Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Targets have ranged from elections to the Olympic Games* Hackers in Iran and China have also been active, report says
Russia-based hackers are responsible for the majority of nation-state attacks on Microsoft customers, according to new data from company.
Microsoft Corp. has issued 13,000 alerts about nation-state hacking attempts to its customers in the last two years, with 52% of incidents between July 2019 and June 2020 related to Russian hackers—whose targets have ranged from elections to the Olympics, according to a report published Tuesday. Iran was responsible for a quarter of the alerts while China was responsible for 12%. The remainder of the nation-state activity observed by Microsoft came from North Korea and other countries.
Russian hackers have targeted elections and political organizations in multiple countries, as well as non-profit groups, professional services and higher education, according to Microsoft. Kremlin-linked hackers also tried to break into 16 sporting and anti-doping organizations on three continents amid doping investigations into Russia athletes.
“We see nation-state actors constantly evolving, trying new techniques,” said Tom Burt, a vice president at Microsoft. “As it stands today the attackers are winning in that they are so well resourced, so determined and so agile.” Foreign hackers have continued to target organizations related to American politics in recent weeks, he said.
Iranian hackers have also been prolific, stepping up the volume of their attacks in the last six months, according to Burt. In August 2019 alone, Iranian hackers attacked 241 Microsoft accounts associated with a U.S. presidential campaign, current and former U.S. officials, political journalists and well-known Iranians living abroad, the report said. While only four of these attacks were successful, Microsoft anticipates an increase activity as the U.S. election approaches.
Hackers based in China have “attempted to gain intelligence on organizations associated with the upcoming U.S. presidential election,” according to Microsoft. Those hackers have also been active in cyber-attacks related to medical research. Among multiple attempts to hack medical research institutions in the U.S. and Asia, China-based hackers attacked an unnamed U.S. university that was researching a coronavirus vaccine in March. […]
https://www.bloomberg.com/news/articles/2020-09-29/microsoft-says-russia-behind-most-nation-state-hacking-attempts -or- https://www.msn.com/en-us/news/world/microsoft-says-russia-behind-most-nation-state-cyber-attacks/ar-BB19xXsj
If convicted, the pair could face up to 24 years in prison each
https://www.washingtonpost.com/politics/2020/10/01/wohl-robocall-michigan/
[Via Dave Farber]
Channel 4 in the UK has released an amazing 20 minute video that is the best explanation I've seen of how Cambridge Analytica used Facebook data to micro-target voters to influence the 2016 US election and the Brexit vote: https://www.youtube.com/embed/KIf5ELaOjOk
There's also another most interesting video from the same project that digs into one guy's Facebook/Cambridge Analytica file https://www.youtube.com/watch?v=5Swqc2NjEXM
This second video shows one particular guy's file, which contains his psychographic profile, including openness, conscientiousness, extroversion, agreeableness and neuroticism scores by percentile.
It “knows” what kind of car the individual has, that he's a gamer, what his investments are, what his diet is, whether he uses coupons, if he writes a blog, how he uses The Internet and social media, whether he has a home office and what charities he gives to. And a bunch of other things.
From these aggregated data, it's easy to imagine how CA could determine things like who he'd vote for and the strength of his commitment to the voting process, and target manipulative ads and messages from “friends” accordingly.
In my humble opinion, both videos are must-watch for all who consider themselves to be technology literate.
Mark Niesse, Atlanta Journal Constitution( <https://www.ajc.com/politics/error-discovered-on-georgia-touchscreens-in-us-senate-race/M7CJDSSZHRDBJFGTHYCPJ4APHM/>
Election officials working to correct issue before early voting begins 12 Oct. Georgia election officials said Saturday they found a programming error on the state's voting touchscreens that caused a row of candidates in the 21-person U.S. Senate special election to disappear at times when flipping back and forth between screens. This will require reprogramming the state's 30,000 new touchscreens. The issue occurred in the U.S. Senate special election, which includes Republican U.S. Sen. Kelly Loeffler and U.S. Rep. Doug Collins, along with Democrats Raphael Warnock, Matt Lieberman and Ed Tarver.
