The RISKS Digest
Volume 32 Issue 40

Friday, 11th December 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

GE puts default password in radiology devices, leaving healthcare networks exposed
Ars Technica
COVID data manager investigated, raided for using publicly available password
Ars Technica
Having one password makes it easier in Florida
Ars Technica
Amnesia: Critical TCP/IP Flaws Affect Millions of IoT Devices
The Hacker News
Russian SVR intel service hacks FireEye, obtaining “red team” tools
PGN
Former Israeli space security chief says aliens exist, humanity not ready
The Jerusalem Post
CDC Call for Data on Vaccine Recipients Raises Alarm Over Privacy
DNYUZ
How to steal photos off someone's iPhone from across the street
Naked Security
Global losses from cybercrime skyrocketed to nearly $1 trillion in 2020, new report finds
The Washington Post
Digital stethoscope uses artificial intelligence for diagnosing lung abnormalities
medicalxpress.com
Police Drones Starting to Think for Themselves
Cade Metz
AI Can Run Your Work Meetings Now
WiReD
The coming war on the hidden algorithms that trap people in poverty
Tech Review
HP Ends ‘Free Ink for Life’ Subscription Plan
Consumer Reports
Waymo Terms of Service
waymo.com
Amazon Wants to Get Even Closer. Skintight
The New York Times
Designed A Smartwatch App To Help Stop His Dad's Nightmares
npr.org
Differential Privacy for Ordinary Security Mavens
Rob Slade
Re: Looking for ways to prevent price collusion with AI systems
Wol
Re: How 30 Lines of Code Blew Up a 27-Ton Generator
Martin Ward
Re: Utah monolith: Internet sleuths got there, but its origins are still a mystery
Amos Shapir
Re: Is Alexa Becoming Anti-semitic
John Wunderlich
Re: Rashida Tlaib takes on stablecoins, not cryptocurrency
John Levine
Re: Keyhole wasps may threaten aviation safety
Richard Stein, Carlos Villalpando
Info on RISKS (comp.risks)

GE puts default password in radiology devices, leaving healthcare networks exposed (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Wed, 9 Dec 2020 01:21:54 -0500

Fixing the critical vulnerability isn't straightforward and comes with its own risks.

Dozens of radiology products from GE Healthcare contain a critical vulnerability that threatens the networks of hospitals and other health providers that use the devices, officials from the US government and a private security firm said on Tuesday.

The devices, used for CT scans, MRIs, X-rays, mammograms, ultrasounds, and positron emission tomography, use a default password to receive regular maintenance. The passwords are available to anyone who knows where on the Internet to look. A lack of proper access restrictions allows the devices to connect to malicious servers rather than only those designated by GE Healthcare. Attackers can exploit these shortcomings by abusing the maintenance protocols to access the devices. From there, the attackers can execute malicious code or view or modify patient data stored on the device or the hospital or healthcare provider servers.

Aggravating matters, customers can’t fix the vulnerability themselves. Instead, they must request that the GE Healthcare support team change the credentials. Customers who don’t make such a request will continue to rely on the default password. Eventually, the device manufacturer will provide patches and additional information.

https://arstechnica.com/information-technology/2020/12/default-password-in-radiology-devices-leaves-healthcare-networks-open-to-attack/


COVID data manager investigated, raided for using publicly available password (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Thu, 10 Dec 2020 19:28:50 -0500

Not only does the whole state share one password, but it's posted publicly.

Florida police said a raid they conducted Monday <https://arstechnica.com/tech-policy/2020/12/florida-police-raid-home-of-former-state-coronavirus-data-manager/> on the Tallahassee home of Rebekah Jones, a data scientist the state fired from her job in May, was part of an investigation into an unauthorized access of a state emergency-responder system. It turns out, however, that not only do all state employees with access to that system share a single username and password, but also those credentials are publicly available on the Internet for anyone to read.

https://arstechnica.com/tech-policy/2020/12/florida-posted-the-password-to-a-key-disaster-system-on-its-website/


Having one password makes it easier in Florida (Ars Technica)

wb8foz <wb8foz@panix.com>
Wed, 9 Dec 2020 14:35:23 -0500

So Rebekah Jones was a state data scientist [in] Florida until she got fired from her Dept. of Health job in May for posting COVID stats that made Governor Ronald DeSantis mad.

