clocks should be altered simultaneously at 01:00 UTC on the chosen Sundays, Brussels Time, whatever the local time might be. My present understanding is that in the USA the clocks are altered, one way or the other, on reaching 02:00 local time. Canadian provinces in the past have altered their clocks at varied times of day; I don't know whether that is still the case. In Lord Howe Island, the clocks are altered by only half an hour - Wikipedia, and https://www.timeanddate.com/time/zone/australia/lord-howe-island .


Re: Happy National Poll Worker Recruitment Day (RISKS-32.25)

“Richard A. DeMattia” <rademattia@sbcglobal.net>
Mon, 7 Sep 2020 17:28:26 -0400

Poll worker recruitment might be a bit more effective if half-day shifts were permitted, unlike in Ohio where the work shift is from before 6am to probably 8pm or later, and no partial-shift volunteers accepted.

Please report problems with the web pages to the maintainer

x
Top