The rush to vote from home this year left Maryland election judges with a burden that plagues no other state in the country: Ballots delivered online cannot be read by the state's scanning machines. To be counted, each of those ballots must instead be hand-copied by election judges onto a cardstock ballot. And each week, more requests for those Web-delivered ballots are rolling into election offices around the state, dramatically increasing the pressure on a system built for a far different type of election.
A month ahead of the deadline, more than 111,000 people have requested Web-delivered blank ballots—nearly twice the volume of the previous election. About 924,000 voters have so far asked for ballots to be mailed to them.
The Web-delivered ballots offer front-end expediency for voters, who can follow a link in their email, enter credentials on a website and download a ballot packet to print at home on regular paper. But on the back end, that plain paper becomes a first draft, and every voter's choices must be transcribed onto oversize cardstock that can be scanned.
For transparency's sake, the transcription is done by a pair of judges — one a Republican, the other a Democrat. One judge reads the ballot choices aloud, and the other marks them down on the ballot. Then the judges switch jobs to check each other's work.
The process takes about five minutes per ballot, election officials said. As of Thursday, that added up to more than 9,000 hours of work just to get the ballots ready to be scanned.
No good deed goes unpunished.
The exchange's operator said it planned to resume trading on Friday after a technical problem left investors unable to place orders.
https://www.nytimes.com/2020/09/30/business/tokyo-stock-market-glitch.html
The president's two August Executive Orders banning the mobile app TikTok <https://www.whitehouse.gov/presidential-actions/executive-order-addressing-threat-posed-tiktok/> and the mobile app WeChat <https://www.whitehouse.gov/presidential-actions/executive-order-addressing-threat-posed-wechat/>, along with the State Department's major foreign policy initiative for a “clean” internet within the United States <https://www.state.gov/the-clean-network-safeguards-americas-assets/> are only the most recent signs that the once open, global Internet is slowly being replaced by 200, nationally-controlled, separate internets. And, while these separate American, Chinese, Russian, Australian, European, British, and other “internets” may decide to have some things in common with each other, the laws of political gravity will slowly pull them further apart as interest groups in each country lobby for their own concerns within their own country. Moreover, we will probably see the emergence of a global alternat[iv]e internet before long.
Some of this nationalistic dis-integration of The Internet has been foreseen <http://www3.weforum.org/docs/WEF_FII_Internet_Fragmentation_An_Overview_2016.pdf> as the 1990s' open/global Internet gradually became a principal domain of war, news, espionage, politics, propaganda, banking, commerce, entertainment, and education since around 2005. The process of creating hundreds of individual, national internets has been slow because the global Internet—the network of networks =94 was never designed to recognize national borders and because the United States had been a forceful opponent of a fragmented set of national internets. Both of these conditions have changed and they are changing rapidly.
To oversimplify, the genesis of the internet, the U.S. Defense Department=99s DARPANET, was designed to allow completely different computer networks (think IBM and UNIVAC, or PC and Mac) to connect with each other by inserting between them a gateway that converts each network=99s computer language into a common internet language, called internet protocols. The genius behind the concept is that not all computer networks needed to use the same computer language they only had to convert to a common language at a gateway, which then routed everyone on every network to everyone on every other network. And—since computer networks do not inherently notice or care which city, province, state or country they=99re in or the nationality of their human user—the technology was not designed to take national borders into account. This contrasts markedly with such media as broadcasting and telecommunications, which basically grew with the permission of national governments from within countries, and then governments allowed the interconnection of their national network to others under government-controlled technical and substantive arrangements.
As background, it's important to recognize that—by almost any measure -4 the global Internet is controlled by businesses and non-profits subject to the jurisdiction of the United States government. Within a roughly 1,000-mile strip of land stretching from San Diego to Seattle lie most major Internet businesses and network control or standards bodies (and those that aren=99t there likely lie elsewhere in the United States). So =94 as the governments of China, Russia and Iran never tire of explaining =94 while Americans constitute around 310 million out of the world=99s 4.3 billion Internet users (around 8 percent) <https://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users>, the U.S. government exercises influence or control over more than 70 percent of the Internet's controls and services.