She had further upset DeSantis by privately continuing to post COVID stats for FL.

She got raided by Florida Dept of Law Enforcement agents a few days ago. The basis for the warrant was the allegation she had posted a message to the DOH mailing list.

Now ARS has reported that not only does the DOH system with the list have only one login & password for all 1700 users, but it's also posted on-line.

So besides the question of whether she did post that message, one wonders if it is [il]legal to use a system with published login/PW data?

<https://arstechnica.com/tech-policy/2020/12/florida-posted-the-password-to-a-key-disaster-system-on-its-website/>


Amnesia: Critical TCP/IP Flaws Affect Millions of IoT Devices (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Thu, 10 Dec 2020 09:41:03 -1000

Cybersecurity researchers disclosed a dozen new flaws in multiple widely-used embedded TCP/IP stacks impacting millions of devices ranging from networking equipment and medical devices to industrial control systems that could be exploited by an attacker to take control of a vulnerable system.

Collectively called “AMNESIA:33 <https://www.forescout.com/research-labs/amnesia33/>” by Forescout researchers, it is a set of 33 vulnerabilities that impact four open-source TCP/IP protocol stacks—uIP, FNET, picoTCP, and Nut/Net—that are commonly used in Internet-of-Things (IoT) and embedded devices.

As a consequence of improper memory management, successful exploitation <https://kb.cert.org/vuls/id/815128> of these flaws could cause memory corruption, allowing attackers to compromise devices, execute malicious code, perform denial-of-service (DoS) attacks, steal sensitive information, and even poison DNS caches.

In the real world, these attacks could play out in various ways: disrupting the functioning of a power station to result in a blackout or taking smoke alarm and temperature monitor systems offline by using any of the DoS vulnerabilities.

The flaws, which will be detailed today at the Black Hat Europe Security Conference <https://www.blackhat.com/eu-20/briefings/schedule/index.html#how-embedded-tcpip-stacks-breed-critical-vulnerabilities-21503>, were discovered as part of Forescout's Project Memoria initiative to study the security of TCP/IP stacks. […] https://thehackernews.com/2020/12/amnesia33-critical-tcpip-flaws-affect.html


Russian SVR intel service hacks FireEye, obtaining “red team” tools (Sundry)

Peter G Neumann <neumann@CSL.SRI.COM>
Tue, 8 Dec 2020 16:19:33 -0500

https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html
https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html


Former Israeli space security chief says aliens exist, humanity not ready (The Jerusalem Post)

geoff goodfellow <geoff@iconia.com>
Mon, 7 Dec 2020 16:10:41 -1000

This “Galactic Federation” has supposedly been in contact with Israel and the US for years, but are keeping themselves a secret to prevent hysteria until humanity is ready.

Has the State of Israel made contact with aliens?

According to retired Israeli general and current professor Haim Eshed, the answer is yes, but this has been kept a secret because “humanity isn't ready.”

Speaking in an interview to Yediot Aharonot, Eshed—who served as the head of Israel's space security program for nearly 30 years and is a three-time recipient of the Israel Security Award—explained that Israel and the US have both been dealing with aliens for years.

And this by no means refers to immigrants, with Eshed clarifying the existence of a “Galactic Federation.”

The 87-year-old former space security chief gave further descriptions about exactly what sort of agreements have been made between the aliens and the US, which ostensibly have been made because they wish to research and understand “the fabric of the universe.” This cooperation includes a secret underground base on Mars, where there are American and alien representatives. […] https://www.jpost.com/omg/former-israeli-space-security-chief-says-aliens-exist-humanity-not-ready-651405


CDC Call for Data on Vaccine Recipients Raises Alarm Over Privacy (DNYUZ)

geoff goodfellow <geoff@iconia.com>
Wed, 9 Dec 2020 08:21:26 -1000

The Trump administration is requiring states to submit personal information of people vaccinated against Covid-19—including names, birth dates, ethnicities and addresses—raising alarms among state officials who fear that a federal vaccine registry could be misused.

The Centers for Disease Control and Prevention is instructing states to sign so-called data use agreements that commit them for the first time to sharing personal information in existing registries with the federal government. Some states, such as New York, are pushing back, either refusing to sign or signing while refusing to share the information. <https://www.cdc.gov/vaccines/covid-19/reporting/downloads/vaccine-administration-data-agreement.pdf>

Gov. Andrew M. Cuomo of New York warned that the collection of personal data could dissuade undocumented people from participating in the vaccination program. He called it “another example of them trying to extort the State of New York to get information that they can use at the Department of Homeland Security and ICE that they'll use to deport people.”

