Downstream impact from an unavailable system
The automated system had a technical issue preventing a plane change from being passed to downstream systems. Operators noticed the change and manual updates were performed as a workaround. Either the workaround was not complete or did [not?] address all affected systems.
It seems that the Tesla app on iPhone somehow makes an update purchase as the default action, and doesn't require a confirmation password or code.
Full story at: https://www.cnbc.com/2020/10/07/tesla-app-butt-dial-purchases-still-possible-refunds-hard-to-get.html
Some associates of mine have noticed problems with automobiles, often with changes they do not like or want, like forcing the use of a start button (and stepping on the brake) instead of simply turning the key. It means things like the passenger being able to turn on the car just by turning the key have gone the way of the AM-only radio or the crank starter. Now, turning the engine on, even if you're not going to drive, requires getting out of the car, sitting in the driver's seat, stepping on the brake, then pushing the starter. Another problem is that relatively inexpensive devices (keys) that even in the most expensive cases never reached US$20 are now replaced by transponders or keyfobs costing as much as $1,000.
And the cost of repairs has gone up as the capacity of most people to do anything beyond routine maintenance has gone down. Technology has improved features cars have, but it has come at a cost.
Cars in the past used relays to control functions because it was the least expensive way to provide these functions. As microprocessors became ever cheaper and had more functionality, they became ideal for use to do multiple things in place of relays, programmable logic controllers, and other circuitry. All that they had to do was connect them. Previously they ran one connection (wire) to each thing being controlled. Then they got an idea: create a network (bus) to connect the components. If the components could simply only listen on the bus for commands addressed to them, you only need one wire for everything, to send messages everywhere. This provides lots more flexibility as all you have to do as add new messages with a different command code and you can control a new device, but it makes everything more “fragile.”
Now, when I say “fragile,” I don't mean the comment of Doc Brown in “Back to the Future” in which he says a 1954 Buick crashing into a Delorean would tear through it like tissue paper, I mean the systems are less “robust,” less resistant to failure.
Systems built with centralized or “concentrated” architecture are more fragile, more subject to failure because there are more critical points that if any one point fails, the whole thing fails. On a car from the past, short of the engine or transmission suffering catastrophic damage, the car would continue to operate. Today, if the computer or the bus is damaged, your car is inoperable.
Previously, a failure of the air conditioning didn't mean the car couldn't drive, and a problem with the power steering didn't prevent you from putting the car in reverse. But today, so many systems are connected in a very centralized architecture that one system can affect another due to side effects. It also means that where before, just about anyone with ordinary education and skills could repair most things on an automobile with ordinary tools, today it takes a skilled mechanic with a master's degree and $40,000 in equipment.
Distributed architecture increases robustness. Here are two examples.
The development of Blockchain technology has caused other industries to use it beyond cryptocurrency. An example being a bank: crack their mainframe and you can steal just about anything. But, if instead of breaking one computer you have to get, say, all or a majority of all 100 branches to agree, it makes it much harder to almost impossible to create a fraudulent transaction.
During the Gulf War, despite saturation bombing, the coalition forces were unable to shut down Iraq's military Command & Control systems; the messages still got through. The reason being that the systems were built using TCP/IP, the same communications protocol used by the Internet, and was invented specifically for the US military to be able to continue to operate communications infrastructure capable of communicating to troops in the event of nuclear war. We found out under actual battlefield conditions that “the damn stuff actually works.”
These and other examples show that distributed architecture makes systems more robust, while concentrated architecture makes systems more fragile. We have gained increased functionality and cost savings while sacrificing robustness and simplicity, and the trend is likely to continue, unless people get sick of these failures and demand better, or someone comes up with better systems that are more robust and possibly simpler.
While that would be nice, I don't see that happening any time soon.
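The bank analogy above (one mainframe versus a majority of 100 branches having to agree) can be made concrete. The following is an added example, not code from the original post or from any bank or blockchain system: each of 100 constructed branches holds its own key and attests to a transaction with an HMAC over its exact contents, and a transaction only commits when a strict majority of attestations verify. Compromising a single branch's key therefore yields one valid attestation, not a committed transaction. Branch names, keys and the transaction layout are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed demo: 100 "branches", each holding its own secret key. In a real
# deployment each branch would hold only its own key; they are generated in one
# place here only so that the example runs stand-alone.
BRANCHES = [f"branch-{i:03d}" for i in range(100)]
BRANCH_KEYS = {b: hashlib.sha256(f"demo-secret-{b}".encode()).digest() for b in BRANCHES}
QUORUM = len(BRANCHES) // 2 + 1  # strict majority: 51 of 100


def canonical(tx: dict) -> bytes:
    """Serialise a transaction deterministically so every branch MACs the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def attest(branch: str, key: bytes, tx: dict) -> str:
    """One branch's attestation: HMAC-SHA256 over the exact transaction contents."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def count_valid(tx: dict, attestations: dict) -> int:
    """Count attestations that verify under the named branch's key for *this* tx."""
    valid = 0
    for branch, tag in attestations.items():
        key = BRANCH_KEYS.get(branch)
        if key is None:
            continue  # unknown branch: ignored, never counted
        if hmac.compare_digest(tag, attest(branch, key, tx)):
            valid += 1
    return valid


def is_committed(tx: dict, attestations: dict) -> bool:
    """A transaction is final only when a strict majority of branches attest to it."""
    return count_valid(tx, attestations) >= QUORUM


def collect(tx: dict, branches) -> dict:
    """Gather attestations from the given branches (honest, or the ones an intruder holds)."""
    return {b: attest(b, BRANCH_KEYS[b], tx) for b in branches}


if __name__ == "__main__":
    tx = {"from": "acct-1", "to": "acct-2", "amount": 100}
    print(is_committed(tx, collect(tx, BRANCHES)))            # True: all branches agree
    bogus = {"from": "acct-1", "to": "acct-9", "amount": 10**6}
    print(is_committed(bogus, collect(bogus, ["branch-007"])))  # False: one branch is not a quorum
```

Because the attestation covers the canonical transaction bytes, attestations gathered for a legitimate transaction cannot be replayed to commit a different one; the single-key mainframe in the analogy has no equivalent of this check.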
In 1978, NASA scientist Donald Kessler warned of a potential catastrophic, cascading chain reaction in outer space. Today known as “Kessler Syndrome,” the theory posited that space above Earth could one day become so crowded, so polluted with both active satellites and the detritus of space explorations past, that it could render future space endeavors more difficult, if not impossible. Last week, the CEO of Rocket Lab, a launch startup, said the company is already beginning to experience the effect of growing congestion in outer space. Rocket Lab CEO Peter Beck said that the sheer number of objects in space right now—a number that is growing quickly thanks in part to SpaceX's satellite Internet constellation, Starlink—is making it more difficult to find a clear path for rockets to launch new satellites. “This has a massive impact on the launch side,” he told CNN Business. Rockets “have to try and weave their way up in between these [satellite] constellations.”
Part of the problem is that outer space remains largely unregulated. The last widely agreed upon international treaty hasn't been updated in five decades, and that's mostly left the commercial space industry to police itself. Rocket Lab set out to create lightweight rockets—far smaller than SpaceX's 230-foot-tall Falcon rockets—that can deliver batches of small satellites to space on a monthly or even weekly basis. Since 2018, Rocket Lab has launched 12 successful missions and a total of 55 satellites to space for a variety of research and commercial purposes. Beck said the in-orbit traffic issues took a turn for the worse over the past 12 months. It was over that time that SpaceX has rapidly built up its Starlink constellation, growing it to include more than 700 Internet-beaming satellites. It's already the largest satellite constellation by far, and the company plans to grow it to include between 12,000 and 40,000 total satellites. That's five times the total number of satellites humans have launched since the dawn of spaceflight in the late 1950s. <https://www.cnn.com/2020/07/02/tech/spacex-starlink-planet-9-x-scn/index.html>
It's not clear if traffic from its own satellites has also caused frustrations for SpaceX. The company did not respond to a request for comment. Orbital junkyards. […] https://www.cnn.com/2020/10/07/business/rocket-lab-debris-launch-traffic-scn/index.html
“The problem is that the PHE developers picked an old file format to do this — known as XLS.”
As a consequence, each template could handle only about 65,000 rows of data rather than the one million-plus rows that Excel is actually capable of.
Asked if it was likely that some people will have got coronavirus due to the IT failure, Work and Pensions Secretary Therese Coffey told Sky News: “There may well be.”
The error is believed to have been caused by a spreadsheet containing lab results reaching its maximum size, and failing to update.
So, the problem hasn't actually been fixed… just pushed down the road a bit for someone else to deal with in the next pandemic.
[danny burstein noted a Twitter item from Max Roser, Univ. of Oxford researcher: https://twitter.com/MaxCRoser/status/1313046638915706880 ah… I had some trouble copying those URLs, but here: https://www.bbc.co.uk/news/uk-54412581 https://www.dailymail.co.uk/news/article-8805697/Furious-blame-game-16-000-Covid-cases-missed-Excel-glitch.html PGN]
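The failure described above is a capacity limit that was never checked: a sheet in the legacy XLS format holds 65,536 rows, the XLSX format 1,048,576, and rows beyond the limit simply never reach the file. The following added example (not code from PHE or from any product mentioned in the story) models both the silent-truncation behaviour and the two guards a pipeline should have had: an export that refuses to write more rows than the format can hold, and a record-count reconciliation downstream. The sample "lab results" are constructed; only their count matters.

```python
# Known per-sheet row limits: the legacy BIFF .xls format holds 65,536 rows,
# the XML-based .xlsx format 1,048,576. One row is reserved for the header.
ROW_LIMITS = {"xls": 65_536, "xlsx": 1_048_576}
HEADER_ROWS = 1


class CapacityExceeded(ValueError):
    """Raised instead of silently dropping records."""


def data_capacity(fmt: str) -> int:
    """Number of data rows a sheet in this format can hold after the header row."""
    return ROW_LIMITS[fmt] - HEADER_ROWS


def truncating_export(rows, fmt):
    """Models the failure mode in the story: rows past the sheet limit vanish, no error."""
    return rows[: data_capacity(fmt)]


def checked_export(rows, fmt):
    """Refuses to produce a file that cannot hold every row."""
    if len(rows) > data_capacity(fmt):
        raise CapacityExceeded(
            f"{len(rows)} rows exceed {fmt} capacity of {data_capacity(fmt)}"
        )
    return list(rows)


def reconcile(source_count: int, exported_count: int) -> int:
    """Count check the receiving stage should run: how many records went missing?"""
    return source_count - exported_count


def make_results(n: int):
    """Constructed sample lab results; the content is irrelevant, only the count matters."""
    return [{"specimen": f"S{i:07d}", "result": "positive"} for i in range(n)]


if __name__ == "__main__":
    rows = make_results(80_000)
    out = truncating_export(rows, "xls")
    print(len(out), "written,", reconcile(len(rows), len(out)), "lost silently")
    try:
        checked_export(rows, "xls")
    except CapacityExceeded as e:
        print("checked export refused:", e)
```

Switching the template to XLSX raises the ceiling but does not remove it; the reconciliation count is the check that survives a later format change.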
Those higher in narcissism are disproportionately taking part in the democratic process, according to new research published in Personality and Social Psychology Bulletin <https://journals.sagepub.com/doi/10.1177/0146167220919212>.
The study found a positive correlation between narcissism and political participation. In other words: The more narcissistic someone is, the more likely they are to contact politicians, sign petitions, donate money, and vote in midterm elections.
“We have entered into an Age of Entitlement and a post-truth world that combine to form an unprecedented cultural movement where large portions of the public pursue self-interest and self-promotion above all things and truth is whatever you want it to be, where alternative facts are given equal standing with credible sources,” said study author Pete Hatemi <https://scholar.google.com/citations?hl=en&user=Ci8Ix08AAAAJ&view_op=list_works&sortby=pubdate>, a distinguished professor at Penn State University.
“It is hard not to notice how much more of me is part of our world — projecting one's status at the cost of others, whether using social media such as Facebook or Instagram or Twitter. Gone are the days when children's goals were to be something or do something important, replaced by the desire to be famous. Tom Wolfe's vision seems to have come to pass.”
“It was hard for my colleague Zoltan Fazekas and I to ignore the rampant narcissism in our elected leaders, and the outcomes of their decisions. And it seemed likely that higher public narcissism has some role in the growing instability of our democracy, and in 2009 we began collecting data to see if those higher in narcissism are taking a greater part in the political process,” Hatemi explained.
The researchers examined data from two nationally representative surveys in the U.S. and in Denmark, with 500 and 2,450 participants in each, respectively, and a web-based U.S. survey with 2,280 participants.
All of the surveys assessed narcissism and eight types of political participation: signing a petition, boycotting or buying products for political reasons, participating in a demonstration, attending political meetings, contacting politicians, donating money, contacting the media, and taking part in political forums and discussion groups.
The surveys also collect information about voting behavior and sociodemographic variables such as gender, age, race, education, and political ideology. […] https://www.psypost.org/2020/09/psychology-study-indicates-that-narcissists-are-more-involved-in-politics-than-the-rest-of-us-58112
Steven H. Horowitz, The Washington Post
Perspective: “A doctor gave me an inept diagnosis for a neurological problem. I should know: I'm a neurologist.”
“I offered to teach the staff at this medical center, but I got nowhere. I could not have been the first patient so poorly evaluated. Without doubt, I won't be the last.”
Air Force, U.S. Special Operations Command fund year-long effort to train a neural net to rank credibility and sort news from misinformation.
For all the U.S. military's technical advantages over adversaries, it still struggles to counter disinformation. A new software tool to be developed for the U.S. Air Force and Special Operations Command, or SOCOM, may help change that.
“If you don't compete in the information space, regardless of how good your operations are, your activities are, you will probably eat a shit sandwich of disinformation or false reporting later on,” Raymond ‘Tony' Thomas, a former SOCOM chief, said in an interview. “We certainly experienced that at the tactical level. That was the epiphany where we would have good raids, good strikes, etc. and the bad guys would spin it so fast that we would be eating collateral damage claims, etc. So the information space in that very tactical space is key.”
It even “stretches to the strategic space,” said Thomas, meaning that disinformation can spread until it affects larger geopolitical realities.
Thomas now serves as an advisory board member for Primer, a company that on Thursday announced a Small Business Innovation Research contract to develop software over the next year to help analysts better—and much more quickly—survey the information landscape and hopefully detect false narratives that show up in the public space. […] <https://www.prnewswire.com/news-releases/socom-and-us-air-force-enlist-primer-to-combat-disinformation-301143716.html>
Despite the software vendor's protestations, it appears that facial recognition software is not ready for prime time… https://www.sfchronicle.com/business/article/California-bar-exam-takers-say-facial-recognition-15629617.php
History, Environmental Issues and Policies
Cited as being the most contaminated site in the Western Hemisphere, Mr. Weil will cover the history of Hanford from its beginning as part of the Manhattan Project in 1943. He will discuss the construction and operation of multiple processing facilities for the production of plutonium (for more than 60,000 nuclear weapons). He will also discuss waste management activities from the 1940s to today and current activities at the Hanford Site. The presentation will review major activities including the development and impact of the Hanford Federal Facility Compliance Agreement and Consent Order, the construction and operation of the Environmental Restoration Disposal Facility (a huge landfill on the site receiving remediation waste), the cocooning of production reactors, and the closing and dismantling of large numbers of production facilities on site (including the Plutonium Finishing Plant).
Men accused of taking part in scheme to phish credentials and sell account access.
The class action lawsuit alleges that the video game company hasn't done enough to address a known problem with its controllers.
The risks? Technology, lawyers, greed…
A security flaw in an Internet-connected male chastity device could allow hackers to remotely lock it—leaving users trapped, researchers have warned.
The Cellmate, produced by Chinese firm Qiui, is a cover that clamps on the base of the male genitals with a hardened steel ring, and does not have a physical key or manual override.
The locking mechanism is controlled with a smartphone app via Bluetooth — marketed as both an anti-cheating and a submission sex play device—but security researchers have found multiple flaws that leave it vulnerable to hacking.
“We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device. There is no physical unlock,” British security firm Pen Test Partners said Tuesday.
“An angle grinder or other suitable heavy tool would be required to cut the wearer free.”
The firm also found other security flaws in the Cellmate—listed for $189 on Qiui's website—that could expose sensitive user information such as names, phone numbers, birthdays and location data. […] https://sports.yahoo.com/smart-male-chastity-device-vulnerable-053135255.html
This gives new meaning to the WOPR response at the end of the movie WarGames: The only winning strategy is not to play.
Cybersecurity researchers have taken the wraps off a new botnet hijacking Internet-connected smart devices in the wild to perform nefarious tasks, mostly DDoS attacks, and illicit cryptocurrency coin mining.
Discovered by Qihoo 360's Netlab security team, the HEH Botnet <https://blog.netlab.360.com/heh-an-iot-p2p-botnet/>—written in Go and armed with a proprietary peer-to-peer (P2P) protocol—spreads via a brute-force attack on the Telnet service on ports 23/2323 and can execute arbitrary shell commands.
The researchers said the HEH botnet samples discovered so far support a wide variety of CPU architectures, including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III), and PowerPC (PPC).
The botnet, despite being in its early stages of development, comes with three functional modules: a propagation module, a local HTTP service module, and a P2P module.
Initially downloaded and executed by a malicious Shell script named “wpqnbw.txt,” the HEH sample then uses the Shell script to download rogue programs for all different CPU architectures from a website (“pomf.cat”), before eventually terminating a number of service processes based on their port numbers. […] https://thehackernews.com/2020/10/p2p-iot-botnet.html
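The propagation method above (Telnet brute force on ports 23 and 2323) is noisy from the defender's side: a single source opens many connections to those ports in a short time. The following added example, not code from Netlab's write-up, runs that detection over constructed iptables-style gateway log lines (the log format itself is an assumption): it parses each line, keeps only TCP attempts to the Telnet ports, and flags any source whose attempts within a sliding window exceed a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: a gateway logging each inbound TCP SYN with source and dest port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)
TELNET_PORTS = {23, 2323}  # standard and alternate Telnet ports named in the report


def parse(line: str):
    """Return {ts, src, dpt} for a matching line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "dpt": int(m["dpt"])}


def telnet_bruteforce(lines, threshold=8, window=timedelta(seconds=60)):
    """Map source -> peak number of Telnet attempts seen in any `window`, for sources
    reaching `threshold`. Sources below the threshold are not reported."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["dpt"] in TELNET_PORTS:
            hits[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in hits.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed sample: one source hammering port 2323, one single Telnet probe,
    ordinary web traffic from a third source, and an unparseable line."""
    base = datetime(2020, 10, 6, 12, 0, 0)
    line = "{ts} gw kernel: IN=eth0 SRC={src} DST=192.0.2.10 PROTO=TCP SPT={spt} DPT={dpt} SYN"
    lines = [line.format(ts=(base + timedelta(seconds=2 * i)).isoformat(),
                         src="198.51.100.7", spt=41000 + i, dpt=2323) for i in range(10)]
    lines.append(line.format(ts=base.isoformat(), src="198.51.100.8", spt=50000, dpt=23))
    lines += [line.format(ts=(base + timedelta(seconds=i)).isoformat(),
                          src="198.51.100.9", spt=52000 + i, dpt=80) for i in range(12)]
    lines.append("2020-10-06T12:00:30 gw sshd[411]: Accepted publickey for ops")
    return lines


if __name__ == "__main__":
    for src, n in telnet_bruteforce(build_sample_log()).items():
        print(f"{src}: {n} Telnet connection attempts within the window")
```

Threshold and window are tuning knobs: a legitimate management host may touch port 23 a few times a day, while a brute-forcing bot produces dozens of attempts a minute, so the peak-per-window figure separates the two better than a raw total.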
More than a decade in the making, the Supreme Court may finally decide if application programming interfaces (APIs) can be copyrighted. If the court decides they are, everything you know about making programs will change for the worse.
A team of five security researchers analyzed several Apple online services for three months and found as many as 55 vulnerabilities, 11 of which are critical in severity.
The flaws—including 29 high severity, 13 medium severity, and 2 low severity vulnerabilities—could have allowed an attacker to “fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”
The flaws meant a bad actor could easily hijack a user's iCloud account and steal all the photos, calendar information, videos, and documents, in addition to forwarding the same exploit to all of their contacts.
The findings were reported by Sam Curry, along with Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes over a three month period between July and September. <https://samcurry.net/hacking-apple/>
After they were responsibly disclosed to Apple, the iPhone maker took steps to patch the flaws within 1-2 business days, with a few others fixed within a short span of 4-6 hours.
So far, Apple has processed about 28 of the vulnerabilities with a total payout of $288,500 as part of its bug bounty program. […]
As businesses are increasingly migrating to the cloud, securing the infrastructure has never been more important.
Now according to the latest research, two security flaws in Microsoft's Azure App Services could have enabled a bad actor to carry out server-side request forgery (SSRF <https://portswigger.net/web-security/ssrf>) attacks or execute arbitrary code and take over the administration server.
“This enables an attacker to quietly take over the App Service's git server, or implant malicious phishing pages accessible through Azure Portal to target system administrators,” cybersecurity firm Intezer said in a report published today and shared with The Hacker News. <https://www.intezer.com/blog/cloud-security/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/>
Discovered by Paul Litvak <https://twitter.com/polarply> of Intezer Labs, the flaws were reported to Microsoft in June, after which the company subsequently addressed them.
Azure App Service is a cloud computing-based platform <https://azure.microsoft.com/en-us/services/app-service/> that's used as a hosting web service for building web apps and mobile backends.
When an App Service is created via Azure, a new Docker environment is created with two container nodes—a manager node and the application node — along with registering two domains that point to the app's HTTP web server and the app service's administration page, which in turn leverages Kudu <https://github.com/projectkudu/kudu> for continuous deployment of the app from source control providers such as GitHub or Bitbucket. […] <https://docs.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment>
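SSRF, the first of the two flaw classes mentioned above, arises when a server fetches a URL on a user's behalf without checking where that URL actually leads. The following is an added example, not code from Intezer's report or from Azure App Service, of the check a server-side fetcher should run before connecting: it allows only http/https, resolves the host, and rejects any resolved address in loopback, RFC 1918, link-local (which includes the 169.254.0.0/16 range used by cloud instance-metadata services) or other non-public ranges, unwrapping IPv4-mapped IPv6 addresses first. The resolver is injectable so the check can be tested with a constructed name table; the hostnames in that table are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never reach on a user's behalf: "this host",
# RFC 1918, CGNAT, loopback, link-local (cloud metadata lives here), multicast,
# reserved, plus the IPv6 equivalents. TEST-NET documentation ranges are
# deliberately not listed so the example can use them as "public" addresses.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host: str):
    """Resolve to every address the name has (A and AAAA); all of them get checked."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked(addr: str) -> bool:
    """True if the address falls in a range the fetcher must not contact."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in BLOCKED_NETS)


def validate_fetch_target(url: str, resolve=default_resolver):
    """Return (host, [addresses]) the fetcher may connect to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: nothing to resolve
    except ValueError:
        addrs = resolve(host)                       # hostname: check what it resolves to
    if not addrs:
        raise ValueError(f"unresolvable host: {host}")
    for a in addrs:
        if is_blocked(a):
            raise ValueError(f"{host} resolves to blocked address {a}")
    return host, addrs


if __name__ == "__main__":
    # Constructed name table standing in for DNS so the demo runs offline.
    table = {"app.example": ["203.0.113.10"], "localhost": ["127.0.0.1"]}
    for u in ("https://app.example/api", "http://localhost:8080/", "http://169.254.169.254/"):
        try:
            print(u, "->", validate_fetch_target(u, table.get))
        except ValueError as e:
            print(u, "-> rejected:", e)
```

Two caveats a practitioner would add: the connection must be made to the address that was validated (resolving a second time inside the HTTP client reopens the door to DNS rebinding), and every redirect the fetch follows must go through the same check.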
Yes, Office 365, Outlook, and all the rest of Microsoft's Software-as-a-Services are down yet again.
The risks? Software, Microsoft, cloud computing, software-as-a-“service”
The botnet is often used to drop ransomware, which officials fear could snarl voter registration.
In recent weeks, the U.S. military has mounted an operation to temporarily disrupt what is described as the world's largest botnet - one used also to drop ransomware, which officials say is one of the top threats to the 2020 election.
U.S. CyberCommand's campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter's sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.
The effort is part of what Gen. Paul Nakasone, the head of CyberCommand, calls “persistent engagement,” or the imposition of cumulative costs on an adversary by keeping them constantly engaged. And that is a key feature of CyberCom's activities to help protect the election against foreign threats, officials said.
“Right now, my top priority is for a safe, secure, and legitimate 2020 election,” Nakasone said in August in a set of written responses to Washington Post questions. “The Department of Defense, and CyberCommand specifically, are supporting a broader ‘whole-of-government’ approach to secure our elections.”
Trickbot is malware that can steal financial data and drop other malicious software onto infected systems. Cyber-criminals have used it to install ransomware, a particularly nasty form of malware that encrypts users' data and for which the criminals then demand payment - usually in cryptocurrency - to unlock. […] https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html -or- https://www.chron.com/news/article/Cyber-Command-has-sought-to-disrupt-the-world-s-15635373.php
Pennsylvania's online system for registering to vote and applying for and tracking mail ballots crashed over the weekend, triggering an outage that stretched for more than 40 hours and prompted frustration from voters weeks before critical election deadlines.
State officials managed to restore the site Monday morning and blamed the problem on an equipment failure at a data center run by an outside contractor. They did not believe any data had been lost or that malicious physical or cyber activity was behind the outage.
Nicole Perlroth, The New York Times, 3 Oct 2020, via ACM TechNews, 5 Oct 2020
Philadelphia-based software provider eResearch Technology (ERT) was hit two weeks ago by a ransomware attack that has slowed clinical trials. The exploit started when ERT workers learned that they were locked out of their data, and clients said this forced researchers to move certain clinical trials to pen and paper. ERT's Drew Bustos on Friday verified that ransomware had hijacked company systems on Sept. 20, when the firm took its systems offline, called in outside cybersecurity experts, and alerted the U.S. Federal Bureau of Investigation. Affected customers included IQVIA, the contract research organization helping manage AstraZeneca's Covid-19 vaccine trial, and drug maker Bristol Myers Squibb, which is leading a consortium in developing a rapid test for coronavirus.
Thomas Macaulay, The Next Web, 29 Sep 2020
Human Rights Watch warns a flawed algorithm for calculating monthly social security benefits in Britain is causing hunger, debt, and psychological distress. The model measures changes in their earnings to dole out payments, but the non-governmental organization said the algorithm only analyzes wages people receive within a calendar month, and ignores frequency of payment. This means people who get multiple monthly paychecks can have their earnings overestimated, with their welfare payments dramatically reduced as a result. Human Rights Watch's Amos Toh said, “The government's bid to automate the benefits system—no matter the human cost—is pushing people to the brink of poverty.”
Scientists 3D-printed sea turtle eggs and stuffed transmitters inside. When poachers pulled them out of nests, the devices tracked their every move.
It's true that the list of jobs that were once manual but which are now done by machines with just a small amount of human oversight, or none at all, grows ever longer.
‘When these robots are good enough, you don't necessarily want them to be remote-controlled, you want them to be automatic,’ he says. ‘That's when you cut out the workers.’
Where staff shortages for certain roles are chronic and increasingly acute, a robot substitute may be an optimal replacement choice. Robot life cycle economics, like all machine v. human business investment decisions (employment), augurs against people engaged to perform routine and repetitive tasks.
I recall the Scientific American from Sep 1982 entitled, “The Mechanization of Work”, where robotic integration into manufacturing processing, and other industries, was described. This issue also raised economic dislocation prospects as a result of robotic substitution for human participation. https://www.scientificamerican.com/magazine/sa/1982/09-01/
Risks: Malicious tele-hack (remote or insider), computer crash, mechanical malfunction, stock damage, economic disenfranchisement.
> Accepted new job in March. Didn't quit old job. Apparently does both jobs at home in 55 hours/week. Neither company knows yet. Might have reversed the [companies], not sure.
I have so many thoughts on this.
Huston says the Internet is a 'gigantic vanity-reinforcing distorted TikTok selfie' and web security is 'the punchline to some demented sick joke'. But Australia's first Privacy Commissioner thinks he's being optimistic. […]
Psychographics are back in the news as part of the US election cycle, four years after the Cambridge Analytica scandal made the term mainstream.
This week, CB Insights published a useful primer on psychographics, which they describe as one of the dark arts of social media and Internet marketing.
Let me get this straight: “The process takes about five minutes per ballot” — so it can be converted to a form that can be counted by a machine in 0.001 second? Hasn't it occurred to anyone there that the ballots could just be counted manually?
Someone there must be nominated for the next Ig-Nobel Prize for political sciences…
Henry Baker reported that his Mac's clock was 2-3 minutes slow, and that he couldn't see how to change the time server.
I administer a fleet of Macs, and they all use Apple time servers. Most use time.apple.com; our Macs in China use time.asia.apple.com.
Three Macs chosen at random all have clocks matching the time displayed at https://time.gov (to within 1 second).
That website, operated by the NIST (National Institute of Standards and Technology), displays the official US time. NIST also offers NTP (Network Time Protocol) servers available at nist.time.gov.
Apple has three default time servers depending on your location:
Changing the time server on a Mac is incredibly easy:
Hope this helps Henry, and anyone else facing similar issues.
> Is it just me, or do other people find that MacOS keeps their clock 2-3 minutes early?
It's just you.
I'm typing this on a Macbook running MacOS Catalina, and its time agrees with my NTP synced FreeBSD server to the second.
The MacOS date and time preferences menu has an option to NTP sync to one of Apple's servers. It's turned on by default but you might check to see if somehow you turned it off.
I've thankfully never had this issue, which is just as well since I do two weekly radio shows for an Internet radio station, as well as occasional online DJ shows.
I'm based in the UK, so my iMac is set to take its time signal from Apple's European time server. I'm also still on macOS Mojave, as I've been put off by the reports of issues with Catalina.
As for what might be causing the issue that Henry is seeing, I can think of a few possible causes:
1. A problem with whichever Apple time server Henry's Mac defaults to.
2. A problem in the time synchronisation code in the version of macOS that Henry's Mac is running.
3. Henry's ISP perhaps intercepting NTP traffic and making it go to their time server, which is running fast.
I'll admit, the last one seems unlikely, but it's not as if ISPs have much compunction against fiddling with their customer's traffic in the past. My gut instinct, however, is that this is more likely to be a problem at Apple's end.
> I didn't see any easy way to change the time server that this machine consults, so it remains early.
System Preferences -> Date & Time -> Date & Time tab.
Unlock (using the icon in the bottom-left corner) if necessary.
The field labeled Set date and time automatically looks like a simple dropdown with a set selection of options, but you can actually type in any domain name you wish.
For what it's worth, my laptop syncs with time.apple.com and has the same time as my cell phone (which receives its date and time from my carrier) and the master clock time reported by the US Naval Observatory at https://www.usno.navy.mil/USNO.
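Several replies in this thread compare a Mac's clock against an NTP-synced reference. The following added example (not code from Apple, NIST or any contributor to the thread) shows what that comparison consists of at the protocol level: it builds an NTP client request, parses a server reply, and computes the clock offset and round-trip delay from the four timestamps as NTP defines them. A reply is constructed inline with a server 150 seconds ahead of the client, the kind of 2-3 minute discrepancy the original question describes; the `query` function performs a live exchange against time.apple.com (the default server named above) when network access is available.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, reference id,
# then reference / origin / receive / transmit timestamps (64-bit each) = 48 bytes.
PACKET_FMT = "!BBBb3I4Q"
PACKET_LEN = struct.calcsize(PACKET_FMT)


def to_ntp(unix_s: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_s)
    frac = unix_s - whole
    return ((whole + NTP_EPOCH_DELTA) << 32) | int(frac * (1 << 32))


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds as a float."""
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1_unix: float) -> bytes:
    """Client request: LI=0, version 4, mode 3; our send time goes in the transmit field."""
    return struct.pack(PACKET_FMT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1_unix))


def parse_response(data: bytes) -> dict:
    """Extract stratum and the origin (T1 echo), receive (T2) and transmit (T3) times."""
    if len(data) < PACKET_LEN:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref_ts, orig, recv, xmit) = struct.unpack(PACKET_FMT, data[:PACKET_LEN])
    if li_vn_mode & 0x07 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if stratum == 0:
        raise ValueError("kiss-o'-death / unsynchronised server (stratum 0)")
    if (li_vn_mode >> 6) == 3:
        raise ValueError("server clock not synchronised (LI=3)")
    return {"stratum": stratum, "t1": from_ntp(orig), "t2": from_ntp(recv), "t3": from_ntp(xmit)}


def clock_offset(t1: float, t2: float, t3: float, t4: float):
    """Offset and round-trip delay from the four NTP timestamps (RFC 5905 formulas).
    A positive offset means the local clock is behind the server."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def query(server: str = "time.apple.com", timeout: float = 2.0):
    """Live query (needs network). Returns (offset_seconds, delay_seconds, stratum)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    r = parse_response(data)
    if abs(r["t1"] - t1) > 1e-3:  # reply must echo our origin timestamp
        raise ValueError("origin timestamp mismatch; reply does not belong to this request")
    offset, delay = clock_offset(t1, r["t2"], r["t3"], t4)
    return offset, delay, r["stratum"]


if __name__ == "__main__":
    # Constructed exchange: server clock 150 s ahead, 0.1 s round trip, 10 ms server hold time.
    t1 = 1_602_000_000.25
    t2, t3, t4 = t1 + 150.05, t1 + 150.06, t1 + 0.11
    reply = struct.pack(PACKET_FMT, 0x24, 2, 6, -20, 0, 0, 0,
                        to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))
    r = parse_response(reply)
    print("offset %.3f s, delay %.3f s" % clock_offset(t1, r["t2"], r["t3"], t4))
```

The origin-timestamp check in `query` is the minimal sanity test on an unauthenticated UDP reply; a client that skips it will accept any datagram that arrives on the socket. A persistent offset of the size shown here against several independent servers points at the local clock or its sync configuration rather than at any one server.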