It took China millions—perhaps billions =94 of dollars and well over a decade to demonstrate that the inherently non-nationalistic nature of the internet could be managed through both technical and legal means, sometimes described as “The Great Firewall of China <https://en.wikipedia.org/wiki/Great_Firewall>.” Without listing the wide range of methods that China has used to create an internet within China that is different from the Internet in the U.S. or Europe, suffice it to say that unless someone in China has extraordinary technical means and is willing to risk breaking the rules, the internet in China is noticeably different (e.g. no Google, Facebook or Twitter <https://www.businessinsider.com/major-us-tech-companies-blocked-from-operating-in-china-2019-5#tumblr-6>). China's ability to control the Internet experience within its borders between roughly 2005 and 2018 taught many other countries that doing so, even if costly, is possible. This lesson was not lost on Russia, Iran, Australia, Turkey, Saudi Arabia, the EU and many other countries, which began developing legal (and sometimes technical) means to control Internet content within their borders. This legal/technical nationalization over the past decade was significantly boosted by the realization that it was actually not very difficult for a government to substantially shut down the Internet within a territory. […]
https://thehill.com/opinion/technology/518762-is-the-internet-falling-apart
Is it just me, or do other people find that MacOS keeps their clock 2-3 minutes early?
I noticed that MacOS was several minutes ahead of the opening bell of the NYSE, and started watching over the next several days. It was not a fluke.
I rebooted the machine, which got MacOS to sync with an Apple time server, and it was still 2-3 minutes early.
I didn't see any easy way to change the time server that this machine consults, so it remains early.
Among other things, this time difference is a security risk, because someone might be able to utilize a specific time difference to identify a particular computer.
https://www.bbc.com/news/technology-54327412
The video demonstrates that silicon-device manufacturing techniques can mass produce microscopic mobile robots. The device creators suggest these devices might one day deliver targeted chemotherapy payloads or other substances to treat human diseases.
For size comparison purposes:
a) Human blood cell diameter is ~6 to 8 micrometers (see https://en.wikipedia.org/wiki/Red_blood_cell#Human, retrieved on 29SEP2020).
b) Human hair diameter ranges between ~17 micrometers to ~181 micrometers. Thickness attributed to various genetic factors (see https://hypertextbook.com/facts/1999/BrianLey.shtml
Tablets (with silicon dioxide) are apparently used to treat osteoporosis, heart disease, hair loss, Alzheimer's disease, etc (see https://www.webmd.com/vitamins/ai/ingredientmono-1096/silicon, retrieved on 29SEP2020). Silicon dust, if inhaled, is toxic (see https://en.wikipedia.org/wiki/Silicon#Safety, retrieved on 29SEP2020).
Risk: Unmetabolized silicon robot carcasses (toxic waste), including other minerals used to manufacture the robot, or metabolites from robot interaction with human blood.
Double-blind clinical study needed to determine therapeutic safety.
Steve Ranger, ZDNet, 22 Sep 2020 via the ACM Tech News, 28 Sep 2020
More than $44.75 million in bounties was awarded to hackers worldwide over the past year, up 86% annually, according to HackerOne, which operates bug bounty programs. The average bounty paid for critical vulnerabilities rose 8% over the past year to $3,650, and the average amount paid per vulnerability was $979. To date, more than 181,000 vulnerabilities have been reported, and hackers have been paid more than $100 million. Almost nine out of 10 of the hackers enrolled with HackerOne are under 35, and hacking is the only source of income for one in five of the program's hackers. HackerOne reported that, in less than a decade, nine individual hackers have been paid $1 million in total bounty earnings, more than 200 hackers have earned more than $100,000, and 9,000 hackers have earned “at least something.”