Administration officials say that the information will not be shared with other federal agencies and that it is needed for several reasons: to ensure that people who move across state lines receive their follow-up doses; to track adverse reactions and address safety issues; and to assess the effectiveness of the vaccine among different demographic groups. […] https://dnyuz.com/2020/12/08/c-d-c-call-for-data-on-vaccine-recipients-raises-alarm-over-privacy/


How to steal photos off someone's iPhone from across the street (Naked Security)

Peter Neumann <neumann@csl.sri.com>
Sat, 5 Dec 2020 13:14:36 PST

For your amusement (?), from someone in our lab.

Hollywood version:

Imagine that Ethan Hunt (or Ilsa Faust) walked up to chat with you, and the conversation lasted for several minutes. (To satisfy COVID-safety requirements, all people involved wore a mask in this scene.) He (or she) thanked you and walked away. You might think that this was your lucky day, but then you remembered Ian Beer's iOS attack, and you hadn't had time to patch your iPhone … needless to say, the secrets stored in your phone were now in the hands of Hunt (or Faust).

Geek version:

https://nakedsecurity.sophos.com/2020/12/02/how-to-steal-photos-off-someones-iphone-from-across-the-street/

If you'd like to challenge yourselves with hardcore details, here's Ian Beer's blog post: https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html


Global losses from cybercrime skyrocketed to nearly $1 trillion in 2020, new report finds (The Washington Post)

Richard Stein <rmstein@ieee.org>
Tue, 8 Dec 2020 09:39:38 +0800

https://www.washingtonpost.com/politics/2020/12/07/cybersecurity-202-global-losses-cybercrime-skyrocketed-nearly-1-trillion-2020/

“Estimated global losses from cybercrime are projected to hit just under a record $1 trillion for 2020 as the coronavirus pandemic provided new opportunities for hackers to target consumers and businesses.”

“The projection of $945 billion in losses, from a new report out today from the Center for Strategic and International Studies and computer security company McAfee, is almost double the monetary loss from cybercrime than the $500 billion in 2018.”

“The report underscores the growing dangers that ransomware attacks by foreign criminal enterprises posed to American industries. Lawmakers have been deeply concerned about the impact of such attacks, including on the financial and health-care sectors, in the pandemic.”

https://en.wikipedia.org/wiki/World_economy#World_economy_by_country_groups (retrieved on 08DEC2020) estimates annual global economic output @ ~US$ 87.5T. US$ 0.945T/US$ 87T ~= 1.1% of output skimmed via cybertheft of various flavors.

Cyberinsurance premiums will rise. Businesses that cannot afford the expense for insurance and proactive measures to secure their personnel, processes, and infrastructure might close or be bought out by competitors.

“Cybercrime-whackamole-control” is impossible without coordinated international and transnational law enforcement agencies. Significant engagement appears missing. Some countries enable and encourage cybertheft/extortion to harass enemies and boost their own economies.

Risk: Global economic destabilization.


Digital stethoscope uses artificial intelligence for diagnosing lung abnormalities (medicalxpress.com)

Richard Stein <rmstein@ieee.org>
Tue, 8 Dec 2020 18:20:18 +0800

https://medicalxpress.com/news/2020-12-digital-stethoscope-artificial-intelligence-lung.html

“‘Because it can take recordings and telemeter them to physicians, clinical support can be provided for hard-to-reach areas or areas requiring increased medical support,’ said West.”

“The digital stethoscope also features noise suppression to enhance the auditory signal from the lungs, simplifying the diagnosis process.”

“‘The noise suppression is a critical aspect that allows it to be used in even challenging clinics, like we see popping up with increased COVID hospitalizations,’ West said. ‘No training is required. Noise suppression runs automatically on the device and provides clear body sounds.’”

“‘In tests of the device, physicians were found to favor it over 95% of the time compared to traditional techniques. Once the algorithm is further improved, the digital stethoscope can be distributed to the field.’”

One expects an AI stethoscope to correctly distinguish and discriminate respiratory sounds from lungs afflicted by pneumonia, chronic obstructive pulmonary disorder, silicosis, emphysema, or bronchitis.

