The RISKS Digest
Volume 32 Issue 35

Monday, 2nd November 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Defective Panels in Solar Arrays
Ben Heubl via Peter Bernard Ladkin
American Pilots To Reassure Passengers Before MAX Flights
avweb.com
Axios Navigate
Axios
U.S. hatches plan to build a quantum Internet that might be unhackable
WashPost
NASA’s new rocket would be the most powerful ever. But it’s the software that has some officials worried.
WashPost
Elon Musk's SpaceX says it will make its own laws on Mars
Independent
Robot Trained in Simulation Performs Better in Real Life
Chris Stokel-Walker
Using AI to control a camera at a sports event—oops!
IFLScience
Four years since the Mirai-Dyn attack, is the Internet safer?
Techxplore.com
FBI warns of "imminent" ransomware attacks on hospital systems
CBS News
In a first, researchers extract secret key used to encrypt Intel
Dan Goodin
Marriott Hotels fined 18.4m pounds for data breach that hit millions
bbc.com
Two Former eBay Employees Plead Guilty to Aggressive Cyberstalking Campaign Targeting Natick Couple
DoJ
The Unsinkable Maddie Stone, Google's Bug-Hunting Badass
WiReD
Beware a New Google Drive Scam Landing in Inboxes
WiReD
Apple develops alternative to Google search
FT
Senator Brian Schatz of Hawaii calls sec.'s testimony what it really was
Amos Shapir
@Team_Trump45 and the Hazards of Online Sleuthing
WiReD
Wisconsin GOP Lost $2.3 Million in an Email Scam
WiReD
New ‘Media Manipulation Casebook’ from Harvard teaches how to detect misinformation campaigns
WashPost
How a fake persona laid the groundwork for a Hunter Biden conspiracy deluge
NBC News
NSA Pot calling Chinese Kettle Black
Joseph Menn via Henry Baker
Re: How does Google's monopoly hurt you?
Julian Bradfield
Re: Air Force updates code on plane mid-flight
David Alexander
Re: UK national police computer down for 10 hours after engineer pulled the plug
Dick Mills
Re: Censorship or Sensibility?
San Steingold
Re: More on erroneous Alexa/third-party data provider evacuation notices in Boulder County, Colorado
Dan Jacobson
Re: Why cars are more "fragile": more technology has reduced robustness
Martin Ward
Re: F-35s and Teslas?
3daygoaty
Info on RISKS (comp.risks)

Defective Panels in Solar Arrays

Peter Bernard Ladkin <ladkin@causalis.com>
Wed, 28 Oct 2020 07:46:48 +0100
The October issue of IET's E&T magazine has a story by Ben Heubl on problems
with PV panels. It was originally published in July 2020 on-line
https://eandt.theiet.org/content/articles/2020/07/solar-panel-technology-scandal-could-see-millions-of-solar-pv-panels-fail-or-degrade-prematurely

  “In February 2020, the power output plummeted at one of South Africa's
  proudest solar photovoltaic electricity generation sites, the Mulilo
  Sonnedix Prieska solar farm.  .... Usually, PV solar panels last between
  20 and 30 years. So how could this happen after less than four?  Insiders
  claim accelerated backsheet degradation is to blame. The backsheet is part
  of a solar module that seals it from dust and moisture and provides
  electrical insulation. It is also necessary to protect interior components
  from mechanical and environmental stresses.”

... and when a backsheet cracks, the consequences can include electrical
short-circuits and fire. So there are safety issues.

Heubl found it difficult to get anyone to give him information about the
extent of the problem, except that it appears to be significant. It is not
clear that anyone knows where panels most susceptible to early degradation
are installed.

There is surely not just a quality-control problem with newish
panels. Panels have a limited functional lifetime in any case and it seems
to follow from the report that there are few effective systems in place to
identify which ones are faulty, whether after 3 years or 30 years.

What about the panels on the roof of your house? Or built-in roofing panels?


American Pilots To Reassure Passengers Before MAX Flights (avweb.com)

Richard Stein <rmstein@ieee.org>
Wed, 28 Oct 2020 13:06:58 +0800
https://www.avweb.com/aviation-news/american-pilots-to-reassure-passengers-before-max-flights/

"It's not often that passengers hear from the captain days before their
flight but American Airlines is employing those calm, soothing voices to
ease the reintroduction of the Boeing 737 MAX. As we recently reported,
American plans to resume MAX flights starting Dec. 29, assuming all the
regulatory approvals are in place. Its plan to gain customer approval for
the re-launch is to offer customer tours of the aircraft and to have pilots
answer phone and video calls from jittery pax. 'They're the ones that
... really have the credibility to explain the Max,' Alison Taylor,
American's chief customer officer, told an online 'town hall' meeting with
employees in mid-October."

For a business to survive, the brands it sells must project and reliably
demonstrate trust to sustain customer loyalty. Consumer expectations are, in
part, achieved through unbiased and independent evaluations by regulatory
agencies who evaluate these brands. They serve as the last line of defense
for public health and safety. All bets are off when these agencies are
neutered, or their investigatory and enforcement capabilities are
compromised.

How do businesses recover and restore brand trustworthiness after a 'Black
Swan' shatters that expectation?

The Chicago Tylenol murders
(https://en.wikipedia.org/wiki/Chicago_Tylenol_murders retrieved on
28OCT2020) details measures a business can responsibly apply to restore and
rebuild brand reputation following a deadly trust erosion incident.

A "time heals all wounds" approach appears ineffective in the Internet-era
where history is easy to retrieve, if curiosity strikes.

Will a pilot's pre-flight reassurance be sufficient to soothe public anxiety
about the re-engineered MAX's safety? The passenger loyalty consequences
from a 'fit to fly' customer-charm offensive defy prediction. Eventually, I
suspect this engagement 'pitch' will vanish.

For now, that's all the flying public can expect following the Congressional
investigations, FAA investigations, Boeing restructuring, liability
settlements, MCAS revisions, re-certification efforts, etc.

Airlines that offer discount 737-MAX flights will lure passengers and
possibly recover revenue. Sustained airline profits from 737-MAX flights
depend on over-achievement of historical aircraft safety records and
trends.

The flying public MIGHT be best served if, at ticket point-of-purchase, a
government-mandated disclosure states, "This flight powered by a re-tooled
737-MAX. See this link for fleet history."


Axios Navigate (Axios)

Gabe Goldberg <gabe@gabegold.com>
Sun, 1 Nov 2020 17:31:46 -0500
Tesla is beta-testing its latest self-driving technology with a small group
of early adopters, a move that alarms experts and makes every road user --
including other motorists, pedestrians and cyclists -- unwitting subjects in
its ongoing safety experiment.

https://www.axios.com/newsletters/axios-navigate-bd1ba2e9-6da7-4c76-91af-2d388ca96ba7.html

CAS Comment on AV TEST Data Collection

https://www.autosafety.org/cas-comment-on-av-test-data-collection/

Dear Deputy Administrator Owens,

The Center for Auto Safety (the Center) appreciates the opportunity to
provide comments on the notice and request for comment regarding the
Automated Vehicle Transparency and Engagement for Safe Testing (AV TEST)
initiative. The Center, founded in 1970, is an independent, member
supported, non-profit consumer advocacy organization dedicated to improving
vehicle safety, quality, and fuel economy. In 2020, we are celebrating 50
years of advocacy for consumer automotive safety and informed choice.

The AV TEST initiative proposes using government resources for the purpose
of providing “information to the public about Automated Driving System
(ADS) testing operations in the U.S. and applicable State and local laws,
regulations, and guidelines.”  Instead, the public would be better off
visiting the promotional website of each AV manufacturer after conducting
their own Google search. At least that way, there would not be any confusion
about the biased nature of the promotion or the lack of government
oversight.

Motor vehicle crashes remain one of the primary causes of premature death,
and the leading cause of death for those under age 30. These crashes cost
the U.S. approximately $1 trillion every year. Sadly, NHTSA has estimated
the first six months of 2020 have resulted in the highest death rate per
vehicle mile traveled in the U.S. in over a decade. The Center firmly
believes ADS technology can play a significant role in a safer
transportation future and is committed to seeing its successful and safe
integration into our transit ecosystem. Yet, NHTSA's refusal to even require
the submission of test data relating to ADS development is an implicit
encouragement of the deployment of unproven technology guided by artificial
intelligence on public roads. These self-described self-driving vehicles are
being unleashed on America in the hope that nothing too horrible will
happen, in the absence of NHTSA analyzing validated engineering data
demonstrating safe ADS performance.


U.S. hatches plan to build a quantum Internet that might be unhackable (WashPost)

Dewayne Hendricks <dewayne@warpspeed.com>
October 28, 2020 5:07:30 JST
  [via Dave Farber, who notes:
    Typical PR piece. There has been an International activity to
    conceptualize such a network for a while now—Japan, USA, EU, etc. It
    is at the early research stage but advancing at a fast pace. Dave
    Farber
  ]

U.S. hatches plan to build a quantum Internet that might be unhackable

The new network would sit alongside the existing Web, offering a more secure
way to send and process information

Jeanne Whalen, *The Washington Post*, 23 Jul 2020
https://www.washingtonpost.com/technology/2020/07/23/us-plan-quantum-internet/

U.S. officials and scientists unveiled a plan Thursday to pursue what they
called one of the most important technological frontiers of the 21st
century: building a quantum Internet.

Speaking in Chicago, one of the main hubs of the work, they set goals for
forging what they called a second Internet—one that would function
alongside the globe's existing networks, using the laws of quantum mechanics
to share information more securely and to connect a new generation of
computers and sensors.

Quantum technology seeks to harness the distinct properties of atoms,
photons and electrons to build more powerful computers and other tools for
processing information. A quantum Internet relies on photons exhibiting a
quantum state known as entanglement, which allows them to share information
over long distances without having a physical connection.

David Awschalom, a professor at the University of Chicago's Pritzker School
of Molecular Engineering and senior scientist at Argonne National
Laboratory, called the Internet project a pillar of the nation's
quantum-research program.

“It's the birth of a new technology. It's becoming a global competition.
Every major country on earth has launched a quantum program, because it is
becoming clearer and clearer there will be big impacts,” he said in an
interview.

The United States' top technology rival, China, is investing heavily in
quantum technology, a field that could transform information processing and
confer big economic and national security advantages to countries that
dominate it. Europe is also hotly pursuing the research.

The Energy Department and its 17 national labs will form the backbone of the
project.

How exactly the work will be funded wasn't clear. The Energy Department did
not announce a funding figure for the project Thursday. Speaking to
reporters, Paul Dabbar, the Energy Department's undersecretary for science,
said the federal government invests about $500 to $700 million a year in
quantum information technology, suggesting some of that money would fund the
new Internet.

In an interview, Dabbar said there would probably be further funding
announcements for the project in the future.

Panagiotis Spentzouris, head of quantum science at the Chicago-area Fermi
National Accelerator Laboratory, or Fermilab, said in an interview that more
resources, and a clearer project structure, will be needed to carry out the
blueprint published Thursday.

The 38-page document lays out research priorities and milestones to aim for,
but it doesn't assign detailed tasks to particular parties.

Initial users of a quantum Internet could include national security
agencies, financial institutions and health-care companies seeking to send
data more securely, researchers said.

The networks promise to be more secure—some even say unhackable --
because of the nature of photons and other quantum bits, known as qubits.
Any attempt to observe or disrupt these particles would automatically alter
their state and destroy the information being transmitted, scientists say.

A quantum Internet could also be used to connect various quantum computers
with one another, helping boost their total computing power. Quantum
computers are still at an early stage of development and not yet as powerful
as classical computers, but connecting them via an Internet could help
accelerate their use for solving complex problems like finding new
pharmaceuticals or new high-tech materials, Awschalom said.

Eventually consumers might also tap into the quantum Internet, to buy
products with less risk of their credit card details being hacked, or to
send and receive sensitive personal information such as health records or
social security numbers, Spentzouris said. It is possible consumers will
surf seamlessly between the regular and quantum Internets as they make
purchases and send information, without necessarily knowing they are
switching platforms, he said.

In a sign of the potential economic rewards that quantum technology could
bring, Illinois Gov. J.B. Pritzker and Chicago Mayor Lori Lightfoot both
spoke at the announcement Thursday, expressing hope that there would be
spillover effects for the city's tech community.

Universities and labs in the region have established the Chicago Quantum
Exchange to try to accelerate innovation and economic development.  [...]


NASA’s new rocket would be the most powerful ever. But it’s the software that has some officials worried. (WashPost)

Monty Solomon <monty@roscom.com>
Sun, 1 Nov 2020 20:03:09 -0500
As NASA moves towards the SLS's first flight, putting the Orion spacecraft
in orbit around the moon, there are concerns not with the rocket's engines
but rather with the computer software embedded in all its systems.

https://www.washingtonpost.com/technology/2020/10/31/nasa-sls-moon-rocket/


Elon Musk's SpaceX says it will make its own laws on Mars (Independent)

geoff goodfellow <geoff@iconia.com>
Fri, 30 Oct 2020 08:03:59 -1000
*No Earth-based government has authority or sovereignty over Martian
activities, SpaceX claims*

SpaceX will not recognise international law on Mars, according to the Terms
of Service of its Starlink Internet project.

Elon Musk's space company will instead reportedly adhere to a set of
*self-governing principles* that will be defined at the time of Martian
settlement.  [...]

https://www.independent.co.uk/life-style/gadgets-and-tech/elon-musk-spacex-mars-laws-starlink-b1396023.html


Robot Trained in Simulation Performs Better in Real Life (Chris Stokel-Walker)

ACM TechNews <technews-editor@acm.org>
Wed, 28 Oct 2020 12:59:16 -0400 (EDT)
Chris Stokel-Walker, *New Scientist*, 21 Oct 2020
  via ACM TechNews, Wednesday, October 28, 2020

Researchers at the Swiss Federal Institute of Technology, Zurich (ETH
Zurich) trained a neural network algorithm designed to control a four-legged
robot in a simulated environment resembling a video game. The ETH Zurich
team told the algorithm which direction the simulated robot should be
attempting to move in, and restricted how fast it could turn, in order to
reflect the capabilities of the actual robot. The researchers started with a
neural network preprogrammed with knowledge about the environment so the
algorithm could absorb and recall inputs from virtual sensors, then
transferred this knowledge to a large network controlling the real robot. As
a result, the robot was able to move on uneven, mossy terrain more than
twice as fast as it was able to with its default programming.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-27b91x225f47x066975&

  [As noted in RISKS many times, flaws in simulations can lead to huge risks
  in the systems that are being modeled.  Here is a case of the tail wagging
  the dog, happily.  Please remember, relevant success stories are always
  welcome here, although they do not show up often enough. PGN]


Using AI to control a camera at a sports event—oops! (IFLScience)

Barry Gold <barrydgold@ca.rr.com>
Fri, 30 Oct 2020 13:36:06 -0700
https://www.iflscience.com/technology/ai-camera-ruins-soccar-game-for-fans-after-mistaking-referees-bald-head-for-ball/

A bald linesman distracts a camera aimed by a computer.

On Beta, we'd have earrings for that. You could buy them in any jewelry
store.  http://www.conchord.org/xeno/bdgsig.html


Four years since the Mirai-Dyn attack, is the Internet safer? (Techxplore.com)

Richard Stein <rmstein@ieee.org>
Sat, 31 Oct 2020 10:19:34 +0800
https://techxplore.com/news/2020-10-years-mirai-dyn-internet-safer.html

"'It seems that the lessons learned from the 2016 Dyn attack have only been
acted upon by a handful of websites that were directly impacted,' says Aqsa
Kashaf, a Ph.D. student in Electrical and Computer Engineering (ECE) and
lead author of the new study.

"The Mirai-Dyn attack in 2016 was successful because of what Kashaf and her
team refer to as critical dependencies. The domains affected by the
Mirai-Dyn attack were critically dependent on Dyn, a third-party DNS. In
other words, they relied solely on Dyn, so when Dyn went down, so did they."

The Mirai-initiated DDoS disabled ~180K domains and inconvenienced 10s of
millions of website users.

The research shows that BAU (business as usual) practices remain in
place. Of the top 100K websites, 89% of them rely on a 3rd party DNS
provider. In turn, these DNS providers rely on cloud services to support
their operations. These shared dependencies and inter-dependencies comprise
an attack perimeter that can cripple e-commerce.

Service consumption favors provider availability/uptime over integrity
characteristics that confer assault resilience.

Core service providers (DNS, Content Delivery, Certification Authorities)
should be required to disclose site hardening qualification results. That
information can assist procurement decisions to improve industry readiness
that helps deter the next meltdown.
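The "critical dependency" the study describes is a domain whose entire
nameserver set belongs to one third-party provider, so that provider's outage
takes the domain down with it. The following script is an added example, not
code from the Techxplore article or from Kashaf's team: it classifies each
domain's NS records by operator, flags single-provider dependencies, and
inverts the view to show which providers are shared single points of failure.
The domain names, NS hostnames and the small operator alias table are
constructed for illustration; a production version would map hostnames to
operators with the Public Suffix List and a maintained provider list.

```python
"""Flag domains critically dependent on a single third-party DNS provider.

Added example (not from the article or the study). All data below is
constructed; hostnames merely resemble real DNS providers.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample NS data: hypothetical domains and their delegated
# nameservers, as a resolver or a `dig NS` sweep would report them.
NS_RECORDS: dict[str, list[str]] = {
    "shop.example": ["ns1.dynect.net", "ns2.dynect.net", "ns3.dynect.net"],
    "news.example": ["ns1.dynect.net", "ns2.dynect.net", "a.ns.cloudflare.com"],
    "bank.example": ["ns1.bank.example", "ns2.bank.example"],
    # Same operator under two registrable suffixes: looks like two providers
    # if you only compare suffixes, but is one dependency.
    "blog.example": ["ns-1.awsdns-01.org", "ns-2.awsdns-02.net"],
}

# Constructed alias table (assumption, not exhaustive): substring of an NS
# hostname -> operator label. Needed because one operator may delegate under
# several registrable suffixes, which would otherwise look like redundancy.
KNOWN_OPERATORS: dict[str, str] = {
    "awsdns-": "amazon-route53",
    "dynect.net": "dyn",
    "ns.cloudflare.com": "cloudflare",
}


def provider_of(ns_host: str, domain: str) -> str:
    """Map a nameserver hostname to the organisation operating it."""
    host = ns_host.lower().rstrip(".")
    if host == domain or host.endswith("." + domain):
        return "self"  # in-bailiwick: the domain runs its own DNS
    for marker, operator in KNOWN_OPERATORS.items():
        if marker in host:
            return operator
    # Fallback heuristic: registrable part (last two labels) names the provider.
    return ".".join(host.split(".")[-2:])


def classify(domain: str, nameservers: list[str]) -> dict:
    """Group a domain's NS hosts by operator and decide if it is critically
    dependent: every nameserver belongs to one third-party provider."""
    by_provider: dict[str, list[str]] = defaultdict(list)
    for ns in nameservers:
        by_provider[provider_of(ns, domain)].append(ns)
    providers = sorted(by_provider)
    return {
        "domain": domain,
        "providers": providers,
        "critical": len(providers) == 1 and providers != ["self"],
    }


def shared_dependencies(records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Invert the view: which third-party provider is the single point of
    failure for which domains (the Dyn situation in 2016)."""
    out: dict[str, list[str]] = defaultdict(list)
    for domain, nss in records.items():
        result = classify(domain, nss)
        if result["critical"]:
            out[result["providers"][0]].append(domain)
    return {provider: sorted(domains) for provider, domains in out.items()}


def critical_fraction(records: dict[str, list[str]]) -> float:
    """Share of domains that have a critical third-party DNS dependency."""
    hits = sum(1 for d, nss in records.items() if classify(d, nss)["critical"])
    return hits / len(records)


if __name__ == "__main__":
    for domain, nss in NS_RECORDS.items():
        print(classify(domain, nss))
    print("shared single points of failure:", shared_dependencies(NS_RECORDS))
    print(f"critically dependent: {critical_fraction(NS_RECORDS):.0%}")
```

On the constructed data, shop.example and blog.example come out critically
dependent (on Dyn and on Route 53 respectively), news.example does not because
its delegation spans two operators, and bank.example self-hosts. The alias
table is the part that matters in practice: counting distinct registrable
suffixes alone would have scored blog.example as redundant.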


FBI warns of "imminent" ransomware attacks on hospital systems (CBS News)

geoff goodfellow <geoff@iconia.com>
Thu, 29 Oct 2020 09:26:09 -1000
Federal agencies warned that cybercriminals are unleashing a wave of
data-scrambling extortion attempts against the U.S. healthcare system
designed to lock up hospital information systems, which could hurt patient
care just as nationwide cases of COVID-19 are spiking.
<https://www.cbsnews.com/feature/coronavirus>

In a joint alert Wednesday, the FBI and two federal agencies warned that
they had "credible information of an increased and imminent cybercrime
threat to U.S. hospitals and healthcare providers." The alert said malicious
groups are targeting the sector with attacks that produce "data theft and
disruption of healthcare services."

The cyberattacks involve ransomware, which scrambles data into gibberish
that can only be unlocked with software keys provided once targets pay up.
Independent security experts say it has already hobbled at least five U.S.
hospitals this week and could impact hundreds more.  [...]
https://www.cbsnews.com/news/fbi-warns-ransomware-attack-us-healthcare-system-hospitals/


In a first, researchers extract secret key used to encrypt Intel (Dan Goodin)

Monty Solomon <monty@roscom.com>
Thu, 29 Oct 2020 12:00:45 -0400
Hackers can now reverse-engineer updates or write their own custom firmware.

Dan Goodin, 28 Oct 2020 [PGN-enhanced: added middle para]

Researchers have extracted the secret key that encrypts updates to an
assortment of Intel CPUs, a feat that could have wide-ranging consequences
for the way the chips are used and, possibly, the way they're secured.

An independent researcher, working with two researchers from security firm
Positive Technologies, extracted the secret key that encrypts updates to
Intel central processing units (CPUs). Hackers who got their hands on the
key would be able to decrypt updates Intel issues to plug security holes or
update other aspects of chip operation. Independent researcher Maxim
Goryachy said, "At the moment, it is quite difficult to assess the security
impact" of being able to obtain such a key. Added Positive Technologies'
Mark Ermolov, "For now, there's only one but very important consequence:
independent analysis of a microcode patch that was impossible until now."

The key makes it possible to decrypt the microcode updates Intel provides to
fix security vulnerabilities and other types of bugs. Having a decrypted
copy of an update may allow hackers to reverse-engineer it and learn
precisely how to exploit the hole it’s patching. The key may also allow
parties other than Intel—say a malicious hacker or a hobbyist—to
update chips with their own microcode, although that customized version
wouldn't survive a reboot.  [...]

https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/


Marriott Hotels fined 18.4m pounds for data breach that hit millions (bbc.com)

Richard Stein <rmstein@ieee.org>
Sat, 31 Oct 2020 10:35:56 +0800
https://www.bbc.com/news/technology-54748843

"In some ways you can feel sorry for Marriott.

"In all the boardroom discussions about the company's takeover of Starwood,
I bet it never realised that a hacker was already lurking inside the
valuable databases they were buying.

"The cyber-criminals had been in the systems for years, and were effectively
thrown into the merger deal without Marriott having a clue."

https://catless.ncl.ac.uk/Risks/30/93#subj5.1 reports this incident.

Lesson learned: Do not neglect an IT infrastructure audit, and incident
review/mitigation effort, before acquisition acceptance.


Two Former eBay Employees Plead Guilty to Aggressive Cyberstalking Campaign Targeting Natick Couple (DoJ)

Monty Solomon <monty@roscom.com>
Sat, 31 Oct 2020 19:34:37 -0400
https://www.justice.gov/usao-ma/pr/two-former-ebay-employees-plead-guilty-aggressive-cyberstalking-campaign-targeting-nati-0

Department of Justice, U.S. Attorney's Office, District of Massachusetts
Thursday, October 29, 2020

Two Former eBay Employees Plead Guilty to Aggressive Cyberstalking Campaign
Targeting Natick Couple

BOSTON - Two former employees of eBay, Inc. pleaded guilty today to their
roles in a cyberstalking campaign targeting the editor and publisher of a
newsletter that eBay executives viewed as critical of the company.

Brian Gilbert, 52, of San Jose, Calif., a former Senior Manager of Special
Operations for eBay's Global Security Team, and Stephanie Stockwell, 26, of
Redwood City, Calif., the former manager of eBay's Global Intelligence
Center, pleaded guilty to conspiracy to commit cyberstalking and conspiracy
to tamper with witnesses. U.S. District Court Judge William G. Young
scheduled sentencing for Stockwell on March 11, 2021, and for Gilbert on May
6, 2021.

On Oct. 8, 2020, co-defendants Stephanie Popp, 32, and Veronica Zea, 26,
pleaded guilty to the same charges and are scheduled to be sentenced on
Feb. 25, 2021. On Oct. 27, 2020, co-conspirator Philip Cooke, 55, pleaded
guilty and is scheduled to be sentenced on Feb. 24, 2021.

Former eBay executives, James Baugh, 45, and David Harville, 48, were
arrested and charged on June 15, 2020.

According to the charging documents, the victims of the cyberstalking
campaign were a Natick couple who are the editor and publisher of an online
newsletter that covers ecommerce companies, including eBay. Members of
eBay's executive leadership team followed the newsletter's posts, often
taking issue with its content and the anonymous comments underneath the
editor's stories.

It is alleged that in August 2019, the defendants executed a three-part
harassment campaign against the Natick couple, which included the defendants
sending anonymous and disturbing deliveries to the victims' home; sending
private Twitter messages and public tweets criticizing the newsletter's
content and threatening to visit the victims in Natick; and traveling to
Natick to surveil the victims and install a GPS tracking device on their
car.

In connection with his plea today, Gilbert admitted to drafting threatening
Twitter messages for Popp to send and planning the surveillance trip with
various co-defendants. Gilbert also proposed bringing a dossier of documents
to the Natick Police Department (NPD)—whom the victims had involved --
that would make the victims *look crazy* and contacting the victims to offer
help with the threatening messages that the defendants had sent. Lastly,
Gilbert made false statements to the NPD about Zea and Harville's reason for
being in Boston.

Stockwell admitted to, at Baugh’s direction, purchasing a laptop for use in
harassing the victims, and using an anonymous email account to order online
live spiders and a prepaid debit card to purchase a late-night pizza
delivery to the victims' home. Stockwell also prepared an eBay 'Person of
Interest' report for the Bay Area—a fictitious list of potential suspects
to provide to the NPD to deflect the police from suspecting that eBay
employees were actually harassing the victims.

The charges of conspiracy to commit cyberstalking and conspiracy to tamper
with witnesses each carry a sentence of up to five years in prison, three
years of supervised release, a fine of up to $250,000 and
restitution. Sentences are imposed by a federal district court judge based
upon the U.S. Sentencing Guidelines and other statutory factors.

United States Attorney Andrew E. Lelling; Joseph R. Bonavolonta, Special
Agent in Charge of the Federal Bureau of Investigation, Boston Field
Division; and Natick Chief of Police James G. Hicks made the announcement
today. eBay provided valuable assistance and cooperation with the federal
investigation. Assistant U.S. Attorney Seth B. Kosto, Deputy Chief of
Lelling's Securities, Financial & Cyber Fraud Unit is prosecuting the case.

The details contained in charging documents are allegations. The remaining
defendants are presumed innocent unless and until proven guilty beyond a
reasonable doubt in a court of law.


The Unsinkable Maddie Stone, Google's Bug-Hunting Badass (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 2 Nov 2020 00:18:01 -0500
The Project Zero reverse engineer shuts down some of the world's most
dangerous exploits—along with antiquated hacker stereotypes.

https://www.wired.com/story/maddie-stone-project-zero-reverse-engineering/


Beware a New Google Drive Scam Landing in Inboxes (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 1 Nov 2020 23:54:43 -0500
Scammers are luring people into Google Docs in an attempt to get them to
visit potentially malicious websites.

https://www.wired.com/story/beware-a-new-google-drive-scam-landing-in-inboxes/


Apple develops alternative to Google search (FT)

geoff goodfellow <geoff@iconia.com>
Wed, 28 Oct 2020 08:01:52 -1000
*iPhone maker pushes to build its own search tools as ties to Google come
under antitrust scrutiny*

Apple is stepping up efforts to develop its own search technology as US
antitrust authorities threaten multibillion-dollar payments that Google
makes to secure prime placement of its engine on the iPhone.

In a little-noticed change to the latest version of the iPhone operating
system, iOS 14, Apple has begun to show its own search results and link
directly to websites when users type queries from its home screen.

That web search capability marks an important advance in Apple's in-house
development and could form the foundation of a fuller attack on Google,
according to several people in the industry.

The Silicon Valley company is notoriously secretive about its internal
projects, but the move adds to growing evidence that it is working to build
a rival to Google's search engine.  [...]

https://www.ft.com/content/fd311801-e863-41fe-82cf-3d98c4c47e26


Senator Brian Schatz of Hawaii calls sec.'s testimony what it really was (YouTube)

Amos Shapir <amos083@gmail.com>
Sat, 31 Oct 2020 17:29:17 +0200
A very clear explanation of how Section 230 had become a Republican
political tool:
https://www.youtube.com/watch?v=kc-hh_uhEOA

(It's a bit funny how he criticizes Republicans for turning a Congressional
hearing into political campaigning, while actually doing the same...)

  [On the eve of a highly political event in the U.S., we generally eschew
  political items.  This is one on truthiness vs truthfulness, which is
  a long-time consideration in RISKS, irrespective of politics.  PGN]


@Team_Trump45 and the Hazards of Online Sleuthing (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 2 Nov 2020 00:06:25 -0500
A pro-Trump Twitter troll posted fundraising pleas for a child he said had
cancer. Debunking-Twitter pounced. A tale of collateral damage in the
disinformation age.

https://www.wired.com/story/team-trump45-twitter-hazards-online-sleuthing/


Wisconsin GOP Lost $2.3 Million in an Email Scam (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 1 Nov 2020 23:46:57 -0500
The Wisconsin Republican party this week revealed that they had been
swindled out of $2.3 million, money that had been earmarked for Donald
Trump's reelection campaign. Rather than a sophisticated hack of a bank
account, the incident appears to be yet another case of business email
compromise, a category of scam that has netted billions of dollars for
attackers over the past few years alone. The attackers apparently sent
invoices to GOP officials that looked like they were from official vendors,
but with banking information that routed the money to the schemers instead.
It's the kind of mistake that could happen to anyone—but is especially
inconvenient coming so close to the election.

Cryptocurrency Scammers Hack Donald Trump's Campaign Website

In other "Republicans compromised by avoidable scam" news, hackers managed
to alter Donald Trump's campaign website, albeit for less than 30 minutes.
The hackers made the dubious claim that they had accessed "internal and
secret conversations" relating to Trump, along with links to send them
Monero cryptocurrency. Defacing a website is a far cry from actually hacking
a candidate, though, and it seems unlikely that this amounts to anything
more than an act of digital vandalism.

https://www.wired.com/story/wisconsin-gop-email-scam-ransomware-security-news/


New 'Media Manipulation Casebook' from Harvard teaches how to detect misinformation campaigns (WashPost)

Monty Solomon <monty@roscom.com>
Sun, 1 Nov 2020 19:54:06 -0500
And other lessons on spotting fake news from the News Literacy Project.

https://www.washingtonpost.com/education/2020/10/28/new-media-manipulation-casebook-harvard-teaches-how-detect-misinformation-campaigns/


How a fake persona laid the groundwork for a Hunter Biden conspiracy deluge (NBC News)

Lauren Weinstein <lauren@vortex.com>
Fri, 30 Oct 2020 08:44:07 -0700
https://www.nbcnews.com/tech/security/how-fake-persona-laid-groundwork-hunter-biden-conspiracy-deluge-n1245387?cid=sm_npd_nn_tw_ma


NSA Pot calling Chinese Kettle Black ()

Henry Baker <hbaker1@pipeline.com>
Fri, 30 Oct 2020 15:39:30 -0700
No way the NSA would do that! Huawei?
Black ops matter!

Do we really want unelected NSA spooks to be purposely sabotaging our
cybersecurity? And with code that *will* be repurposed by other state actors
and criminals into weapons and ransomware used against U.S.  companies and
citizens?

The NSA deliberately inserting vulnerabilities into U.S. products is
completely equivalent to the so-called "gain-of-function" virus research
(Google it) that the U.S. accuses China of performing, because there is no
way to control the "blowback" against both friends and enemies.

"NSA now requires that before a back door is sought, the agency must weigh
the potential fallout and arrange for some kind of *warning* if the back
door gets discovered and manipulated by adversaries."

Ha!  Both the CIA and NSA have already had their "Oh Shit!" moments due to
their cyberweapons being exposed and repurposed against the U.S.

A mere "warning" won't be sufficient.

https://www.reuters.com/article/uk-usa-security-congress-insight/spy-agency-ducks-questions-about-back-doors-in-tech-products-idINKBN27D1DP

https://www.cnbc.com/2020/10/28/spy-agency-ducks-questions-about-back-doors-in-tech-products.html

Joseph Menn, Reuters
Spy agency ducks questions about 'back doors' in tech products

SAN FRANCISCO (Reuters) - The U.S. National Security Agency is rebuffing
efforts by a leading Congressional critic to determine whether it is
continuing to place so-called back doors into commercial technology
products, in a controversial practice that critics say damages both
U.S. industry and national security.

The NSA has long sought agreements with technology companies under which
they would build special access for the spy agency into their products,
according to disclosures by former NSA contractor Edward Snowden and
reporting by Reuters and others.

These so-called back doors enable the NSA and other agencies to scan large
amounts of traffic without a warrant. Agency advocates say the practice has
eased collection of vital intelligence in other countries, including
interception of terrorist communications.

The agency developed new rules for such practices after the Snowden leaks in
order to reduce the chances of exposure and compromise, three former
intelligence officials told Reuters. But aides to Senator Ron Wyden, a
leading Democrat on the Senate Intelligence Committee, say the NSA has
stonewalled on providing even the gist of the new guidelines.

"Secret encryption back doors are a threat to national security and the
safety of our families—it's only a matter of time before foreign hackers
or criminals exploit them in ways that undermine American national
security," Wyden told Reuters. "The government shouldn't have any role in
planting secret back doors in encryption technology used by Americans."

The agency declined to say how it had updated its policies on obtaining
special access to commercial products. NSA officials said the agency has
been rebuilding trust with the private sector through such measures as
offering warnings about software flaws.

"At NSA, it's common practice to constantly assess processes to identify and
determine best practices," said Anne Neuberger, who heads NSA's year-old
Cybersecurity Directorate. "We don't share specific processes and
procedures."

Three former senior intelligence agency figures told Reuters that the NSA
now requires that before a back door is sought, the agency must weigh the
potential fallout and arrange for some kind of warning if the back door gets
discovered and manipulated by adversaries.

The continuing quest for hidden access comes as governments in the United
States, the United Kingdom and elsewhere seek laws that would require tech
companies to let governments see unencrypted traffic.  Defenders of strong
encryption say the NSA's sometimes-botched efforts to install back doors in
commercial products show the dangers of such requirements.

Critics of the NSA's practices say they create targets for adversaries,
undermine trust in U.S. technology and compromise efforts to persuade allies
to reject Chinese technology that could be used for espionage, since
U.S. gear can also be turned to such purposes.

In at least one instance, a foreign adversary was able to take advantage of
a back door invented by U.S. intelligence, according to Juniper Networks
Inc, which said in 2015 its equipment had been compromised. In a previously
unreported statement to members of Congress in July seen by Reuters, Juniper
said an unnamed national government had converted the mechanism first
created by the NSA. The NSA told Wyden staffers in 2018 that there was a
"lessons learned" report about the Juniper incident and others, according to
Wyden spokesman Keith Chu.

"NSA now asserts that it cannot locate this document," Chu told Reuters. NSA
and Juniper declined to comment on the matter.

JUNIPER'S COMPROMISE

The NSA has pursued many means for getting inside equipment, sometimes
striking commercial deals to induce companies to insert back doors, and in
other cases manipulating standards - namely by setting processes so that
companies unknowingly adopt software that NSA experts can break, according
to reports from Reuters and other media outlets.

The tactics drew widespread attention starting in 2013, when Snowden
leaked documents referencing these practices.

Tech companies that were later exposed for having cut deals that allowed
backdoor access, including security pioneer RSA, lost credibility and
customers. Other U.S. firms lost business overseas as customers grew wary of
the NSA's reach.

All of that prompted a White House policy review.

"There were all sorts of 'lessons learned' processes," said former White
House cybersecurity coordinator Michael Daniel, who was advising
then-president Barack Obama when the Snowden files erupted. A special
commission appointed by Obama said the government should never "subvert" or
"weaken" tech products or compromise standards.

The White House did not publicly embrace that recommendation, instead
beefing up review procedures for whether to use newly discovered software
flaws for offensive cyber-operations or get them fixed to improve defense,
Daniel and others said.

The secret government contracts for special access remained outside of the
formal review.

"The NSA had contracts with companies across the board to help them out, but
that's extremely protected," said an intelligence community lawyer.

The starkest example of the risks inherent in the NSA's approach involved an
encryption-system component known as Dual Elliptic Curve, or Dual EC. The
intelligence agency worked with the Commerce Department to get the
technology accepted as a global standard, but cryptographers later showed
that the NSA could exploit Dual EC to access encrypted data.

RSA accepted a $10 million contract to incorporate Dual EC into a widely
used web security system, Reuters reported in 2013. RSA said publicly that
it would not have knowingly installed a back door, but its reputation was
tarnished and the company was sold.

Juniper Networks got into hot water over Dual EC two years later. At the end
of 2015, the maker of Internet switches disclosed that it had detected
malicious code in some firewall products. Researchers later determined that
hackers had turned the firewalls into their own spy tool by altering
Juniper's version of Dual EC.

Juniper said little about the incident. But the company acknowledged to
security researcher Andy Isaacson in 2016 that it had installed Dual EC as
part of a "customer requirement," according to a previously undisclosed
contemporaneous message seen by Reuters. Isaacson and other researchers
believe that customer was a U.S. government agency, since only the U.S. is
known to have insisted on Dual EC elsewhere.

Juniper has never identified the customer, and declined to comment for this
story.

Likewise, the company never identified the hackers. But two people familiar
with the case told Reuters that investigators concluded the Chinese
government was behind it. They declined to detail the evidence they used.

The Chinese government has long denied involvement in hacking of any
kind. In a statement to Reuters, the Chinese foreign ministry said
that cyberspace is "highly virtual and difficult to trace. It is
extremely irresponsible to make accusations of hacker attacks without
complete and conclusive evidence. At the same time, we also noticed
that the report mentioned that it was the U.S. intelligence agency -
the National Security Agency - that created this backdoor technology."

NERVOUS COMPANIES

Wyden remains determined to find out exactly what happened at Juniper and
what has changed since as the encryption wars heat up.

This July, in previously unreported responses to questions from Wyden and
allies in Congress, Juniper said that an unidentified nation was believed to
be behind the hack into its firewall code but that it had never investigated
why it installed Dual EC in the first place.

"We understand that there is a vigorous policy debate about whether and how
to provide government access to encrypted content," it said in a July
letter. "Juniper does not and will not insert back doors into its products
and we oppose any legislation mandating back doors."

A former senior NSA official told Reuters that many tech companies remain
nervous about working covertly with the government. But the agencies'
efforts continue, the person said, because special access is seen as too
valuable to give up.

Reporting by Joseph Menn; editing by Jonathan Weber and Edward Tobin


Re: How does Google's monopoly hurt you? (RISKS-32.34)

Julian Bradfield <jcb@inf.ed.ac.uk>
Wed, 28 Oct 2020 08:42:14 +0000
> Back in
> 2008, Brent Simmons published That New Sound, about The Clash's London
> Calling. Here's a challenge: Can you find either of these with Google?
> Even if you read them first and can carefully conjure up exact-match
> strings, and then use the site: prefix? I can't.  [...]

Google    t bray lou reed animal
and you are taken straight to the review.

Google   "Brent Simmons" "That New Sound"
and you are taken straight to the review.

There, that wasn't hard, was it?

Whether Bray's complaint was ever true, it isn't now.


Re: Air Force updates code on plane mid-flight (Baker, RISKS-32.34)

David Alexander <davidalexander440@btinternet.com>
Wed, 28 Oct 2020 15:00:34 +0000 (GMT)
Henry Baker wonders what code could be updated on an airframe dating back to
the 1950s when computers wouldn't fit into an aircraft, especially one as
small as a U2. It's quite simple, newsflash—they updated it, and more
than once. Aircraft receive modifications periodically, some for safety
reasons (e.g., Boeing 737 Max) and some for performance improvement—for
flight, fighting, longevity, sensing or survival.

When I signed the F700 for an RAF airframe before strapping it on back in
the late 70s and 80s they regularly had an entry documenting an
update/upgrade of some sort that the 'driver, airframe' needed to be aware
of. When I got back and signed the airframe in I had to make note of
anything I thought needed attention before anyone else took it skywards
("don't worry Chiefy, you can buff that out...").

Sensor packages get better, computers get smaller and lighter and
technology moves on. Making those changes and integrating technology brings
benefits but also might create all sorts of risks that have been discussed
many times before on this list. I won't repeat the list or approaches for
treating them when you can search the archive.

It's not just built-in computing power either. There is a (long) interview
<https://www.youtube.com/watch?v=4o4XJystc_8> with a U2 pilot on YouTube
where he describes the use of an iPad for navigational purposes, using
Foreflight and checking the weather.

  [I'm sure Peter Ladkin will have much more to say on the subject.]


Re: UK national police computer down for 10 hours after engineer pulled the plug (RISKS-32.34)

Dick Mills <dickandlibbymills@gmail.com>
Wed, 28 Oct 2020 18:07:30 -0400
  "it is at once hard and easy to believe that such a critical system could
  be vulnerable to total failure through the action of one person "switching
  it off"."

I can easily imagine an even bigger outcry if other certain systems were
found to be impossible to switch off by the actions of a single person.


Re: Censorship or Sensibility? (Gold, RISKS-32.34)

Sam Steingold <sds@gnu.org>
Wed, 28 Oct 2020 18:59:08 -0400
> If a company owns newspaper delivery trucks doesn't want to deliver
> newspapers with a story its owners don't like, that's their privilege.
> And the newspapers can decide not to use that company any more.

Alas, today all the newspaper delivery trucks are owned by Facebook, Twitter
and Google. In this oligopoly environment, your argument does not apply.

> "Freedom of the press belongs to the man who owns the press." Same
> with the delivery company.

Precisely.

> "unique legal benefits": those same legal benefits protect Reddit and 4chan
> and Tumbler, and a BBS that I help moderate and several "furry" that I use,
> all of which include some sexually-oriented material. I think section 230 of
> the Communications Decency Act is the greatest boon to free speech ever
> passed by Congress. (And to think it appeared in a law that attempted to
> impose censorship on the Internet...)

I think the exact opposite.

CDA230 created a 3rd option for communications providers: in addition to
"wire providers" (think ATT: no control over content, no responsibility for
it) and "information providers" (think CNN: full control over content, full
responsibility), we now have FB/Twitter/Google who have full control and no
responsibility.

How about applying CDA230 only to _small_ players?
If you have more than 10% of all US users, you cannot censor content.
If you want to censor content, split up the company.

>> Facebook outright “has monopoly power in the market for social
>> networking,'' and that power is “firmly entrenched and unlikely to be
>> eroded by competitive pressure'' from anyone at all due to `high entry
>> barriers' including strong network effects, high switching costs, and
>> Facebook's significant data advantage—that discourage direct
>> competition by other firms to offer new products and services.
>
> Okay, so FB has a lot of economic power. Why? Because they have been highly
> successful in satisfying consumer demand for a place to talk to each other.
>
> I should note that there are a lot of very rich Republicans. I would guess
> that over 75% of billionaires lean Conservative in their views.  Let them
> take some of their money and start right-slanted competitors to Facebook and
> Twitter. It's not cheap, but it's well within the reach of any ten
> billionaires, and if they do it right they might get even richer in the
> process.

Gab tried, and is being suppressed by the existing infrastructure.

In a marketplace ruled by monopolies, the standard libertarian free
market arguments do not apply.

> That's what the competition in the marketplace is supposed to be about.  If
> the "barrier to entry" is simply that you need to invest some money, that is
> no barrier in an age when the US alone has over 500 billionaires, over
> 2,000 worldwide.

No, the barrier to entry is "preferential attachment" (as in random
graph theory).
In the computer communication space the marginal cost of an additional
user is 0, and the benefit for a user of an existing user base is huge
("everyone is on twitter, so who will I talk to on gab?")
This leads to monopolies: Google, FB, Twitter have no
competitors in their respective core spaces.
(The only competition is in the area of AI personal assistants and the
political message of all the offerings is virtually identical).


Re: More on erroneous Alexa/third-party data provider evacuation notices in Boulder County, Colorado (RISKS-32.34)

Dan Jacobson <jidanni@jidanni.org>
Thu, 29 Oct 2020 02:44:14 +0800
My case is I am at home in Firstburg, with my cellphone connected to a tower
in Secondburg, and I am getting warnings meant for Thirdsburg.

Because that part of Thirdsburg is too far away from Thirdsburg Town Hall,
all those addresses have been, by the government, by "temporary arraignment"
changed to Secondburg. Yup, within that remote part of Thirdsburg all the
house addresses say Secondburg in their names, not Thirdsburg.

However actually changing the boundaries is too scary for the elected
officials. So the informal arraignment persists, despite my protests to them
that those boring boundaries stored in geographical information systems do
affect real life.

And there is no way to disable (Taiwan) "Presidential level" cellphone
warnings, beyond "airplane mode".

OK, let's say one day they fix the situation, and I start getting the
Secondburg warnings that I deserve.

But my house is in Firstburg in the first place.

OK, then they should be sending me messages for where my house is
registered, not what cell tower I am connected to.

But wait, what if today I am at a friend's home in Secondburg, and a
disaster is approaching?

OK, (automatically) subscribe me to warnings for both where I am and
where I live. And be sure to say the area name in the warning.


Re: Why cars are more "fragile": more technology has reduced robustness (Drewe, RISKS-32.32)

Martin Ward <martin@gkc.org.uk>
Thu, 29 Oct 2020 18:29:09 +0000
Wols Lists <antlists@youngman.org.uk>
> aiui, UK law defines a "historic vehicle" as one over 25 years old
> ... these cars are exempt from tax, they're now exempt from the MOT

Actually it is over *40* years old, and there has to be no "substantial
changes" made to the vehicle in the last 30 years, for example replacing the
chassis, body, axles or engine to change the way the vehicle works:

https://www.gov.uk/historic-vehicles


Re: F-35s and Teslas? (Re: RISKS-32.34)

3daygoaty <threedaygoaty@gmail.com>
Wed, 28 Oct 2020 13:26:21 +1100
F-35 crashes and Tesla self-drive deployed?

It's perhaps a risk that Teslas don't have an eject feature when the CPU is
overloaded?