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-27364x225229x065996&
https://www.theverge.com/2020/9/25/21455655/microsoft-windows-xp-source-code-leak
https://www.bbc.co.uk/news/uk-england-oxfordshire-54310800
If this story is true it appears that the alcohol mist is automatic—and so is the sensor to detect alcohol in the driver's breath. But surely it must have been tested …
Alex Scroxton, Computer Weekly, 24 Sep 2020 via ACM TechNews, 28 Sep 2020
Security teams at Check Point and Facebook reported a third-party remote code execution flaw in the Instagram photo-sharing platform, which could have enabled malefactors to hijack accounts and use victims' devices for surveillance. Facebook calls the bug an integer overflow leading to a heap buffer overflow, and was present in Mozjpeg, an open source, third-party JPEG decoder that Instagram uses to upload images to the application. Check Point's Yaniv Balmas highlighted the risks of using third-party code libraries to build app infrastructures without checking for flaws. Although patched six months ago, the Mozjpeg bug is only being disclosed now in the hope that a sufficient number of users have updated their apps to ameliorate its impact.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-27364x225232x065996&
Scientists from MIT have found a way to implant ideas on the minds of people as they fall asleep to create bizarre and abstract dreams. The researchers used the targeted dream incubation to guide people's dreams towards particular themes by repeating information during the first stage of sleep. That stage is called hypnagogia, which is responsible for dreams about psychedelic phenomena.
The technology consists of a wrist-worn electronic device that tracks sleep, called Dormio, connected to an app that delivers audio prompts during hypnagogia.
The researchers influenced the dreams of most of its study participants to dream about a tree during the earliest stage of sleep during the trials. An MIT computer scientist also used the Dormio system to make himself dream about the chocolate fountain seen in the classic 1971 film 'Willy Wonka and the Chocolate Factory.' Dreams in the Hypnagogia Stage. […] <https://www.media.mit.edu/projects/sleep-creativity/overview/>
https://www.sciencetimes.com/articles/27501/20200929/mit-sleep-alter-dreams-creativity.htm
CBP failed to protect 184,000 facial images of cross-border travelers before massive data breach last year, according to report […] https://www.rollcall.com/2020/09/29/privacy-of-biometric-data-in-dhs-hands-in-doubt-inspector-general-says/
Weak laws leave thousands vulnerable, former privacy commissioner says.
The message came out of the blue for Taylor Fornell. A stranger told her he had complete control over the home security system in her new house in Stony Plain, Alta., and could prove it.
As she stood alone in her front hall, she watched in disbelief as the man unarmed the system, unlocked doors and windows and told her he could track when she left the house - all with a few clicks on the security company's app. “I felt a little sick to my stomach . It's just really creepy and a breach of trust,” Fornell told Go Public, referring to Vivint, the security company that installed and ran the system.
Fornell was lucky. The stranger who connected with her on Facebook was the former owner of the house.
https://www.cbc.ca/news/business/security-system-app-homeowner-stranger-1.5733444
https://www.cbc.ca/news/business/security-system-app-homeowner-stranger-1.5733444
“They're applying on-campus rules to these children, even though they're learning virtually in their own homes,”said the family's attorney, Chelsea Cusimano.
https://www.washingtonpost.com/nation/2020/09/25/louisiana-student-bbgun-expulsion/
https://techxplore.com/news/2020-09-deep-unconsciousness-patients-anesthetic-state.html
“Essentially, Schamberg and his colleagues developed a deep neural network and trained it to control anesthetic dosing using reinforcement learning within a simulated environment. They specifically focused on the dosage of Propofol, a medication that decreases people's level of consciousness and is commonly used to perform general anesthesia or sedation on patients who are undergoing medical procedures.”
The report concludes with this text:
“So far, our approach outperformed the commonly used proportional-integral-derivative controller and was robust across a variety of patient variations in drug metabolism and effect,” Schamberg said. “We would now love to test the proposed paradigm on humans in controlled clinical settings.”
Modern anesthesia practice demonstrates dramatically low patient injury or mortality. See https://pubs.asahq.org/anesthesiology/article/110/4/759/10557/Epidemiology-of-Anesthesia-related-Mortality-in (retrieved 28SEP2020) which estimates 1 death per 100000 anesthesia procedures since ~2000.
General anesthesia application encompasses a procedural life cycle. Patient sedation comprises one life cycle phase (see https://my.clevelandclinic.org/health/treatments/15286-anesthesiology, retrieved on 28SEP2020).
Numerous devices, depending on surgical procedure, are used to administer sedation and for post-operative recovery: Needles, catheters, sedative injections, gas mixtures, etc. Several instruments are applied to measure patient sedation and overall vitality while under the knife: blood oxygen level, blood pressure, sedative flow, patient pulse, respiration rate, etc.