Whatever an AI stethoscope detects and diagnoses requires additional clinical assessment to confirm initial diagnosis: blood chemistry, x-ray, lung capacity, biopsy, CAT/MRI, etc. Trust but verify.

Noise suppression mechanisms, if not applied carefully, can erroneously modify (damp or amplify) respiratory harmonics which might render an inaccurate diagnosis. The AI stethoscope's diagnostic capabilities will ideally demonstrate diagnosis based on low false positive/negative outcomes with high-fidelity receiver operating characteristics.

Risk: Inappropriately indicated treatment protocols based on AI-stethoscope diagnosis.


Police Drones Starting to Think for Themselves (Cade Metz)

ACM TechNews <technews-editor@acm.org>
Mon, 7 Dec 2020 11:56:01 -0500 (EST)

Cade Metz, The New York Times, 5 Dec 2020, via ACM TechNews, 7 Dec 2020

Police agencies in four U.S. cities are participating in the Drone as First Responder program, launching unmanned aerial vehicles in response to emergency calls. The Chula Vista, CA, police dispatch drones, with a federally certified pilot on the roof of the Police Department to oversee launches and pilot the drones upon their return; a special drone from Silicon Valley's Skydio avoids obstacles on its own and can follow a particular person or vehicle. The latest drone technology would allow police to operate autonomous drones relatively inexpensively, although civil liberties proponents are concerned. Greater police use of drones could eliminate any expectation of privacy outside the home, as the drones collect and store more video footage. The American Civil Liberties Union's Jay Stanley said, “It could allow law enforcement to enforce any area of the law against anyone they want.” https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28602x226c2ax068361&


AI Can Run Your Work Meetings Now (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 7 Dec 2020 18:01:08 -0500

[Of special interest to organization secretaries! ;-)]

A new wave of startups is trying to optimize meetings, from automated scheduling tools to facial recognition that measures who's paying attention.

Headroom aims to tackle the social distance of virtual meetings in a few ways. First, it uses computer vision to translate approving gestures into digital icons, amplifying each thumbs up or head nod with little emojis that the speaker can see. Those emojis also get added to the official transcript, which is automatically generated by software to spare someone the task of taking notes. Green and Rabinovich say this type of monitoring is made clear to all participants at the start of every meeting, and teams can opt out of features if they choose.

More uniquely, Headroom's software uses emotion recognition to take the temperature of the room periodically, and to gauge how much attention participants are paying to whomever is speaking. Those metrics are displayed in a window on-screen, designed mostly to give the speaker real-time feedback that can sometimes disappear in the virtual context. “If five minutes ago everyone was super into what I'm saying and now they're not, maybe I should think about shutting up,” says Green.

https://www.wired.com/story/ai-can-run-work-meetings-now-headroom-clockwise/

For those of us who hate being on camera, I hope the software enjoys looking at my profile picture.

More seriously, there's not a word about how this AI has been trained. What could go wrong?


The coming war on the hidden algorithms that trap people in poverty (Tech Review)

“Matthew Kruk” <mkrukg@gmail.com>
Tue, 8 Dec 2020 20:25:32 -0700

A growing group of lawyers are uncovering, navigating, and fighting the automated systems that deny the poor housing, jobs, and basic services.

https://www.technologyreview.com/2020/12/04/1013068/algorithms-create-a-poverty-trap-lawyers-fight-back/


HP Ends ‘Free Ink for Life’ Subscription Plan (Consumer Reports)

Gabe Goldberg <gabe@gabegold.com>
Thu, 10 Dec 2020 20:31:20 -0500

Rescinding the lifetime deal is already sparking criticism from Instant Ink subscribers

“HP Regularly reviews pricing and makes adjustments based on a variety of factors. Our updated Instant Ink subscription pricing plans include ending the free printing plan option while allowing for more roll-over flexibility, options, and benefits.”

https://www.consumerreports.org/printers/hp-ends-free-ink-for-life/

Just like limiting unlimited bandwidth, terminating free-for-life.


Waymo Terms of Service (waymo.com)

Richard Stein <rmstein@ieee.org>
Mon, 7 Dec 2020 12:00:03 +0800

https://waymo.com/terms/ retrieved on 07DEC2020 (Pearl Harbor Day!)

NOTE: Capitalized words used selectively for emphasis.

