The RISKS Digest
Volume 32 Issue 38

Sunday, 22nd November 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

State-sponsored actors ‘very likely’ looking to attack electricity supply, says intelligence agency
CBC
An Engineer Gets 9 Years for Stealing $10M From Microsoft
WiReD
Shoppers warned against buying cheap electronics online
BBC News
Technology To Catch HOV Lane Violators Is Coming To Virginia
DCist
Migration to new CMS can go embarrassingly wrong
BBC
Researchers hacked a robotic vacuum cleaner to record speech and music remotely
Techxplore.com
Microsoft Is Making a Secure PC Chip with Intel and AMD's Help
WiReD
Internet censorship report
Rob Slade
Online password ‘123456’ more popular than ever and easy to crack
CBC
Apple Lets Some of its Big Sur macOS Apps Bypass Firewall and VPNs
Apple
Apple to pay $113M to settle state investigation into iPhone Batterygate
WashPost
Privacy labeling for Apple apps
Rob Slade
Indistinguishability Obfuscation
WiReD
Why experts urge caution in using covid risk and tracking tools
WashPost
Functional and assurance requirements and CoVID
Rob Slade
Wrong GPS usual suspects First Responder avoidance
Dan Jacobson
Letter to Consumer Reports magazine
Gabe Goldberg
How the U.S. Military Buys Location Data from Ordinary Apps
Vice
'Bot Battle' Shows What Happens When Two AI Programs Go On a Date
Vice
AI is wrestling with a replication crisis
MIT Tech Review
The iOS Covid App Ecosystem Has Become a Privacy Minefield
WiReD
Metrics and CoVID
Rob Slade
Mac certificate check stokes fears that Apple logs every app you run
Ars Technica
Two-Factor Eggs in One Basket
Kent Borg
'Most Secure' U.S. Election Not Without Problems
Lucas Ropek
Election Security Experts Contradict Trump's Voting Claims
Nicole Perlroth
Blockchain Voting Risks Undetectable Nation-Scale Failures
Stilgherrian
Did you know that Dominion's voting software “Allows staff to adjust tally based on review of scanned ballot images?”
Twitter
What happens when you test TCL TV's
Henry Baker
'Cheating detection' goes full Orwell during pandemic
Henry Baker
Re: How to F Up an Airport, including What It's Like to Stress-Test Berlin's Brand New Airport
John Levine
Re: Facial recognition used to identify Lafayette Square protester accused of assault
Chuck Jackson
Re: CPU-Heat Sink Thermal Paste Effectiveness
Charles Cazabon
Re: Whale Sculpture Stops Train From Plunge in the Netherlands
Brian Inglis
Re: Did you know that Dominion's voting software “Allows staff to adjust tally based on review of scanned ballot images”?
PGN
Info on RISKS (comp.risks)

State-sponsored actors ‘very likely’ looking to attack electricity supply, says intelligence agency (CBC)

“Matthew Kruk” <mkrukg@gmail.com>
Wed, 18 Nov 2020 19:51:24 -0700

https://www.cbc.ca/news/politics/cse-threat-assesment-1.5806213

State-sponsored actors are “very likely” trying to shore up their cyber capabilities to attack Canada's critical infrastructure - such as the electricity supply - to intimidate or to prepare for future online assaults, a new intelligence assessment warns.

“As physical infrastructure and processes continue to be connected to the Internet, cyber threat activity has followed, leading to increasing risk to the functioning of machinery and the safety of Canadians,” says a new national cyber threat assessment drafted by the Communications Security Establishment.

“We judge that state-sponsored actors are very likely attempting to develop the additional cyber capabilities required to disrupt the supply of electricity in Canada.”


An Engineer Gets 9 Years for Stealing $10M From Microsoft (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 15 Nov 2020 23:15:45 -0500

A former Microsoft software engineer from Ukraine has been sentenced <https://www.justice.gov/usao-wdwa/pr/former-microsoft-software-engineer-sentenced-nine-years-prison-stealing-more-10-million> to nine years in prison for stealing more than $10 million in store credit from Microsoft's <https://www.wired.com/tag/microsoft/> online store. From 2016 to 2018, Volodymyr Kvashuk worked for Microsoft as a tester, placing mock online orders to make sure everything was working smoothly.

The software automatically prevented shipment of physical products to testers like Kvashuk. But in a crucial oversight, it didn't block the purchase of virtual gift cards. So the 26-year-old Kvashuk discovered that he could use his test account to buy real store credit and then use the credit to buy real products. […]

Kvashuk has been ordered to pay $8.3 million in restitution, though it seems unlikely he'll ever be able to do that. The government says he may be deported after serving his time in prison.

https://www.wired.com/story/an-engineer-gets-9-years-for-stealing-dollar10m-from-microsoft/


Shoppers warned against buying cheap electronics online (BBC News)

Gabe Goldberg <gabe@gabegold.com>
Tue, 17 Nov 2020 16:19:38 -0500

A laptop that caught fire after being fitted with a battery bought on Amazon has prompted safety charity Electrical Safety First to warn of the dangers of buying cheap electronics online.

It said that it had found “some extremely dangerous items” for sale on Amazon, eBay and Wish.

The warnings were echoed by watchdog Which? and the Trading Standards Institute.

The charity wants to see government legislation on the issue.

https://www.bbc.com/news/technology-54973538


Technology To Catch HOV Lane Violators Is Coming To Virginia (DCist)

Gabe Goldberg <gabe@gabegold.com>
Tue, 17 Nov 2020 17:00:09 -0500

https://dcist.com/story/20/11/17/technology-hov-lane-violators-cameras-virginia/

New Technology Allows Virginia To Verify That HOV Drivers Have The Right Number Of Passengers

[Comment already there: Nowadays dolls can be so convincing. The good news is, you only need the top half to simulate a passenger; the bottom half can be reserved for other uses.]

I hope cameras can detect objects as large as trucks which don't belong in Express Lanes! They're frequently there cheating and only rarely do I see one stopped by police.


Migration to new CMS can go embarrassingly wrong (BBC)

Anthony Thorn <anthony.thorn@atss.ch>
Wed, 18 Nov 2020 07:54:52 +0100

On 15 Nov 2020, Radio France International (RFI) published the obituaries of “about 100” personages who were (are) still alive.

Including: the Queen, Clint Eastwood, Pele, Brigitte Bardot, Ayatollah Ali Khamenei, Jimmy Carter, Raul Castro, Bernard Tapie…

https://www.bbc.com/news/world-europe-54965098 https://nypost.com/2020/11/17/french-radio-accidentally-publishes-obits-for-still-alive-celebs/

(I hope the Queen was amused ;-)


Researchers hacked a robotic vacuum cleaner to record speech and music remotely (Techxplore.com)

Richard Stein <rmstein@ieee.org>
Wed, 18 Nov 2020 16:42:27 +0800

https://techxplore.com/news/2020-11-hacked-robotic-vacuum-cleaner-speech.html

“We welcome these devices into our homes, and we don't think anything about it,” said Roy, who holds a joint appointment in the University of Maryland Institute for Advanced Computer Studies (UMIACS). “But we have shown that even though these devices don't have microphones, we can repurpose the systems they use for navigation to spy on conversations and potentially reveal private information.”

What could be the next household device hack target for surveillance? Perhaps that IoT-enabled dental floss dispenser?


Microsoft Is Making a Secure PC Chip with Intel and AMD's Help (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 19 Nov 2020 02:04:05 -0500

The Pluton security processor will give the software giant an even more prominent role in locking down Windows hardware.

https://www.wired.com/story/microsoft-pluton-secure-processor/


Internet censorship report

Rob Slade <rslade@gmail.com>
Thu, 19 Nov 2020 09:10:55 -0800

The University of Michigan has created an automated censorship measuring tool, Censored Planet, and has now released a report from the collected data. https://news.umich.edu/extremely-aggressive-internet-censorship-spreads-in-the-worlds-democracies/

The tool uses public Internet servers, and measures, and reports, when access to Websites is blocked. Billions of measurements are taken automatically, and further filters analyze the data.

The findings, presented at the 2020 ACM Conference on Computer and Communications Security, demonstrate that even democracies are doing considerable censorship, and that tools are in place for much more.


Online password ‘123456’ more popular than ever and easy to crack (CBC)

“Matthew Kruk” <mkrukg@gmail.com>
Wed, 18 Nov 2020 19:48:15 -0700

Maker of password manager app details worst passwords of 2020

https://www.cbc.ca/news/business/nordpass-list-of-most-common-and-worst-passwords-1.5807089

People are still using the most basic of Internet passwords that can be easily cracked, according to a database analysis by password manager NordPass.

Its list of the 200 most common passwords for online accounts in 2020 was released after a review of nearly 275.7 million passwords.

Coming in first was “123456,” used by 2.5 million people, after landing in second place last year. NordPass said it has been breached more than 23.5 million times.

The data shows many people stubbornly cling to using weak passwords, even though they're the worst in terms of security.


Apple Lets Some of its Big Sur macOS Apps Bypass Firewall and VPNs

“Peter G. Neumann” <neumann@csl.sri.com>
Wed, 18 Nov 2020 12:36:23 PST

[via Geoff Goodfellow]

Apple is facing the heat for a new feature in macOS Big Sur that allows many of its own apps to bypass firewalls and VPNs, thereby potentially allowing malware to exploit the same shortcoming to access sensitive data stored on users' systems and transmit them to remote servers.

The issue was first spotted last month by a Twitter user named Maxwell in a beta version of the operating system.

“Some Apple apps bypass some network extensions and VPN Apps,” Maxwell tweeted <https://twitter.com/mxswd/status/1318305284524183552>. “Maps for example can directly access the Internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running.”

But now that the iPhone maker has released the latest version of macOS to the public on November 12, the behavior has been left unchanged, prompting concerns from security researchers, who say the change is ripe for abuse.

Of particular note is the possibility that the bypass can leave macOS systems open to attack, not to mention the inability to limit or block network traffic at users' discretion. According to Jamf security researcher Patrick Wardle <https://twitter.com/patrickwardle/status/1327726496203476992>, the company's 50 Apple-specific apps and processes have been exempted from firewalls like Little Snitch and Lulu.

The change in behavior comes as Apple deprecated support <https://developer.apple.com/support/kernel-extensions/> for Network Kernel Extensions last year in favor of Network Extensions Framework […] https://thehackernews.com/2020/11/apple-lets-some-of-its-big-sur-macos.html


Apple to pay $113M to settle state investigation into iPhone Batterygate (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Thu, 19 Nov 2020 02:13:10 -0500

Apple will pay $113 million to settle an investigation by nearly three dozen states into the tech giant's past practice of slowing customers' old iPhones in an attempt to preserve their batteries.

https://www.washingtonpost.com/technology/2020/11/18/apple-fine-battery/

I think I filed claims for two affected phones; I also had batteries replaced in them for $29/each when Apple was doing that for penance.

I have to say that this…

That December, Apple acknowledged the practice, explaining that it had tweaked its technology starting a year earlier so that some older models, including the iPhone 6S, did not shut down unexpectedly or experience other malfunctions due to excessive demands on their dated batteries. The widespread blowback also prompted Apple to issue a public apology—a rarity for the image-conscious tech giant—and to begin offering battery-replacement discounts for consumers.

…doesn't sound entirely malign—would shutdowns or other malfunctions really have been better than slowdowns?—except it was done secretly. And given the huge set of Settings options, adding battery controls wouldn't have been burdensome. Now, at least, battery health can be user determined (though apparently there are more comprehensive battery tests only Apple can run). And, weirdly, iPadOS doesn't display iPad battery health; you need the nifty/free PC/Mac utility iMazing for that.


Privacy labeling for Apple apps

Rob Slade <rmslade@shaw.ca>
Mon, 16 Nov 2020 11:30:07 -0800

Apple will, as of December 8th, start requiring standardized summaries of information gathering and privacy behaviour for new and updated apps in the app store. https://www.theregister.com/2020/11/06/apple_privacy_advice/ In the announcement, Apple referred to the summaries as being like nutritional labels on food, which phrase seems to have caught the media's imagination.

Details of the requirements are given at https://developer.apple.com/app-store/app-privacy-details/ The “labels” don't seem to be that far removed from the “permissions” that Android apps list, and don't give that much more information about collection.

Having recently created a presentation on differential privacy, it strikes me that this is one of the first outcomes of Apple's grand announcement of its commitment to the technology in 2016. Differential privacy does allow for some version of metrics for privacy, but so far it has been a rather academic exercise.

This announcement doesn't push it much further.


Indistinguishability Obfuscation (WiReD)

Rob Slade <rmslade@shaw.ca>
Mon, 16 Nov 2020 11:47:19 -0800

https://www.wired.com/story/computer-scientists-achieve-the-crown-jewel-of-cryptography/

First reaction: this sounds very much like trying to build a Bell and LaPadula [Multilevel-secure] computer. It sounds like the type of formal and theoretical abstraction that is useful as an exercise, but seldom results in an actual, useful, working device. I am, again, reminded of differential privacy: some great ideas, but the outcomes that people tend to actually present are less than earth-shattering, in reality.

Second reaction: although the article seems to be reasonably detailed, there simply isn't enough information on iO in there to make any real assessment.


Why experts urge caution in using covid risk and tracking tools (WashPost)

Richard Stein <rmstein@ieee.org>
Tue, 17 Nov 2020 11:28:09 +0800

https://www.washingtonpost.com/lifestyle/wellness/understanding-risk-covid-tracker-tools/2020/11/13/95adb654-2504-11eb-952e-0c475972cfc0_story.html

“Instead of relying on any one tool, Landon recommended people use multiple data sources to help with decisions and reference community and federal resources. The CDC recently updated its guidance for Thanksgiving gatherings, suggesting many ways for people to celebrate the holiday without putting themselves or their loved ones at increased risk.”

“’If you unknowingly spread covid to higher-risk individuals in your family, there's no do-over for that,’ Landon said.”

Confronting a go/no-go choice based on imperfect information is an age-old problem.

Second opinions can be helpful, but if their recommendations differ? Choose a 3rd, and accept a “best two-out-of-three” result?

A deficit of civil forbearance appears to sustain COVID-19 pandemic waves in the US. A commonsense vaccine to replenish diminished public trust is urgently needed.


Functional and assurance requirements and CoVID

Rob Slade <rmslade@shaw.ca>
Tue, 17 Nov 2020 08:12:18 -0800

With the recent surges in CoVID-19 cases (pretty much everywhere), parents have become (understandably) concerned about the welfare and safety of their children, particularly at school. There have been widespread calls for school closures, or, at the very least, mandatory mask wearing for all staff and students. However, looking at the situation in terms of both functional and assurance requirements demonstrates that these concerns are unnecessary, or, at least, misplaced.

First let's look at the functional requirements. For the most part, controls against the pandemic are still basic and widely known. But they are problematic in regard to schools. Isolation is the most effective. However, classrooms are too few, and too small, for completely effective isolation. Desktop and other barrier systems are possibly expensive and time-consuming to construct and install in many places, and, in any case, are limited at best. Distance learning carries its own set of problems. Handwashing is good, and, particularly in the younger grades, you can really get students to buy into it. But it's not complete. (And forget trying to get teenagers to do it regularly.) And any teacher knows that telling kids, especially in the primary grades, to keep physically distant from each other is just not going to work. (Actually, if you tell students in the primary grades that it's a game, that their friends are radioactive, and that if they get close enough for their outstretched hand to touch their friends' outstretched hands they'll both explode, it'd probably work. It's the teenagers who seem to think that social distancing means six inches.) And I've written elsewhere about masks, but it is difficult to get kids, particularly younger kids, to wear them consistently and properly.

However, when we look at assurance requirements, we find a much different picture. One of the assurance requirements is detailed contact tracing, looking at where, how, and in what situations the infection actually (as opposed to theoretically) does spread. Part of this, of course, gives us information about which controls actually do work. But often it just gives us information about risk levels. And, even in these “resurgent” times, schools are not dangerous places.

Detailed contact tracing has demonstrated that the number of actual transmissions of the infection in schools is startlingly small, given the problems we have just looked at with functional requirements and controls. In British Columbia, while general case numbers jumped from 5,000 to over 20,000, there were only three outbreaks in schools, and, in those outbreaks, it seems to be impossible to prove that any infections actually took place at school. Schools do seem to reflect the prevalence of the case numbers, and, during this surge, exposure events at schools have increased, but cases of actual transmission seem to be vanishingly small.

Unfortunately, we do not yet have enough data to know exactly why this is the case. It may be that children, particularly young children, have differences in their immune systems that make them less susceptible to the coronavirus, but that would not explain why there are almost no cases of student to teacher transmission. It may be that, despite the problematic nature of the functional controls, the fact that children are better at “sticking to the rules” means that the layered defence works better than in adults (who often seem to think that wearing a mask means you can neglect all the other safeguards). At this point we still don't know enough to explain it.

There are other things that the assurance requirement of detailed contact tracing can demonstrate, but not explain. We have seen that transmission in restaurants is low, but transmission in bars is very much higher. Why is that the case? The two situations are very similar. Bars do the same level of cleaning as restaurants, and often have the same capacity limitations. Alcohol is served at restaurants as well as bars. But bars have higher transmission rates. In fact, the data even shows that transmission rates, in both bars and restaurants, is higher after 10 pm than before. Why? Is it just because patrons are drunker (and drunk people make worse decisions about sticking to the rules)? We can't yet explain why, but we do know that it is the case.

In security, we often pursue functional requirements and neglect assurance. After all, it is functional requirements that direct us to technologies and systems and processes that keep us safe. But it is assurance requirements that tell us whether the technologies and systems and processes actually do keep us safe, or whether we are wasting resources on controls that don't actually do anything for us. We need that assurance.


Wrong GPS usual suspects First Responder avoidance

Dan Jacobson <jidanni@jidanni.org>
Mon, 16 Nov 2020 23:15:43 +0800

Today I noticed that my friends' cell phones' GPS all show the same wrong place when not fully warmed up. Year in and year out.

So that got me thinking, there must be about one of these points every few kilometers.

So all rescue departments need to do is keep a list of them. Then, say, someone calls in “Help me, I'm at xxx.xxx,yyy.yyy,” the First Responders could reply, “Give your GPS a few more minutes to warm up, then call us back.”

Actually they don't need a full list. All they need is the algorithms of how those points are arrived at. Yes, they are like 12.000 for 12.345, but “binary”. Sure, different chips have different algorithms. And maybe AGPS is involved, etc. OK, now generate a list for your local area.

So next time somebody calls in with one of those suspect coordinate pairs, right down to the millimeter, just tell them to take a deep breath…


Letter to Consumer Reports magazine

Gabe Goldberg <gabe@gabegold.com>
Sun, 15 Nov 2020 15:28:06 -0500

Your December TV ratings data includes “Data privacy” and “Data security” columns not mentioned in text. Those deserve explanation, along with advice for enhancing privacy/security. Such as not connecting “smart” TVs to the Internet. I don't, and my large-screen TV works just fine, handling cable, DVD, and Roku content. I avoid the TV snooping or compromising anything and don't miss the TV's remote voice control feature since I use a universal remote to control ALL devices. The TV whines occasionally that it longs to go online but I don't let it—thus also avoiding problems with unneeded software updates. TVs should be TVs, not computers.


How the U.S. Military Buys Location Data from Ordinary Apps

geoff goodfellow <geoff@iconia.com>
Mon, 16 Nov 2020 12:44:23 -1000

A Muslim prayer app with over 98 million downloads is one of the apps connected to a wide-ranging supply chain that sends ordinary people's personal data to brokers, contractors, and the military. […] https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x


'Bot Battle' Shows What Happens When Two AI Programs Go On a Date (Vice)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 16 Nov 2020 12:55:11 -1000

To test its superiority, one AI company put out a call for tech firms to challenge their AI bot head-to-head.

What happens when two AI programs go on a date? Well, apparently, a few stumbles, a lot of flattery, and one, “It is exciting that I get to kill people” comment.

AI company Pandorabots, Inc. and Facebook AI have gone head-to-head in a “Bot Battle” for the ages. Streamed on Twitch, the two programs interacted with each other for three weeks straight. Viewers were able to vote on which company's mascot they believe held conversation the best. Pandorabots' Kuki, a female embodied agent sporting a neon bob haircut, won in a landslide victory picking up 78 percent of the vote. Her opponent was Facebook's Blenderbot, who sports a “Make Facebook Great Again” hat in true Zucker-bro style.

Pandorabots created the competition to put their program on display, a Medium post by Kuki's creator, Steve Worswick, explains. “We are planning to get more bots—and some humans! —into the arena to hang with Kuki. We will also continue to iterate and update the avatars,” he wrote.

During the battle, which drew more than 400,000 views during the three-week stream, the bots talked about everything from the election to an in-depth history of Pac-Man. The two even gave an attempt at making jokes. Remember, the conversation was completely autonomous from human involvement and the bots are running day and night. Still, at best the conversation was followable and somewhat complex. At times it turned into a staring contest where nothing was said. Many of the silences were awkward. And other times the conversation completely derailed into a splurge of courteous compliments. […]

https://www.vice.com/en/article/5dpbaz/bot-battle-shows-what-happens-when-two-ai-programs-go-on-a-date


AI is wrestling with a replication crisis (MIT Tech Review)

geoff goodfellow <geoff@iconia.com>
Sun, 15 Nov 2020 11:00:02 -1000

Tech giants dominate research but the line between real breakthrough and product showcase can be fuzzy. Some scientists have had enough.

Last month Nature published a damning response <https://www.nature.com/articles/s41586-020-2766-y> written by 31 scientists to a study from Google Health <https://www.nature.com/articles/s41586-019-1799-6> that had appeared in the journal earlier this year. Google was describing successful trials of an AI that looked for signs of breast cancer in medical images. But according to its critics, the Google team provided so little information about its code and how it was tested that the study amounted to nothing more than a promotion of proprietary tech.

“We couldn't take it anymore,” says Benjamin Haibe-Kains, the lead author of the response, who studies computational genomics at the University of Toronto. “It's not about this study in particular—it's a trend we've been witnessing for multiple years now that has started to really bother us.”

Haibe-Kains and his colleagues are among a growing number of scientists pushing back against a perceived lack of transparency in AI research. “When we saw that paper from Google, we realized that it was yet another example of a very high-profile journal publishing a very exciting study that has nothing to do with science,” he says. “It's more an advertisement for cool technology. We can't really do anything with it.”

Science is built on a bedrock of trust, which typically involves sharing enough details about how research is carried out to enable others to replicate it, verifying results for themselves. This is how science self-corrects and weeds out results that don't stand up. Replication also allows others to build on those results, helping to advance the field. Science that can't be replicated falls by the wayside.

At least, that's the idea. In practice, few studies are fully replicated because most researchers are more interested in producing new results than reproducing old ones. But in fields like biology and physics—and computer science overall—researchers are typically expected to provide the information needed to rerun experiments, even if those reruns are rare.

Ambitious noob…

[…] https://www.technologyreview.com/2020/11/12/1011944/artificial-intelligence-replication-crisis-science-big-tech-google-deepmind-facebook-openai/


The iOS Covid App Ecosystem Has Become a Privacy Minefield (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 13 Nov 2020 18:29:40 -0500

An analysis of nearly 500 Covid-related apps worldwide shows major differences in how much data they expect you to give up.

The results show that only 47 of that subset of 359 apps use Google and Apple's more privacy-friendly exposure-notification system, which restricts apps to only Bluetooth data collection. More than six out of seven Covid-focused iOS apps worldwide are free to request whatever privacy permissions they want, with 59 percent asking for a user's location when in use and 43 percent tracking location at all times. Albright found that 44 percent of Covid apps on iOS asked for access to the phone's camera, 22 percent of apps asked for access to the user's microphone, 32 percent asked for access to their photos, and 11 percent asked for access to their contacts.

https://www.wired.com/story/covid-19-ios-apps-privacy/

I guess it wants to check whether your photo has been near a photo of someone with Covid.


Metrics and CoVID

Rob Slade <rmslade@shaw.ca>
Tue, 17 Nov 2020 06:01:53 -0800

Another security lesson from CoVID is in regard to metrics. Those who have tried to create security metrics will know, all too well, how difficult it is to choose those that are actually useful, rather than just being collections of numbers. (Brotby and Hinson's PRAGMATIC acronym is very helpful in providing guidance.)

Among the various statistics that CoVID has generated, such as case rates, new cases, doubling time of cases, hospitalization rates, et cetera, one single number that has been consistently useful is the positivity rate. This is the number of cases confirmed, divided by the total tests done. Donald Trump to the contrary, while there are a number of additional factors to consider, it seems to be generally felt that a positivity rate of about two percent is probably reasonable. Any lower, and it is likely that you are testing too many people too indiscriminately, and wasting money and resources. Any higher, and it is likely that you aren't testing enough, and that cases are, or shortly will be, increasing. Positivity has proven itself “Relevant” from the PRAGMATIC list.

Recently, in British Columbia, we have seen how difficult it may be to keep such metrics “Meaningful” and “Accurate.”

BC, often known as “Hollywood North,” is home to a thriving and active film industry. If you are a fan of Hallmark romances and mysteries, and other such “made for TV” fare, chances are very good that they were shot here. (When Gloria and I watch them, it is often as much to play “spot the location” as to follow the plots.) This is especially true now during the pandemic, when BC has been a relatively safe place to do film shoots. There are, of course, a number of restrictions to keep filmmaking safe, some imposed by local health authorities, and some required by unions, particularly from the US and places where the case rates have been much higher, demanding fairly stringent precautions. CoVID testing, in particular, is done regularly, and often very frequently, regardless of how many cases turn up.

Testing for the movie industry is done at private labs, so as not to affect lab capacity for the public health system. However, even so, the testing is “reportable,” and thus the numbers make their way into public figures. The demands of the movie industry are such that 4-5,000 tests may be done daily, at a time when the public testing capacity is about 16,000 tests per day. Since the movie industry definitely “overtests,” the movie numbers artificially depress the overall positivity rate. Our positivity rate in BC may actually be twice what the published figures show.
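As an added illustration of the positivity arithmetic in the item above (example code written for this page, not part of the digest or of Rob Slade's note), the functions below compute the published, pooled positivity rate, strip out a high-volume screening stream to recover the rate for the remaining tests, and bracket that rate when only the screening stream's volume is known. Every count is constructed for the example and is not British Columbia's data; the stream names are placeholders.

```python
"""Positivity-rate dilution by a high-volume, low-prevalence screening stream.

Added example, not from the digest. All test counts are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TestStream:
    """One reporting stream of tests, e.g. public-health labs, or private
    screening labs whose results are still 'reportable' into the same totals."""
    name: str
    tests: int
    positives: int

    @property
    def positivity(self) -> float:
        return self.positives / self.tests if self.tests else 0.0


def pooled_positivity(streams) -> float:
    """The published figure: all positives over all tests, streams mixed."""
    tests = sum(s.tests for s in streams)
    positives = sum(s.positives for s in streams)
    return positives / tests if tests else 0.0


def positivity_excluding(streams, excluded: str) -> float:
    """Positivity of the remaining streams once `excluded` is stripped out;
    this is the number that tracks prevalence in the population being tested
    for cause rather than screened on a schedule."""
    return pooled_positivity([s for s in streams if s.name != excluded])


def positivity_bounds_excluding(total_tests: int, total_positives: int,
                                excluded_tests: int,
                                excluded_positives_max: int):
    """When only the screening stream's volume is public, bracket the true
    positivity of everything else. High bound: the screening stream found no
    positives. Low bound: it found `excluded_positives_max`. Returns (lo, hi)."""
    remaining_tests = total_tests - excluded_tests
    if remaining_tests <= 0:
        raise ValueError("excluded stream cannot be the whole total")
    hi = total_positives / remaining_tests
    lo = (total_positives - min(total_positives, excluded_positives_max)) / remaining_tests
    return lo, hi


# Constructed daily figures (placeholder names; not any jurisdiction's data).
PUBLIC = TestStream("public_health", tests=12_000, positives=592)
SCREENING = TestStream("industry_screening", tests=8_000, positives=8)
STREAMS = [PUBLIC, SCREENING]


if __name__ == "__main__":
    published = pooled_positivity(STREAMS)
    actual = positivity_excluding(STREAMS, "industry_screening")
    lo, hi = positivity_bounds_excluding(20_000, 600, 8_000, excluded_positives_max=8)
    print(f"published (pooled) positivity: {published:.2%}")
    print(f"public-stream positivity:      {actual:.2%}")
    print(f"bounds if screening positives unknown: {lo:.2%} .. {hi:.2%}")
```

The dilution is purely a function of the screening stream's share of total tests: a stream that contributes 40% of the tests and almost none of the positives pulls the pooled figure down by a factor of about 1.67 here, so a metric that looks "Accurate" as a raw quotient stops being "Meaningful" the moment its denominator mixes populations tested for different reasons.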


Mac certificate check stokes fears that Apple logs every app you run (Ars Technica)

Monty Solomon <monty@roscom.com>
Mon, 16 Nov 2020 17:01:11 -0500

Amid concern that macOS logs app usage in real time, Apple issues assurances.

https://arstechnica.com/gadgets/2020/11/mac-certificate-check-stokes-fears-apple-logs-every-app-you-run/


Two-Factor Eggs in One Basket

Kent Borg <kentborg@borg.org>
Mon, 16 Nov 2020 15:42:54 -0800

A friend of mine got the newest iPhone. Being latest and greatest he wants it to be all 5G-est, too, and that part isn't working right. Word is he needed a different SIM, and I don't follow all the details.

Anyway, at this point some Verizon person probably needs to walk through network settings to fix something set wrong. Okay.

But my friend takes covid-19 seriously and doesn't want to go to the store. Okay, smart.

I'm sure he could go through the settings by phone call.

Nope: My friend hopped on the two-factor bandwagon and Verizon won't talk to him without texting him aboard their two-factor ritual, and he says that doesn't work with the new SIM. Sure, he could put in the old SIM where it does work, but he needs to debug the 5G SIM…

I've always thought two-factor was a great idea for really high value accounts, with lots of talented high end support at the ready, but I don't understand why people think it scales to everyone for everything.


'Most Secure' U.S. Election Not Without Problems

ACM TechNews <technews-editor@acm.org>
Wed, 18 Nov 2020 12:19:16 -0500 (EST)

Lucas Ropek, Government Technology, 16 Nov 2020 via ACM TechNews, Wednesday, November 18, 2020

Although federal officials declared the 2020 presidential election the “most secure in American history,” there were still technical problems. Alleged software glitches caused mistakes in vote tabulation for both presidential and local races in certain counties, while some communities suffered temporary miscounts due to clerical errors. Threats of foreign interference appear to have been countered by greater vigilance and stronger cyberdefenses by watchdogs like the Cybersecurity and Infrastructure Security Agency, and multi-stakeholder collaboration and information sharing. However, disinformation and misinformation have continued to fuel polarization of the electorate. Former ACM president Barbara Simons urges greater transparency and committed investment in auditable machinery as top priorities, along with curtailing the use of paperless voting machines.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28148x226823x070792&


Election Security Experts Contradict Trump's Voting Claims (Nicole Perlroth)

“Peter G. Neumann” <neumann@csl.sri.com>
Tue, 17 Nov 2020 15:43:35 PST

Nicole Perlroth, The New York Times, 16 Nov 2020
Election Security Experts Contradict Trump's Voting Claims
https://www.nytimes.com/2020/11/16/business/election-security-letter-trump.html

Fifty-nine of the country's top computer scientists and election security experts rebuked President Trump's baseless claims of voter fraud and hacking on Monday, writing that such assertions are “unsubstantiated or are technically incoherent.”

The rebuttal, in a letter to be published on various websites, did not mention Mr. Trump by name but amounted to another forceful corrective to the torrents of disinformation that he has posted on Twitter. “Anyone asserting that a U.S. election was rigged is making an extraordinary claim, one that must be supported by persuasive and verifiable evidence.” In the absence of evidence, they added, it is simply ‘speculation’. “To our collective knowledge, no credible evidence has been put forth that supports a conclusion that the 2020 election outcome in any state has been altered through technical compromise,” they wrote. […]


Blockchain Voting Risks Undetectable Nation-Scale Failures (Stilgherrian)

ACM TechNews <technews-editor@acm.org>
Mon, 16 Nov 2020 12:18:26 -0500 (EST)

Stilgherrian, ZDNet, 16 Nov 2020 via ACM TechNews, Monday, November 16, 2020

A study by Massachusetts Institute of Technology (MIT) researchers labeled assertions that Internet- and blockchain-based voting would boost election security “misleading,” adding that they would “greatly increase the risk of undetectable, nation-scale election failures.” The MIT team analyzed previous research on the security risks of online and offline voting systems, and found blockchain solutions are vulnerable to scenarios where election results might have been erroneously or deliberately changed. The MIT researchers proposed five minimal election security mandates: ballot secrecy to deter intimidation or vote-buying; software independence to verify results with something like a paper trail; voter-verifiable ballots, where voters themselves witness that their vote has been correctly recorded; contestability, where someone who spots an error can persuade others that the error is real; and an auditing process.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28090x22672ex070514&


Did you know that Dominion's voting software “Allows staff to adjust tally based on review of scanned ballot images?” (Twitter)

the keyboard of geoff goodfellow <geoff@iconia.com>
Tue, 17 Nov 2020 07:22:00 -1000

> https://twitter.com/CodeMonkeyZ/status/1328342166007992323
> So there would be a record if anything was changed.

PGN Response:

If you believe audit records cannot be hacked, we are still offering the Brooklyn Bridge at a huge discount.

On the other hand, the DREs of a decade ago when we were fighting the lack of an audit trail did not even pretend to have a meaningful audit trail.
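An added illustration of the point above, written for this digest entry rather than taken from it or from any voting-system vendor's software: an audit record stored as a plain list can be edited or deleted after the fact with nothing to show for it, whereas a hash-chained log whose head hash is kept off the logging host makes such changes detectable on verification. The tally events below are constructed sample data; the field names are assumptions.

```python
"""Tamper-evident audit log via hash chaining (added example, not vendor code).

Each entry carries SHA-256(previous hash || canonical JSON of the entry body),
so an edit breaks that entry's hash, a deletion or reordering breaks every later
entry, and a full rewrite of the chain is caught only by comparing the final
hash against a head value stored somewhere the log host cannot reach.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # chain anchor; a real deployment keeps this off-host too


def _record_hash(prev_hash: str, body: Dict[str, Any]) -> str:
    """Hash of (previous entry hash || canonical JSON of this entry's body)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Append an event, binding it to the hash of the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "event": event}
    entry = dict(body, hash=_record_hash(prev, body))
    chain.append(entry)
    return entry


def verify(chain: List[Dict[str, Any]], anchor: str = GENESIS,
           expected_head: Optional[str] = None) -> Dict[str, Any]:
    """Recompute the chain; report entries whose hash or position is wrong.

    `expected_head` is the last hash as recorded off-host; without it a tamperer
    who rewrites every hash after editing an entry goes unnoticed.
    """
    bad: List[int] = []
    prev = anchor
    for expected_seq, entry in enumerate(chain):
        body = {"seq": entry["seq"], "event": entry["event"]}
        if entry["seq"] != expected_seq or _record_hash(prev, body) != entry["hash"]:
            bad.append(expected_seq)
        prev = entry["hash"]
    head_ok = expected_head is None or prev == expected_head
    return {"bad_entries": bad, "head_ok": head_ok}


def demo() -> Dict[str, Dict[str, Any]]:
    """Build a small log, then verify three tampered copies of it."""
    chain: List[Dict[str, Any]] = []
    # Constructed sample events modelled on a scan-and-adjust tally workflow.
    append(chain, {"user": "clerk1", "action": "scan", "ballot": "B-0001", "tally": {"A": 1}})
    append(chain, {"user": "clerk1", "action": "scan", "ballot": "B-0002", "tally": {"B": 1}})
    append(chain, {"user": "admin", "action": "adjust", "ballot": "B-0002",
                   "tally": {"A": 1}, "reason": "review of scanned image"})
    append(chain, {"user": "clerk2", "action": "scan", "ballot": "B-0003", "tally": {"A": 1}})
    head = chain[-1]["hash"]  # would be published or stored off-host

    # 1. Silent edit of the adjustment record's stated reason.
    edited = copy.deepcopy(chain)
    edited[2]["event"]["reason"] = "smudge"

    # 2. Deletion of the adjustment record altogether.
    deleted = copy.deepcopy(chain)
    del deleted[2]

    # 3. Edit plus recomputation of every hash: only the anchored head reveals it.
    rewritten = copy.deepcopy(chain)
    rewritten[2]["event"]["reason"] = "smudge"
    prev = GENESIS
    for entry in rewritten:
        entry["hash"] = _record_hash(prev, {"seq": entry["seq"], "event": entry["event"]})
        prev = entry["hash"]

    return {
        "intact": verify(chain, expected_head=head),
        "edited": verify(edited, expected_head=head),
        "deleted": verify(deleted, expected_head=head),
        "rewritten": verify(rewritten, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} bad_entries={result['bad_entries']} head_ok={result['head_ok']}")
```

The third case is the one the quip is about: whoever can write the log can also rewrite the hashes, so the chain by itself only proves that nobody tampered after the last hash was computed. Detection depends on the head hash (or a paper trail that plays the same role) being held by a party the log's operator cannot silently overrule.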


What happens when you test TCL TV's

Henry Baker <hbaker1@pipeline.com>
Fri, 13 Nov 2020 14:39:51 -0800

The Chinese have us by their Ten TCL's :-)

You really have to read this TCL ‘Smart’ TV vulnerability report all the way through; you don't have to be a Linux wizard to start laughing, and it gets better and better as you read!

I don't know which is scarier: the vulnerabilities themselves, or the lack of response from TCL together with a sneaky ‘silent’ update to ‘fix’ these (wink, wink) ‘bugs’.

I knew there was a reason why I never enabled the Internet connection on my ‘smart’ TV; I allow HDMI only.

Previews:

“Port 22 open and allowing SSH access as root:root out of the box”

“When in the history of your career… Have you ever needed to serve the entire filesystem… over http?”

TCL me, Elmo!!

https://sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/

Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World's 3rd Largest TV Manufacturer.


'Cheating detection' goes full Orwell during pandemic

Henry Baker <hbaker1@pipeline.com>
Mon, 16 Nov 2020 09:03:04 -0800

I've heard of the ‘school-to-prison pipeline’, but I had no idea how short this pipeline had become…

I think they may possibly have misspelled “proctoring” when they referred to contacting a back door into your computer. :-)

Drew Harwell, The Washington Post
Cheating-detection companies made millions during the pandemic. Now students are fighting back. […]

https://www.msn.com/en-us/news/us/cheating-detection-companies-made-millions-during-the-pandemic-now-students-are-fighting-back/ar-BB1aX8Qa


Re: How to F Up an Airport, including What It's Like to Stress-Test Berlin's Brand New Airport (Goldberg)

“John Levine” <johnl@iecc.com>
13 Nov 2020 20:04:19 -0500

The Radio Spätkauf podcast has a five part series called “How to F* Up an Airport” on the bizarre and sad history of the new Berlin airport.

Many of the failures were due to political interference and a staggering level of arrogance and incompetence, but a certain amount is technical, such as the fact that physics tells us that if you increase the size of the terminal, the ventilation requirements and particularly the emergency smoke removal ventilation do not scale linearly. Or that it is not a good idea to cram power and signal wires into the same undersized pipe.

It includes a segment about the dress rehearsal described in the Atlas Obscura page. They said it included plenty of very bad coffee.

https://player.fm/series/how-to-feuk-up-an-airport


Re: Facial recognition used to identify Lafayette Square protester accused of assault (Levine, RISKS-32.37)

Chuck Jackson <clj@jacksons.net>
Fri, 13 Nov 2020 21:46:10 -0500

Here's a quote (emphasis added) from The Washington Post article on this event:

After the demonstration, Park Police tracked him through Twitter and sent the image to the Maryland-National Capital Park Police in Prince George's County, which ran it through NCRFRILS, returning Michael Joseph Peterson Jr. as a possible match, the court documents state. Authorities said they also found a backpack at the scene of the protests containing Peterson's ID.

Apparently, he took off leaving his driver's license behind.


Re: CPU-Heat Sink Thermal Paste Effectiveness (Stein, RISKS-32.37)

Charles Cazabon <charlesc-risks-digest@pyropus.ca>
Fri, 13 Nov 2020 21:23:14 -0600

  1. No AMD Ryzen processor from the Ryzen 5, Ryzen 7, or Ryzen 9 families, whether from the 1st-gen 1000 series, 2nd-gen 2000-series, 3rd-gen 3000 series, or the new 5000 series requires liquid cooling. All are perfectly capable of working at their full specified speeds with a quality air cooler; all but the most recent top-spec versions shipped with such a cooler. They can typically be overclocked, and they will overclock better with liquid cooling, but it is by no means necessary.
  2. Pretty much any substance with a significant amount of water in it will transfer heat effectively from a CPU to its heatsink (*); CPU cooling is simply not a particularly demanding application. The advantages in quality heatsink thermal compounds are not in efficacy, but in other areas - less “creep” out of the joints, easier application, longer life without drying out, etc.

(*) Dan Rutter of dansdata.com famously did a comparison in 2002 of various thermal compounds, from cheap white zinc-based thermal paste to fancy silver-loaded silicone formulations, to toothpaste (!) and vegemite (!!). http://www.dansdata.com/goop.htm


Re: Whale Sculpture Stops Train From Plunge in the Netherlands (RISKS-32.37)

Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
Mon, 16 Nov 2020 22:32:18 -0700

> It was only a fluke that the driver wasn't killed.
>  [But “a fluke” is also a fish, which the whale is not.  PGN]

It was just a fluke it landed on a fluke, which is a tail of a whale, and nobody was killed, so it's a whale of a tale about “Whale Tails”, which is named a fluke as well as called a fluke.


Re: Did you know that Dominion's voting software “Allows staff to adjust tally based on review of scanned ballot images”? (RISKS-32.38)

“Peter G. Neumann” <neumann@csl.sri.com>
Wed, 18 Nov 2020 13:43:53 PST

> So there would be a record if anything was changed.

If you believe audit records cannot be hacked, we are still offering the Brooklyn Bridge at a huge discount.

On the other hand, the DREs of a decade ago when we were fighting the lack of an audit trail did not even pretend to have a meaningful audit trail.