The FDA's Total Product Life Cycle reporting system reveals product codes representing widely deployed commercial anesthesia delivery systems and kits.
This query yields 28 product codes. Individual medical device reports (MDR) attributed to the three-letter product code, and the commercial anesthesia devices it classifies, can be accessed: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cftplc/tplc.cfm?start_search=1&devicename=anesthesia&productcode=&deviceclass=®ulationnumber=&min_report_year=2015&pagenum=50
Since 2015, the product codes with the biggest MDR density appear to be: BSZ and OGE. BSZ applies to “gas machine, anesthesia” devices; OGE applies to “anesthesia, epidural kit” devices.
It is notable that the top 3 MDR problems for each product code indicate device or component issue that DID NOT impact the patient. The events run the gamut: contaminated syringe, stuck catheter, leak, system shutdown, foreign body in patient, broken knob, kink in suction line, etc. Fortunately, a skilled professional intervened to mitigate.
The Top-10 Patient Problems for BSZ:
Patient Problems,MDRs with this Patient Problem,Events in those MDRs No Patient Involvement,7245,7245 No Consequences Or Impact To Patient,3203,3203 No Known Impact Or Consequence To Patient,633,633 Low Oxygen Saturation,55,55 No Information,33,33 Death,31,31 Awareness during Anaesthesia,22,22 No Code Available,14,14 Cardiac Arrest,11,11 Hypoxia,9,9
The Top-10 Patient for OGE:
Patient Problems,MDRs with this Patient Problem,Events in those MDRs No Consequences Or Impact To Patient,260,260 No Information,148,148 No Known Impact Or Consequence To Patient,115,115 Foreign Body In Patient,66,66 Device Embedded In Tissue or Plaque,29,29 Cerebrospinal Fluid Leakage,18,18 No Patient Involvement,15,15 Needle Stick/Puncture,10,10 Pain,9,9 No Code Available,6,6
Basically, the Tesla Autopilot replaces a good driver by a poor driver. (If you are a poorer driver than Tesla Autopilot, then you should not be allowed to drive!). But, Tesla might argue, its OK because the good driver has to continuously watch over the poor driver and take control the moment the poor driver makes a mistake.
This makes driving much more tiring for the human driver: having to concentrate all the time without being in control is much more work than actually driving. It also makes the journey less safe: the good driver is now having to react to mistakes made by the autopilot instead of being proactive in anticipating and avoiding potentially dangerous situations. Advanced driving is all about anticipation and avoidance to reduce the possibility that a dangerous situation occurs, it is not about lightning reflexes to get out of trouble.
Some examples:
In each case, instead of just instinctively avoiding the possible danger, you also have to decide if and when to take over from the autopilot, and then manage the transition while avoiding the danger.
I disagree that this is the fault of the WaPo staff.
First off, journalists are paid to be inquisitive, so clicking on links should be fine.
Second, they probably didn't particularly believe the email anyway but wanted to see more to understand what was going on. I've been subject to this kind of test and it is bad enough to be shown a red flashing page saying ‘FAILED’ or the like. Pointed content of the kind the WaPo used is guaranteed to get a very negative response—and from people you are actually trying to help!
Third, what we all need (and not just journalists) is to have our email pre-filtered in a sandbox environment. Load the email, test the links and see what comes back. Dodgy javascript and dodgy websites can be flagged.
An automated test of that sort is never going to be 100% accurate; the end user would still need to take some care. But adding checks would help greatly. End users are not solely responsible for damage due to following bad links in emails!
And how many of those numbers are “allocated but unused”?
Many years ago, they upgraded the numbers in the town where I worked from 5 digits to 6. In the process, they allocated our company the number 36nnnn for DDI (Direct Dial-In). In other words, each phone in the office had a normal phone number - the local exchange routed all numbers starting with 36 to the company PABX for it to process the rest.
That's 10,000 numbers allocated to just one customer …
This item fails to observe that in the case of Sullivan (and likely Taibbi as well), what's pushing them out is not the pandemic but the amount of interference (aka censorship) being imposed by the publishing organizations they work for, since these writers often espouse views not in keeping with the mainstream. So it's more cancel culture than COVID-19 cultures.
Please report problems with the web pages to the maintainer