“9. Indemnification”

“To the fullest extent permitted by applicable law, YOU will INDEMNIFY, DEFEND, and HOLD HARMLESS Waymo and its affiliates, and each of their respective officers, directors, agents, partners and employees (individually and collectively, the ‘Waymo Parties’) FROM AND AGAINST ANY loss, liability, claim, demand, damages, expenses or costs (‘Claims’) arising out of or related to (a) your ACCESS to or USE of our Services; (b) your User Content or Feedback; (c) your violation of these Terms; (d) your violation, misappropriation or infringement of any rights of another (including intellectual property rights or privacy rights); and (e) your conduct in connection with our Services. You agree to promptly notify Waymo Parties of any third-party Claims, cooperate with Waymo Parties in defending such Claims and pay all fees, costs and expenses associated with defending such Claims (including, but not limited to, attorneys' fees). You also agree that the Waymo Parties will have control of the defense or settlement, at Waymo's sole option, of any third-party Claims. This indemnity is in addition to, and not in lieu of, any other indemnities set forth in a written agreement between you and Waymo or the other Waymo Parties.”

Ironclad indemnification protects Waymo Parties arising from Service incidents, mishaps, or injuries.

“11. Limitation of Liability”

“To the fullest extent permitted by applicable law, Waymo and the other Waymo Parties will not be liable to you under any theory of liability — whether based in contract, tort, negligence, strict liability, warranty, or otherwise—for any indirect, consequential, exemplary, incidental, punitive or special damages or lost profits, even if Waymo or the other Waymo Parties have been advised of the possibility of such damages.”

“The total liability of Waymo and the other Waymo Parties, for any claim arising out of or relating to these Terms or our Services, regardless of the form of the action, is limited to the amount paid, if any, by you to use our Services.”

If Waymo's liability is miraculously established, the cost of the Service will be reimbursed.

Given these service terms, is it any wonder why the DV industry is poised for “blastoff”?

The National Safety Council publishes https://injuryfacts.nsc.org/all-injuries/preventable-death-overview/odds-of-dying/ (retrieved on 07DEC2020).

The odds of dying in a motor vehicle accident are 1 in 106. The DV industry is betting that their services can beat these odds. Is their bet a beneficial “risk shift” (public risk for private profit) or will it become yet another example of “Profit Without Honor” (https://www.amazon.com/Profit-Without-Honor-Looting-Criminal/dp/0134871421)?


Amazon Wants to Get Even Closer. Skintight (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Mon, 7 Dec 2020 00:06:38 -0500

In the pursuit of surveillance as a service, Jeff Bezos is intent on recording even our moods. How much personal data is too much to give to Amazon?

https://www.nytimes.com/2020/11/27/opinion/amazon-halo-surveillance.html


Designed A Smartwatch App To Help Stop His Dad's Nightmares (npr.org)

Richard Stein <rmstein@ieee.org>
Mon, 7 Dec 2020 14:12:08 +0800

https://www.npr.org/2020/12/06/943647610/he-designed-a-smartwatch-app-to-help-stop-his-dads-nightmares retrieved on 07DEC2020.

There is an urgent public health need to treat post traumatic stress disorder (PTSD) in military service veterans, especially those exposed to combat conditions. I do hope this app is effective.

Consulting the QuickSearch option of FDA's Product Classification Database @ https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/pcdsimplesearch.cfm (type in “PTSD”) yields:

https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/classification.cfm?IDMZ.

To learn a bit more, access https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=3909.

The FDA's Total Product Lifecycle (TPLC) linkage on Product Code QMZ reveals no published MAUDE medical device report (MDR) submissions to date for injury, malfunction, death or other event types. The TPLC platform aggregates device problems and patient problem categories. Patient problems are traced to injury, malfunction, death or other MDR event labels. Revisit TPLC Product Code QMZ in a year or so to observe the net public health benefit or deployment effectiveness of the app.

Attempting to determine benefit or harm from historical medical device use can be challenging. There appears to be no federal regulation requiring the device manufacturer or supplier to periodically disclose use volumes.

Device manufacturer financial reports document revenue and percentage change in revenue; no tables disclose product inventory counts sold or returned for inspection/failure analysis. See “Medtronic FY20 Irish Financial Report” @ https://investorrelations.medtronic.com/static-files/5b588fc9-9447-427d-9d51-6ff7b73370aa table on pg. 4/pdf pg. 6, retrieved on 07DEC2020.

