The RISKS Digest
Volume 32 Issue 33

Saturday, 24th October 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Air Force updates code on plane mid-flight
The Aviationist
Alexa Causes Evacuation Panic in Boulder County, Colorado
William Kucharski
Experts: Florida Voting Machines Ripe for Foreign Hackers
John Pacenti
FDA Hid Names of Dietary Supplements Linked to Hundreds of Reports of Harm
Consumer Reports
Censorship or Sensibility?
The Intercept
Six Russians Tied to Hacks Around Globe
NYTimes
We've collected tens of millions of posts to underground crime forums
Ross Anderson
Exponential growth in DDoS attack volumes
Google
The Contest to Protect Almost Everything on the Internet
Sara Castellanos
Researchers find huge, sophisticated black market for trade in online 'fingerprints'
techxplore.com
Annoying-as-hell ransomware attack in Finland
mikko
Adblockers installed 300,000 times are malicious and should be removed now
Ars Technica
POTUS Twitter account reportedly hacked by Dutch whitehat
Volkskrant
A shadowy AI service has transformed thousands of women's photos into fake nudes: “Make fantasy a reality''
WashPost
The AI that spots Alzheimer's from cookie drawing
bbc.com
Twitter is currently down, perhaps globally
Lauren Weinstein
How does Google's monopoly hurt you?
WashPost
DHS, USCIS to Modernize, Define the Collection of Biometrics
Thomson Kuhn
Sony PS5 enables voice recording
The Verge
Paleontologists See Stars as Software Bleeps Scientific Terms
NYTimes
Ailments in Covid-19 Trials Raise Questions About Vaccine Method
Bloomberg
Networking Theory and Superspreader Events
Rob Slade
Some notes on publishing
Rob Slade
Cochlear and bone conduction implants to mitigate hearing
Richard Stein
'E.T.' 1982 Atari Game: The True Story Behind the Worst Video Game Ever
MelMagazine
Re: Fifth of countries at risk of ecosystem collapse
Richard Stein
Re: Why cars are more "fragile": more technology has reduced robustness
Wol
Re: SpaceX Is Building a Military Rocket to Ship Weapons Anywhere in the World in 1 hour
David Alexander Erling Kristiansen
Re: A different way the news is dividing America
John Levine Richard Stein John R. Levine Steve Bacher
Re: Continuous glucose monitoring/insulin dosing systems
Richard Stein
Info on RISKS (comp.risks)

Air Force updates code on plane mid-flight (The Aviationist)

Steve Klein <steven@klein.us>
Tue, 20 Oct 2020 13:14:38 -0400
U.S. Air Force Performs First Ever Code Change On A Flying U-2 Spyplane
Running Kubernetes

Story: https://theaviationist.com/2020/10/19/u-s-air-force-performs-first-ever-code-change-on-a-flying-u-2-spyplane-running-kubernetes/

Comment: What could possibly go wrong?


Alexa Causes Evacuation Panic in Boulder County, Colorado

William Kucharski <kucharsk@mac.com>
Mon, 19 Oct 2020 03:25:19 -0600
Due to a wildfire, the Boulder County, CO Office of Emergency Management
issued an evacuation order for a region and, to reach people who may not
have had power, they also had the NWS issue a civil evacuation message via
NOAA All Hazards Radio (typically used by NWS for severe weather, but its
charter includes dissemination of all official Government warning messages.)

However, the WRSAME codes used to encode location data on AHR can only be
delineated down to a county or portion of county.

Normally this isn't an issue as the accompanying voice message broadcast on
NOAA AHR gives further information as to the nature of the hazard and the
actions required.

However, third-party services like Amazon's Alexa only parse the geographic
area and the type of alert from the data header. This normally results in
people in the county being alerted there is a Tornado Warning, for example.

However, this time this resulted in Boulder County residents as a whole
being warned by their Alexa devices that they needed to evacuate their
homes, causing confusion, fear and some panic.

It's hard to know how this could be fixed in the future without inserting a
human into the loop to listen to or read the actual message sent and
intervene accordingly.

https://www.boulderoem.com/issue-with-noaa-weather-radio-alert/
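
The failure mode above follows directly from what the digital SAME header
can carry. The parser below is an added example (not part of the
submission above) that extracts every field a header-only consumer can
see: an originator, an event code, a list of county FIPS codes (optionally
narrowed to ninths of a county), a validity period, an issue time and a
sender ID. The header layout is the public SAME format
ZCZC-ORG-EEE-PSSCCC[-PSSCCC...]+TTTT-JJJHHMM-LLLLLLLL-; the sample headers,
and EVENT_NAMES as a small subset of the real event-code table, are
constructed for the example.

```python
"""Parse a NOAA Weather Radio / EAS SAME header.

Added example (not part of the submission above). The header format is the
public SAME layout ZCZC-ORG-EEE-PSSCCC[-PSSCCC...]+TTTT-JJJHHMM-LLLLLLLL-;
the sample headers below are constructed, and EVENT_NAMES is a small subset
of the real event-code table.
"""
import re

EVENT_NAMES = {
    "TOR": "Tornado Warning",
    "SVR": "Severe Thunderstorm Warning",
    "EVI": "Evacuation Immediate",
    "CEM": "Civil Emergency Message",
}

HEADER_RE = re.compile(
    r"^ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z]{3})"
    r"(?P<areas>(?:-\d{6})+)\+(?P<purge>\d{4})"
    r"-(?P<issued>\d{7})-(?P<sender>[^-]{8})-$"
)


def parse_same(header: str) -> dict:
    """Return every field a header-only consumer can extract."""
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError(f"not a SAME header: {header!r}")
    areas = []
    for code in m.group("areas").strip("-").split("-"):
        # PSSCCC: P = portion of county (0 = whole county, 1-9 = ninths),
        # SS = state FIPS, CCC = county FIPS. There is no finer resolution.
        portion, state, county = int(code[0]), code[1:3], code[3:6]
        areas.append({
            "state_fips": state,
            "county_fips": county,
            "portion": "whole county" if portion == 0 else f"ninth {portion}",
        })
    purge = m.group("purge")
    return {
        "originator": m.group("org"),   # e.g. WXR (NWS), CIV (civil authority)
        "event": m.group("event"),
        "event_name": EVENT_NAMES.get(m.group("event"), "unknown event"),
        "areas": areas,
        "valid_minutes": int(purge[:2]) * 60 + int(purge[2:]),
        "issued_jjjhhmm": m.group("issued"),
        "sender": m.group("sender"),
    }


def header_only_alert(header: str) -> str:
    """The most a device that ignores the voice message can say: an event
    type and a list of counties (or ninths of counties). Any 'only this
    neighbourhood' detail in the spoken message is invisible here."""
    p = parse_same(header)
    where = ", ".join(
        f"{a['state_fips']}{a['county_fips']} ({a['portion']})" for a in p["areas"]
    )
    return f"{p['event_name']} for FIPS {where}, valid {p['valid_minutes']} min"


# Constructed sample: an evacuation message coded for all of FIPS 08013.
SAMPLE_EVACUATION = "ZCZC-CIV-EVI-008013+0100-2911500-KBOU/NWS-"

if __name__ == "__main__":
    print(header_only_alert(SAMPLE_EVACUATION))
```

Run stand-alone it prints the county-wide evacuation text; the point is
that nothing in the parsed dictionary could tell a device which part of
the county the voice message actually named.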


Experts: Florida Voting Machines Ripe for Foreign Hackers (John Pacenti)

ACM TechNews <technews-editor@acm.org>
Wed, 21 Oct 2020 12:05:06 -0400 (EDT)
via ACM TechNews, Wednesday, October 21, 2020

Experts: Florida Voting Machines Ripe for Foreign Hackers
Government Technology (10/16/20) John Pacenti

Computer scientists have expressed concerns about the security of voting
machines used in 49 Florida counties. Although election officials claim the
machines are not vulnerable to remote hacking because they are never
connected to the Internet, the DS200 voting tabulator uses a wireless
connection to transmit results. Finnish computer scientist Harri Hursti said
the machine features software that operates like a cellphone and uses
Internet Protocol when connecting to the wireless network. Princeton
University's Andrew Appel said a hacker could penetrate a border router from
the Internet or by walking near a polling place with a Stingray, a portable
device that can capture data by mimicking a cellphone tower.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-279a2x225bc1x066052&


FDA Hid Names of Dietary Supplements Linked to Hundreds of Reports of Harm (Consumer Reports)

geoff goodfellow <geoff@iconia.com>
Sat, 17 Oct 2020 19:44:07 -1000
https://www.consumerreports.org/dietary-supplements/fda-hid-names-of-dietary-supplements-linked-to-hundreds-of-reports-of-harm/


Censorship or Sensibility? (The Intercept)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 19 Oct 2020 11:48:13 PDT
Just weeks before the election, the tech giants unite to block access to
incriminating reporting about their preferred candidate.  [...]

https://theintercept.com/2020/10/15/facebook-and-twitter-cross-a-line-far-more-dangerous-than-what-they-censor/


Six Russians Tied to Hacks Around Globe (NYTimes)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 20 Oct 2020 12:52:31 PDT
Michael S. Schmidt and Nicole Perlroth, *The New York Times*, 20 Oct 2020
  (front page, National Edition)

This article considers the charges that have just been unsealed relating to
"an aggressive worldwide hacking campaign that caused mass disruption and
cost billions of dollars attacking targets like a French presidential
election, the electricity grid in Ukraine and Internet access to the 2018
Winter Olympics."

John Demers (Asst AG for national security) is quoted: "Their cyberattack
combined the emotional maturity of a petulant child with the resources of a
nation-state."


We've collected tens of millions of posts to underground crime forums (Ross Anderson)

geoff goodfellow <geoff@iconia.com>
Fri, 16 Oct 2020 13:32:19 -1000
They're not just an amazing resource for research in cybersecurity and
criminology, but also for natural language processing:
https://www.lightbluetouchpaper.org/2020/10/15/three-paper-thursday-applying-natural-language-processing-to-underground-forums/
via https://twitter.com/rossjanderson/status/1317070576696123393


Exponential growth in DDoS attack volumes (Google)

geoff goodfellow <geoff@iconia.com>
Fri, 16 Oct 2020 13:27:49 -1000
Security threats such as distributed denial-of-service (DDoS) attacks
disrupt businesses of all sizes, leading to outages, and worse, loss of
user trust. These threats are a big reason why at Google we put a premium
on service reliability that's built on the foundation of a rugged network.

To help ensure reliability, we've devised some innovative ways to
defend against advanced attacks. In this post, we'll take a deep
dive into DDoS threats, showing the trends we're seeing and
describing how we prepare for multi-terabit attacks, so your sites stay up
and running.

Taxonomy of attacker capabilities

With a DDoS attack, an adversary hopes to disrupt their victim's service
with a flood of useless traffic. While this attack doesn't expose user data
and doesn't lead to a compromise, it can result in an outage and loss of
user trust if not quickly mitigated.

Attackers are constantly developing new techniques to disrupt systems. They
give their attacks fanciful names, like Smurf, Tsunami, XMAS tree, HULK,
Slowloris, cache bust, TCP amplification, javascript injection, and a dozen
variants of reflected attacks. Meanwhile, the defender must consider every
possible target of a DDoS attack, from the network layer (routers/switches
and link capacity) to the application layer (web, DNS, and mail servers).
Some attacks may not even focus on a specific target, but instead attack
every IP in a network. Multiplying the dozens of attack types by the
diversity of infrastructure that must be defended leads to endless
possibilities.

So, how can we simplify the problem to make it manageable? Rather than
focus on attack methods, Google groups volumetric attacks into a handful of
key metrics:

   - bps network bits per second: attacks targeting network links
   - pps network packets per second: attacks targeting network equipment
     or DNS servers
   - rps HTTP(S) requests per second: attacks targeting application servers

This way, we can focus our efforts on ensuring each system has sufficient
capacity to withstand attacks, as measured by the relevant metrics.  Trends
in DDoS attack volumes.   [...]
https://cloud.google.com/blog/products/identity-security/identifying-and-protecting-against-the-largest-ddos-attacks
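
An added example, not code from Google's post: the triage below reduces a
window of flow records to the three metrics the post names (bps, pps, rps)
and reports which layer the window pushes past a fraction of its capacity.
The Flow and Capacity records, the edge capacities, the 0.8 threshold and
the three constructed attack windows are assumptions made for the example.
It shows the reason for keeping all three metrics: a small-packet flood can
exhaust a device's packet budget while using a tenth of the link, and a
large-packet amplification flood does the reverse.

```python
"""Triage a traffic window by the three volumetric metrics the post
groups attacks into: bps (links), pps (network gear / DNS), rps (app
servers). Added example, not from Google's post; the flow records,
capacity figures and thresholds are constructed."""
from dataclasses import dataclass


@dataclass
class Flow:
    packets: int
    byte_count: int
    http_requests: int = 0   # only meaningful for L7 traffic


@dataclass
class Capacity:
    link_bps: float     # what the upstream links can carry
    device_pps: float   # what routers/firewalls/DNS can process
    app_rps: float      # what the web tier can serve


def window_metrics(flows: list, seconds: float) -> dict:
    """Reduce a window of flows to bps / pps / rps plus mean packet size."""
    packets = sum(f.packets for f in flows)
    bits = sum(f.byte_count for f in flows) * 8
    requests = sum(f.http_requests for f in flows)
    return {
        "bps": bits / seconds,
        "pps": packets / seconds,
        "rps": requests / seconds,
        "avg_packet_bytes": (bits / 8) / packets if packets else 0.0,
    }


LAYER_FOR_METRIC = {
    "bps": "network links",
    "pps": "network equipment / DNS servers",
    "rps": "application servers",
}


def saturated_layers(metrics: dict, cap: Capacity, threshold: float = 0.8) -> list:
    """Which layer(s) this window pushes past `threshold` of capacity.
    A window can stress one layer while looking harmless on the others,
    which is why one metric alone is a poor alarm."""
    ratios = {
        "bps": metrics["bps"] / cap.link_bps,
        "pps": metrics["pps"] / cap.device_pps,
        "rps": metrics["rps"] / cap.app_rps,
    }
    return [LAYER_FOR_METRIC[m] for m, r in ratios.items() if r >= threshold]


def triage(flows: list, seconds: float, cap: Capacity) -> dict:
    m = window_metrics(flows, seconds)
    return {"metrics": m, "saturated": saturated_layers(m, cap)}


# Constructed capacity for a small edge: 10 Gbit/s links, 2 Mpps devices,
# 50k rps application tier.
EDGE = Capacity(link_bps=10e9, device_pps=2e6, app_rps=50e3)

# Constructed 10-second windows.
SYN_FLOOD = [Flow(packets=20_000_000, byte_count=20_000_000 * 60)]        # tiny packets
AMPLIFICATION = [Flow(packets=8_000_000, byte_count=8_000_000 * 1400)]    # big UDP replies
HTTP_FLOOD = [Flow(packets=800_000, byte_count=800_000 * 500, http_requests=450_000)]

if __name__ == "__main__":
    for name, window in [("syn", SYN_FLOOD), ("amp", AMPLIFICATION), ("http", HTTP_FLOOD)]:
        print(name, triage(window, 10.0, EDGE)["saturated"])
```

With these figures the SYN window runs at 2 Mpps but under 1 Gbit/s, the
amplification window at 0.8 Mpps but almost 9 Gbit/s, and the HTTP window
is invisible on both network metrics while eating the application tier.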


The Contest to Protect Almost Everything on the Internet (Sara Castellanos)

ACM TechNews <technews-editor@acm.org>
Mon, 19 Oct 2020 12:04:59 -0400 (EDT)
Sara Castellanos, *The Wall Street Journal*, 7 Oct 2020, via ACM TechNews,
19 Oct 2020

Hundreds of the world's leading cryptographers are participating in a
competition overseen by the U.S. National Institute of Standards and
Technology to develop new encryption standards for protecting online data
against classical and quantum-computing cyberattacks. The contest aims to
replace commonly used public-key cryptography methods by 2023, including the
popular RSA approach, whose basis on integer factorization makes it
vulnerable to quantum computers. Cryptographers warn that hackers could
already be harvesting massive amounts of data to decrypt, in anticipation of
quantum computers. Among the most promising contest submissions are
algorithms based on mathematical lattices, which can resemble geometric
shapes with more than 1,000 dimensions.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-27924x225a4fx066851&


Researchers find huge, sophisticated black market for trade in online 'fingerprints' (techxplore.com)

Richard Stein <rmstein@ieee.org>
Sat, 24 Oct 2020 09:28:14 +0800
https://techxplore.com/news/2020-10-huge-sophisticated-black-online-fingerprints.html

"Impersonation-as-a-Service: Characterizing the Emerging Criminal
Infrastructure for User Impersonation at Scale" @
https://arxiv.org/pdf/2009.04344.pdf details "evidence of an emerging
criminal infrastructure enabling impersonation attacks at
scale. Impersonation-as-a-Service (IMPaaS) allows attackers to
systematically collect and enforce user profiles (consisting of user
credentials, cookies, device and behavioural fingerprints, and other
metadata) to circumvent risk-based authentication system and effectively
bypass multi-factor authentication mechanisms."

The authors attribute leaked credentials, phishing kits, and malware as key
attack strategies contributing to IMPaaS operations.

Excellent detective work and research reveal the scope and sophistication of
this criminal enterprise, a worrisome synthesis of technical skills and
motivation to rake profit from targeted individuals. The IMPaaS business
model and life cycle is explored in substantial detail.


Annoying-as-hell ransomware attack in Finland (mikko)

danny burstein <dannyb@panix.com>
Sat, 24 Oct 2020 19:09:29 +0000
Highly unusual ransom case underway here in Finland: a private psychotherapy
clinic was hacked, and the therapist notes for maybe even 40,000 patients
were stolen. Now the attacker has emailed the victims, asking each for 200
[euros] ransom in Bitcoin.

rest (thread, some in Finnish):
https://twitter.com/mikko/status/1320061214647439360


Adblockers installed 300,000 times are malicious and should be removed now (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 20 Oct 2020 20:44:23 -0400
https://arstechnica.com/information-technology/2020/10/popular-chromium-ad-blockers-caught-stealing-user-data-and-accessing-accounts/


POTUS Twitter account reportedly hacked by Dutch whitehat (Volkskrant)

Richard Forno <rforno@infowarrior.org>
Thu, 22 Oct 2020 11:10:58 -0400
Dutch Ethical Hacker Logs into Trump's Twitter Account
https://www.volkskrant.nl/nieuws-achtergrond/dutch-ethical-hacker-logs-into-trump-s-twitter-account~badaa815/

Last week a Dutch security researcher succeeded in logging into the Twitter
account of the American President Donald Trump. Trump, an active Twitterer
with 87 million followers, had an extremely weak and easy to guess password
and had according to the researcher, not applied two-step verification.

On Friday morning, almost absentmindedly, Gevers tries a number of passwords
and their variations. On the fifth attempt: bingo! He tries `maga2020'
(short for make America great again) and suddenly finds himself in the
Twitter account of the American President. He is flabbergasted. Gevers: “I
expected to be blocked after four failed attempts. Or at least would be
asked to provide additional information.''  None of that.

On that Friday morning, Gevers has access to what is perhaps the most
important Twitter account in the world and is in a position to send a
message to 87 million people, the attentive world press, and government
leaders. Gevers: “I did think: Here we go again.''

  [This item needs some verification.  A screenshot is provided.]
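
The control the account reportedly lacked, as an added example that is
not Twitter's or the researcher's code: a login guard that counts
consecutive failures per account and refuses even the correct password for
a lockout period after the fourth one. User names, passwords, the
four-attempt limit and the 15-minute lockout are constructed assumptions;
the clock is injectable so the lockout can be exercised without waiting.

```python
"""Failed-login throttling: the control the account described above lacked.
Added example, not Twitter's or the researcher's code; user names,
passwords and the four-attempt limit are constructed assumptions."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 4          # lock after the fourth consecutive failure
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000   # kept modest so the example runs quickly


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                       # injectable for testing
        self.users = {}                          # name -> (salt, pbkdf2 hash)
        self.failures = defaultdict(int)         # consecutive failures per name
        self.locked_until = {}                   # name -> clock deadline
        # Dummy credential so unknown users cost the same as known ones.
        self._dummy = (os.urandom(16), bytes(32))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'bad-password' or 'locked'. A locked account rejects
        even the correct password until the lockout expires, and the reply
        never reveals whether the user exists."""
        now = self.clock()
        if now < self.locked_until.get(user, 0.0):
            return "locked"
        salt, stored = self.users.get(user, self._dummy)
        ok = hmac.compare_digest(self._hash(password, salt), stored) and user in self.users
        if ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)
            return "locked"
        return "bad-password"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("demo", "correct horse battery staple")   # constructed
    for guess in ["maga2016", "maga2019", "Maga2020", "maga2020"]:
        print(guess, "->", guard.attempt("demo", guess))
    print("right password while locked ->",
          guard.attempt("demo", "correct horse battery staple"))
```

Lockout by itself is also a denial-of-service lever against a known user
name, which is why production systems pair it with per-source throttling
and a second factor rather than relying on it alone.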


A shadowy AI service has transformed thousands of women's photos into fake nudes: “Make fantasy a reality'' (WashPost)

Monty Solomon <monty@roscom.com>
Tue, 20 Oct 2020 17:46:39 -0400
More than 100,000 photos of women have had their clothing removed by the
software, including of girls younger than 18.  “Would a lab not
dominated by men have been so cavalier and so careless about the
risks?''

https://www.washingtonpost.com/technology/2020/10/20/deep-fake-nudes/


The AI that spots Alzheimer's from cookie drawing (bbc.com)

Richard Stein <rmstein@ieee.org>
Fri, 23 Oct 2020 10:34:22 +0800
https://www.bbc.com/news/technology-54538228

"The AI model, developed by IBM Research and pharmaceutical giant Pfizer,
uses natural language processing to analyse short excerpts of speech taken
from the Cookie Theft cognitive test. The test, used for many years in the
diagnosis of dementia and other cognitive illnesses, asks people to describe
what they see in the picture.

"The AI spotted subtle changes to language, such as grammatical errors and
different sentence structure, which indicate cognitive decline."

https://www.researchgate.net/publication/332061806_Describing_the_Cookie_Theft_picture_Sources_of_breakdown_in_Alzheimer's_dementia
explains Cookie Theft test merit and apparent success: "Speech-language
pathologists routinely use picture description tasks to assess expository
discourse in clients with disorders such as aphasia and dementia."

https://catless.ncl.ac.uk/Risks/search?query=speech+recognition&evol=1&lvol=32
reveals 37 prior comp.risks submissions and replies.

Speech can be used as a bio-marker to assist neurological health
assessment. See https://en.wikipedia.org/wiki/Speech_disorder.

Automated speech recognition has at least a 5% false positive/false negative
conversion-to-text error rate.

Applying this technology to indicate dementia or Alzheimer's risks appears
convenient, especially if there's a deficit of specialized and qualified
personnel. As a definitive diagnostic tool, there's much to improve. The
essay acknowledges deficiencies.


Twitter is currently down, perhaps globally

Lauren Weinstein <lauren@vortex.com>
Thu, 15 Oct 2020 15:04:13 -0700
Twitter is currently down, perhaps globally


How does Google's monopoly hurt you? (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Tue, 20 Oct 2020 01:17:52 -0400
Right under our noses, the Internet's most-used website has been getting
worse.

https://www.washingtonpost.com/technology/2020/10/19/google-search-results-monopoly/


DHS, USCIS to Modernize, Define the Collection of Biometrics

Thomson Kuhn <tmk000@gmail.com>
Sat, 17 Oct 2020 15:05:02 -0400
  [Unfortunately, the comment period has closed.]

*The proposed rule would authorize biometrics collection for identity
verification in addition to new techniques. Voice, iris and facial
recognition technologies are fast, accurate ways to confirm the identity of
an applicant that don't require physical contact.  The proposed rule also
authorizes DHS to collect DNA or DNA test results to verify a claimed
genetic relationship when the applicant or petitioner is unable to provide
sufficient documentary evidence to establish the claimed relationship. Using
DNA or DNA test results to help establish *family units* would help
petitioners and DHS verify claims of genetic relationships and keep adults
who are in custody from misrepresenting themselves as biological parents of
minors who are not related to them. By using DNA or DNA tests to establish
bona-fide genetic relationship between adults and minors in DHS custody, DHS
can better protect the well-being of children.*

https://www.dhs.gov/news/2020/09/01/dhs-uscis-modernize-define-collection-biometrics


Sony PS5 enables voice recording (The Verge)

Henry Baker <hbaker1@pipeline.com>
Sat, 17 Oct 2020 14:44:56 -0700
  "Anything you say in a voice chat *could* be sent to Sony without your
  explicit consent"
  "It doesn't seem as if Sony is actively listening to *all* of your
  conversations you're having with your pals"

Is it just me, or do others think that this 'feature' may run afoul of many
*state laws* regarding the consents necessary for the recording of
conversations?

Jay Peters@jaypeters, *The Verge*,  14 Oct 2020
Sony will let PS5 owners record their voice chats and snitch on fellow players
The perhaps unwelcome feature arrived as part of the PS4's 8.0 update
https://www.theverge.com/2020/10/14/21516928/sony-ps5-playstation-5-owners-record-listen-voice-chats-moderation-4-8-0-software-update

Some PlayStation 4 users who downloaded the latest 8.0 update got an
unwelcome surprise this morning: their console informed them that Sony had
the right to record their voice for moderation purposes.

Here are some examples:

Not only did sony break every ps4 due to how bad the update was,
they're even recording us #PS4 pic.twitter.com/006eQznRdf

-- Mini (@_Minii17) October 14, 2020

So apparently, in case y'all didn't know this beforehand. But
apparently the newest Sony update to the PS4 and will continue onto 5
will be recording your voice while in party chat. pic.twitter.com/T0VIbwIpZe

-- TSN | Ittarra BooOda : Still recovering (@IttarraOda) October 14, 2020

Initially, the update's release notes contained no mention of voice
recordings. But at some point today, Sony clarified what the messages meant
in an update to its official blog post.

Here is Sony's exact language:

Following this update, users are seeing a notification about Party Safety
and that voice chats in parties may be recorded. Voice chat recording for
moderation is a feature that will be available on PS5 when it launches, and
will enable users to record their voice chats on PS5 and submit them for
moderation review. The pop up you're seeing on PS4 right now is to let you
know that when you participate in a chat with a PS5 user (post-launch), they
may submit those recordings from their PS5 console to SIE.

To translate that statement, it seems that by joining a voice chat, even
with the older PlayStation 4, your voice can be recorded and submitted to
Sony for moderation by another user. This could certainly be invasive—in
theory, anything you say in a voice chat could be sent to Sony without your
explicit consent. But the feature could also be a useful tool to help people
report bad party members that may be harassing them.

Based on Sony's language, it doesn't seem as if Sony is actively listening
to all of your conversations you're having with your pals during your latest
rounds of Fall Guys.

The 8.0 software also changes the way parties and messages work and adds new
avatars, parental communication controls, and support for authenticator apps
for two-factor authentication.

And in another move to prepare for the PS5's launch, Sony has rebranded the
PS4 Remote Play mobile, Mac, and PC apps to PS Remote Play, and you'll be
able to use the app to connect to a PlayStation 5 when the new console
launches next month.


Paleontologists See Stars as Software Bleeps Scientific Terms (NYTimes)

Jan Wolitzky <jan.wolitzky@gmail.com>
Mon, 19 Oct 2020 05:42:34 -0400
https://www.nytimes.com/2020/10/18/science/paleontology-banned-words-convey.html


Ailments in Covid-19 Trials Raise Questions About Vaccine Method (Bloomberg)

geoff goodfellow <geoff@iconia.com>
Sat, 17 Oct 2020 19:43:23 -1000
https://www.bloomberg.com/news/articles/2020-10-17/ailments-in-covid-19-trials-raise-questions-about-vaccine-method
   or
https://www.msn.com/en-us/health/medical/ailments-in-covid-19-trials-raise-questions-about-vaccine-method/ar-BB1a7yuE


Networking Theory and Superspreader Events

Rob Slade <rmslade@shaw.ca>
Sat, 17 Oct 2020 11:23:18 -0700
Recently there has been a great deal of concern about the exact
interpretation of rules about how many people you can have at your dinner
party, or wedding, or funeral, or school classroom (or funeral following a
dinner party).  Journalists are tasking medical experts for precise numbers.
People are saying they won't follow *the rules* because they aren't clear.
That's kind of like saying that you won't wear warm clothes when you go out
because the weather forecast is predicting five to thirty millimetres of
rain, and that isn't explicit enough.

Very few people understand formal, mathematical, networking theory,
including many of those who work in the field of networking.  This seems to
be the basis of a great deal of the misunderstanding or objection to
limitations on gathering numbers.

First of all, the more people you are in contact with, the greater your risk
of getting this (or any other communicable) disease.  The closer the
contact, the greater the risk.  The longer the contact, the greater the
risk.  This is basic.  Location, duration, relation.

In regard to numbers, *the rules* are different in different places.  And
they are *best guess* advice.  Nobody can say that a dinner party of six is
safe, but a dinner party of seven will result in someone getting CoVID.
However, let's take six as an example.  You can have a dinner party with
five other people.  That's probably OK.  But if you then have another five
people over for dinner the next night, and then five more over the night
after that, by the end of two weeks (which is a good period to consider
because it is widely acknowledged as the rough estimate of when most people
will be infectious) you will have had dinner with seventy people.  Six
people might be relatively safe.  Seventy people is definitely getting
dangerous.  Keeping your individual party small is not terribly safe if you
keep having a lot of different parties.

And that's just basic numbers, even before we start to add in the real
networking aspects.  If you have five people over for dinner, were each of
them out to dinner with five other people the night before?  You now have
indirect contact with twenty-five people with your small dinner party.  And
if we go back to the day before that, you then have third-party contact with
one hundred and twenty-five people.  (By the time we get back two weeks, you
are almost exceeding the population of the planet.)  In terms of sexually
transmitted infections, it is often said that whenever you have sex with
someone, you have sex with everyone they ever had sex with.  That is the way
to think about how safe your small party is.

And that's just dinner.  If anyone in any of those circles plays football,
that adds contact with twenty-five more people, closely, and breathing very
heavily, for every practice, and fifty for every game.  Where do any of
those people work?  And, if still working, does their work environment
involve people/not many people, masks/no masks, partitions/no partitions?

And then there are the *bubbles*.  Originally, bubbles referred to your
household, and the people you couldn't avoid having contact with.  Then
people started to talk about expanding the bubbles, so that you could pick
one other family, or household, to bubble with, to safely (and even that's
questionable) expand your social circle.  After all, if you are taking
precautions, and the one other family is taking precautions, then it should
be reasonably safe.

The thing is, when talking about expanding the bubbles, people immediately
forgot that *one other* aspect.  One other family might be safe.  It's
manageable.  You know what's going on in that one other family.  But as soon
as you get beyond one other, all bets are off.  If you bubble with only two
other bubbles, and each of them bubbles with two others, then indirectly you
are connected with four other bubbles.  And if each of them is doing two
bubbles, then at third hand ...

Most of us humans aren't good at numbers.  We can usually “see” seven
items.  Anything more than that is just “a lot,” and we have only a
vague idea of how big anything is beyond that.  By dint of practice, we
learn arithmetic, but, aside from a relative few, it never really comes
naturally to us.  And exponential growth in numbers is something that seems
to be beyond our immediate comprehension.  This becomes very dangerous when
we are faced with having to make decisions, literally life and death
decisions, about how big of a network, and how many contacts, are safe, when
every additional contact increases the risk.  That is why public health
agencies try to provides rules with specific numbers.  The thing is, those
numbers are estimates.  They are not perfect.  That's why there is so little
agreement between them.  And each jurisdiction has slight differences in
environment and situation, which also modifies the numbers.  So many people
think that, if the numbers don't agree, then you can just ignore the rules.

The thing is, the public health agencies, and their calculations, may not be
perfect.  But they are based on work, and facts, and study, and expertise
that the agencies have, and you don't.  Their guesses may be guesses, but
they are better than yours.  Follow the rules.  Look for accommodation, not
loopholes.

Now go wash your hands.


Some notes on publishing

Rob Slade <rmslade@shaw.ca>
Wed, 21 Oct 2020 12:25:33 -0700
Well, I finished and turned in the text of my latest book at the end of
August.  (As I always say to those who want advice on getting published,
that's the easy part done.)  It won't actually be available in hard copy for
about another four months now, but, shortly thereafter, I did a search on
Amazon (using the title, "Cybersecurity Lessons from CoVID-19") and found
that the publisher had already announced it, and even given it an ISBN.  It
was (unsurprisingly) the first item that popped up when I searched using the
title.

(A note on titles: the title is not my fault.  It's the publisher who gets
the final say on titles.)

So, in the ongoing process of getting to print, I got the galley proofs
yesterday.  (I have to answer questions, check that they haven't added any
errors, and do the index.)  An error reminded me to check on Amazon again,
and see if the error was reproduced there.

I searched on the title again, and the results were quite different.  A
number of titles have had SEO (Search Engine Optimization) done on them in
the month or so since I first checked, and a number of titles having nothing
to do with security and CoVID popped up, even before mine.  In addition,
someone has produced a pamphlet entitled "Cybersecurity Lessons From the
COVID-19 Pandemic," which seems to be merely a "stay safe online" article.

There's more than one type of plagiarism in the publishing world these days ...


Cochlear and bone conduction implants to mitigate hearing

Richard Stein <rmstein@ieee.org>
Fri, 16 Oct 2020 11:34:12 +0800
This RISKS submission summarizes product problems and patient medical device
reports for cochlear and bone conduction implants extracted from the FDA's
Total Product Lifecycle (TPLC) reporting system.

Cochlear hearing-assist devices are implanted in a patient's middle ear,
connecting amplified audio output to the ear's bone structure. Battery
powered, they require periodic servicing. An overview of these devices can be
found here: https://en.wikipedia.org/wiki/Cochlear_implant. Digital signal
processors comprise part of these devices.

CI reprogramming via telehealth engagement:
https://www.yalemedicine.org/stories/remote-cochlear-implants/
Bone-conduction implantation:
https://www.earscience.org.au/clinic/hearing-implants/bone-conduction-implants

The FDA product code classification scheme allocates several product codes
to categorize hearing assist devices. The product codes classify device
regulatory scope, and are used for reporting purposes (recalls, premarket
approvals, device reports, etc.).

These seven (7) hearing-assist device product codes yield comparatively few
retrieved TPLC records: OSM, PLK, QDD, EWD, EWE, OAF, and PGQ. The product
codes yielding the largest record counts of product device issues and
medical device reports (MDRs) extracted from TPLC are: MCM—cochlear
implants, and MAH, LXB—bone conduction implant devices.

To learn the apparent advantages/disadvantages of each:
https://www.aarp.org/health/conditions-treatments/info-2015/implanted-hearing-devices.html

Product device problems and MDRs comprise two TPLC categories. Both
categories, and their TPLC search yield, are directly correlated. The MDRs
linked to the TPLC Patient Problem tabulations are extracted from FDAs MAUDE
platform. Refer to the MAUDE page for significant disclaimers about MDRs @
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/search.cfm.

An MDR can be filed for benign reasons: a chipped knob, worn package
label, or blurred device marking, etc. MDRs usually originate from
patient-device interactions that may result in an EVENT TYPE of Injury,
Malfunction, or Death. An EVENT TYPE of "Other" is allocated for device
events that cause neither injury nor death and do not stem from malfunction.
MAUDE also sponsors an EVENT TYPE for the "No Answer Provided" category.

For example,
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/results.cfm?start_search=1&searchyear=&productcode=MCM&productproblem=2993&devicename=&knumber=k&pmanumber=p&manufacturer=&brandname=&eventtype=&reportdatefrom=01/1/2015&reportdateto=&pagenum=10
gives a TPLC URL that says "Adverse Event Without Identified Device or Use
Problem (2993)." Accessing that link shows all (up to 500) contributing
MAUDE MDRs to the TPLC device problem category.

What did the patient experience with this device to merit an MDR submission?
For an example, see
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/detail.cfm?mdrfoi__id=10609891&pc=MCM.
Observe this MDR text: Patient Problem Therapeutic Response, Decreased
(2271), and then read the Event Type (Malfunction) and Event Description.

MDRs are often, but not exclusively, written by manufacturer representatives
consulting with the physician who performed the implant procedure and/or
reported the patient event. MDR content can be challenging to interpret:
significant medical and device subject matter expertise are often required.

Consider a consumer who might become a patient/device recipient. Before
surgery, they may desire to know which device will likely yield the best
outcome, and satisfy their quality of life expectations.

How can a consumer make a good choice, other than considering the price tag
of the device implant, procedure expense, convalescent period, etc., if they
can't understand what the device has or hasn't achieved based on historical
outcomes? There's no "Consumer Reports" article to study on cochlear or bone
conduction implants.

One wonders if physicians read, or are required to read, the historical
MAUDE MDRs before deciding on what device to consider. What motivates their
device selection? What weight do physicians allocate to device track record?

https://www.nidcd.nih.gov/health/statistics/hearing-charts-tables#hearing-aids-adults
reveals several charts on hearing impairment by population segments: loss of
hearing in adults by age and gender, cochlear implants by 1,000 population
and age, etc.

Using
https://www.healthypeople.gov/2020/data/Chart/4410?category=1&by=Total&fips=-1,
for people aged 70+ in the calendar year 2013, the rate of cochlear implant
per 1,000 population is 323. That's ~32% of that cohort.

The US Census 2019 estimated total for persons aged 70-85+ years is
35.431M:
https://www2.census.gov/programs-surveys/demo/tables/age-and-sex/2019/age-sex-composition/2019gender_table1.xlsx

The estimated number of cochlear implants in this cohort, using 2013 NIH
implant data, is 0.323*35.431M ~= 11.44M.

SUMMARY

The tabulations indicate, given the comparatively low device problem report
and MDR densities in light of the eligible recipient population, that the
devices in these product codes appear broadly successful.

Recipients that experience an unfortunate device problem may require
additional medical care to ameliorate these unfortunate outcomes. It is
these untoward and often unexpected events, though proportionately rare,
which device suppliers must minimize to reduce frequency.

DEVICE PROBLEM AND PATIENT PROBLEM TABULATIONS

For product code MCM, from 01JAN2015 to 30SEP2020
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=1694&min_report_year=2015,
the Top-10 TPLC Device Problems (in CSV format):

Device Problems,MDRs with this Device Problem,Events in those MDRs
Appropriate Term/Code Not Available,5444,5444
Device Operates Differently Than Expected,3297,3297
Output Problem,2264,2264
Adverse Event Without Identified Device or Use Problem,1530,1530
Receiver Stimulator Unit,1255,1255
No Device Output,1220,1220
Insufficient Information,1083,1083
Migration or Expulsion of Device,745,745
Electrode,731,731
Migration,510,510

The same report yields medical device reports (MDR) originating with
patients.  Here's the Top-10:

Patient Problems,MDRs with this Patient Problem,Events in those MDRs
Failure of Implant,4495,4495
No Code Available,2830,2830
Hearing Impairment,2660,2660
No Known Impact Or Consequence To Patient,1496,1496
Unspecified Infection,1319,1319
Pain,1252,1252
No Information,1031,1031
Patient Problem/Medical Problem,668,668
Bacterial Infection,666,666
Deafness,543,543

For product code MAH, from 01JAN2015 to 30SEP2020
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=1640&min_report_year=2015,
the Top-10 TPLC Device Problems (in CSV format):

Device Problems,MDRs with this Device Problem,Events in those MDRs
Appropriate Term/Code Not Available,1593,1593
Loss of Osseointegration,434,434
Failure to Osseointegrate,394,394
Adverse Event Without Identified Device or Use Problem,274,274
Insufficient Information,39,39
Osseointegration Problem,17,17
Extrusion,9,9
Patient-Device Incompatibility,7,7
Biocompatibility,6,6
Loosening of Implant Not Related to Bone-Ingrowth,6,6

The same report yields medical device reports (MDR) originating with
patients. Here's the Top-10:

Patient Problems,MDRs with this Patient Problem,Events in those MDRs
Unspecified Infection,525,525
No Code Available,522,522
Host-Tissue Reaction,399,399
Bacterial Infection,382,382
Inadequate Osseointegration,373,373
Patient Problem/Medical Problem,309,309
Pain,206,206
Head Injury,71,71
Inflammation,64,64
Skin Irritation,55,55
Swelling,53,53

For product code LXB, from 01JAN2015 to 30SEP2020
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=1635&min_report_year=2015,
the Top-10 TPLC Device Problems (in CSV format):

Device Problems,MDRs with this Device Problem,Events in those MDRs
Appropriate Term/Code Not Available,2157,2157
Loss of Osseointegration,505,505
Adverse Event Without Identified Device or Use Problem,185,185
Insufficient Information,124,124
Failure to Osseointegrate,34,34
Magnet,31,31
Patient Device Interaction Problem,22,22
Biocompatibility,20,20
Extrusion,17,17
Patient-Device Incompatibility,17,17
Osseointegration Problem,10,10

The same report yields medical device reports (MDR) originating with
patients. Here's the Top-10:

Patient Problems,MDRs with this Patient Problem,Events in those MDRs
No Code Available,671,671
Unspecified Infection,458,458
Bacterial Infection,455,455
No Information,371,371
Patient Problem/Medical Problem,359,359
Pain,304,304
Host-Tissue Reaction,240,240
Hearing Impairment,104,104
Swelling,75,75
Head Injury,65,65


'E.T.' 1982 Atari Game: The True Story Behind the Worst Video Game Ever (MelMagazine)

Gabe Goldberg <gabe@gabegold.com>
Fri, 16 Oct 2020 14:59:16 -0400
Atari's 1982 E.T. game was so disastrous it's been blamed for the company's
downfall and the crash of the entire industry. The man responsible for the
game, however, has taken it surprisingly well.  [...]

Warshaw agrees that the pits were a problem he didn't foresee.
Unfortunately, he was in such a rush to finish the game he never got to the
*first playable* stage, which is when a game is tested by users to work out
any design kinks and flaws.

https://melmagazine.com/en-us/story/et-1982-atari-game

What could go wrong with a toxic compressed schedule without time for testing?


Re: Fifth of countries at risk of ecosystem collapse (RISKS-32.32)

Richard Stein <rmstein@ieee.org>
Fri, 16 Oct 2020 10:47:57 +0800
With ecosystems at risk globally, economies will also experience knock-on
effects.

Corbin Hiar, Natural Disasters May Push Global Finances to the Brink,
concisely summarizes anthropogenic climate forcing impact on sovereign
economies.
https://www.scientificamerican.com/article/natural-disasters-may-push-global-finances-to-the-brink/

See "Climate Change and Sovereign Risk":
https://www.eenews.net/assets/2020/10/13/document_cw_01.pdf for details.


Re: Why cars are more "fragile": more technology has reduced robustness (Drewe, RISKS-32.32)

Wols Lists <antlists@youngman.org.uk>
Fri, 16 Oct 2020 09:52:34 +0100
aiui, UK law defines a "historic vehicle" as one over 25 years old (it was
originally one made before a certain date, but that was never updated as the
years went by).

That explains the surge in old vehicles on UK roads, as these cars are
exempt from tax, they're now exempt from the MOT, and I believe they are
also exempt from the congestion charge and low emission zones.


Re: SpaceX Is Building a Military Rocket to Ship Weapons Anywhere in the World in 1 hour (RISKS-32.32)

David Alexander <davidalexander440@btinternet.com>
Fri, 16 Oct 2020 13:16:09 +0100 (BST)
The SpaceX initiative to build a rocket to deliver goods anywhere in the
world in less than an hour is not a novel idea.

In January 1956 the (UK) BBC radio comedy The Goons had a show on this very
subject, called the Jet-propelled NAAFI
<https://www.youtube.com/watch?v=tmCZ9BIeX5c>


Re: SpaceX Is Building a Military Rocket to Ship Weapons Anywhere in the World, in 1 hour (RISKS-32.32)

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Fri, 16 Oct 2020 21:10:04 +0200
The distance from the launch site to its antipode (the point on the Earth
exactly opposite) is roughly 20,000 km or 12,500 miles. At 7,500 mph that
will take 1 hour 40 minutes. And you have to add the extra time spent in the
acceleration and deceleration phases where the speed is a lot lower. So
something like 2 1/2 to 3 hours is probably about the best one can dream of
doing.

And what about the time to fuel the rocket and prepare it for launch?
Typically takes days if everything goes smoothly.


Re: A different way the news is dividing America (Stein, RISKS-32.32)

"John Levine" <johnl@iecc.com>
16 Oct 2020 13:40:42 -0400
While it is absolutely true that we have a crisis in the news business,
calling it "redlining" is gratuitous and pretty offensive.

Actual redlining was a policy of not selling real estate to minorities,
regardless of their income or ability to pay. Newspaper web sites don't
charge because they want to keep poor people out, they charge because print
advertising has collapsed, online advertising pays very little*, and they
have to pay the reporters and keep the lights on. As I'm sure we all
remember, they tried free web sites with online ads and it didn't
work. Where is all this high quality free news supposed to come from?

For a much better analysis, see "Ghosting the News: Local Journalism and the
Crisis of American Democracy" by Margaret Sullivan, published in August by
Columbia Global Reports. She looks primarily at the growing local news
deserts and the not great options for fixing them.

https://globalreports.columbia.edu/books/ghosting-the-news/

*—unless you are gatekeeper Google or Facebook.


Re: A different way the news is dividing America (Levine, RISKS-32.32)

Richard Stein <rmstein@ieee.org>
Sun, 18 Oct 2020 11:29:59 +0800
John—Thank you for a civil critique and rebuttal. It was not my intent to
promote offense.

What word might best encapsulate societal division based on preference to
consume freely available, misleading and false news reports versus those who
purchase professionally authored, edited, and published news reports?
Infolining? No such word exists.

The definition of redlining @
https://www.merriam-webster.com/legal/redlining states, "the illegal
practice of refusing to offer credit or insurance in a particular community
on a discriminatory basis (as because of the race or ethnicity of its
residents)." The definition does not incorporate poverty or encompass
affordable access to information or news.

As you note, government policies/regulations have promoted business
redlining policies and practices, an immoral betrayal of the democratic idea
that "all men are created equal." See
https://www.nytimes.com/2020/01/20/opinion/fair-housing-act-trump.html, for
a historical perspective.

Choosing to believe that fictional news stories are real and merit
re-circulation confounds explanation. A captive audience that endorses
falsehoods and conspiracy theories characterizes the allure and
effectiveness of weaponized free speech.
https://www.nytimes.com/2020/10/13/magazine/free-speech.html

I certainly agree that professional news writing, editing, and reporting
requires revenue that funds deserving publication businesses. The access
price to premium factual information is exclusionary: disposable income is
needed to procure this modest, daily essential.

Viable reporting holds governments accountable, promotes economic
development, public health, education, and civil discourse, and enriches
culture -- all subjects of historical and immediate social merit.

"News is the first rough draft of history" per Philip Graham
(https://www.forbes.com/quotes/7446/). Mr. Graham's quote applies to factual
and meretricious news, not the pink stuff.


Re: A different way the news is dividing America (RISKS-32.32)

"John R. Levine" <johnl@iecc.com>
18 Oct 2020 11:31:25 -0400
> Infolining? No such word exists. ...

The phrase people use is "news desert" but that is more for places with no
newspapers at all, not ones that people can't afford.  It's news as luxury
good, not the snappiest of terms.

But that's not at issue—what I object to is the misuse of the term
redlining, and the author's airy assertion that if the greedy capitalists
would just tear down the paywalls everything would be fine.  The particular
evil of redlining was that it was pure bigotry with no economic rationale --
real estate agents sell property and banks make loans the same way they
always had, only now to the full set of buyers rather than just to one race.
This is nothing like that.

For several centuries the news business had an economic model where
advertisers paid to have their messages included with the news, first in
newspapers, then magazines, then radio, then TV.  This let the publishers
provide the news below cost, for a few cents for newspapers and free for
radio and TV.  The Internet totally destroyed that economic model.  The
costs of distribution dropped and are shared with consumers, which allowed
competing marketplaces to handle ads for cheap, or as at Craigslist mostly
for free.  Advertising revenue isn't going back to newsrooms, reporters have
to eat, and saying everyone should have a pony doesn't help.

  [PS: Insert obvious snark here about an academic who never had to worry about
  where his next paycheck was coming from.]


Re: A different way the news is dividing America (RISKS-32.32)

Steve Bacher <sebmb1@verizon.net>
Fri, 23 Oct 2020 16:35:45 +0000 (UTC)
This article seems somewhat specious to me.  If putting the content of some
news sources behind a paywall constitutes creating an "information have"
vs. "information have-not" class system, then in the pre-Internet world
where people had to actually purchase papers, was there a divide between
those who could afford the handful of change for the day's news vs. those
who couldn't?  Or between those who went to the trouble of subscribing and
those who just dug into their pockets each day?

And FWIW, there are numerous ways to access content from most of those
online journalistic sites while bypassing the paywalls.


Re: Continuous glucose monitoring/insulin dosing systems (RISKS-32.32)

Richard Stein <rmstein@ieee.org>
Mon, 19 Oct 2020 09:18:40 +0800
FOLLOW UP FROM ADA

I received this email message in response to my inquiry on glucose
monitoring/insulin dosing device deployment from a representative of the
American Diabetes Association:

  "Hi Richard;

  "I assume you mean traditional insulin pumps and CGMs, not implantable.
  There are no implanted pumps on the market, and just one CGM that's
  implanted subcutaneously, with what I assume is a very small share of the
  market.

  "Regardless, unfortunately, ADA doesn't have any data other than what one
  can find by googling for the results. The companies are guarded with their
  sales and usage data, and what I find online is both speculative and
  dated. I wish I could give a more substantive answer--this is a question I
  get a lot and I never have a very good answer."

  Matt Petersen
  Vice President, Medical Information and Professional Engagement
  2451 Crystal Dr. | Arlington | VA | 22202
  Phone:  +1 (703) 299-2071
  diabetes.org
  1-800-DIABETES (800-342-2383)