The FDA's systems do not publish totalized counts of device implants/explants or use/disuse. MDR narratives must be searched to discover language stating ‘device was returned for analysis’, ‘implanted’, ‘explanted’, ‘removed’, or ‘replaced’.

Further, every patient is different (pre-existing morbidities, genetics, gender, age, etc.) As a result, it is sometimes challenging to conclude if the device initiated the MDR event, or if the patient's underlying condition(s) contributed/caused the event. For this reason, focusing exclusively on MDR death events can be misleading as a predictive indicator of future therapeutic prescription outcome. Device malfunctions and injuries arising from their use are more tightly correlated.

The FDA's disclaimer is VERY CLEAR about attempting to project outcomes based solely on the TPLC and MAUDE historical device/patient problem counts. See https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/TextSearch.cfm#disclaimer retrieved on 07DEC2020.

The rate of device use by healthcare professionals/systems (hospitals) can be determined from historical procedure billing found in the United States Center for Medicare and Medicaid Services (CMS.gov). With that information, one can estimate probabilities for future patient or device problems based on historical procedure billing counts and population statistics.


Differential Privacy for Ordinary Security Mavens

Rob Slade <rmslade@shaw.ca>
Wed, 9 Dec 2020 10:09:03 -0800

A friend, and NYIT, have asked me to do a CISSP review seminar. Since I've taught the seminars for two decades, first for ISC2 and then for various other commercial training companies, this is not hard. I'm about 70% through my first draft. At the same time, I'm going to be giving the differential privacy presentation on Friday.
https://infosecbc.org/2020/11/27/december-11th-2020-meeting/
https://community.isc2.org/t5/P/D/m-p/41128
So Gloria asked me if I was going to be putting any differential privacy content into the review seminar.

I had to think about that. For one thing, knowing what I know about the CISSP exam question process, I very much doubt that anyone (other than myself) has yet created any questions about differential privacy in the CISSP exam question style. (There is plenty of trivia in regard to differential privacy that can be used to make up questions to prove how smart you are in comparison to the other guy, but that isn't the CISSP question style.) https://community.isc2.org/t5/Exams/CISSP-questions/m-p/18626

But the next problem is, where would I put it within the domains? Would it go in Law, Investigation, and Ethics, which is where we usually talk about privacy? But differential privacy isn't really about privacy. At least not your privacy. It's not something you can do, but something that enterprises, developers, and whole infrastructures of the IT universe have to put in place in order to protect privacy on a much larger scale. Do I put it in crypto? There's lots of math involved, some of it similar to a lot of work in various corners of crypto (although not exactly the same). Or should it go into Applications Security, since most of it primarily applies to databases and queries and it has to be baked in to database design at a pretty structural level in order to actually work.

Part of the problem is that differential privacy isn't actually a single “thing.” It's an amalgam of a number of ideas and technologies, none of them actually new, trying to address some interesting, and long-term, problems of privacy and disclosure. Trying to see whether these approaches actually work has raised some new issues and concepts, and differential privacy probably will provide some important and interesting approaches to some aspects of privacy and database design in the years to come. But it's kind of like Public Key Infrastructure (PKI) in crypto: you've got a lot of moving parts, and you have to make sure they are all properly in place in order to have the system work properly and not be in danger of some kind of attack on your implementation. It's also kind of the quantitative risk analysis of privacy and database design: there are a lot of details, and it's a lot of work, and most people are going to be too lazy to try to make it work properly.


Re: Looking for ways to prevent price collusion with AI systems (RISKS-32.39)

Wols Lists <antlists@youngman.org.uk>
Sat, 5 Dec 2020 09:01:31 +0000

And how is this different from what already happens today?

It is now recognised that certain market dynamics (mainly customer inertia in switching suppliers) ALREADY give rise to the appearance of collusion when there is none.

This is why utility prices rise quickly when raw costs go up, but fall slowly when they go down.

This is why brands invest heavily in brand loyalty.

And the fix needs to be the same—keep humans in the loop, looking for the opportunity to steal a march on their opponents by intervening and cutting prices to steal customers.


Re: How 30 Lines of Code Blew Up a 27-Ton Generator (Goldberg, RISKS-32.39)

Martin Ward <martin@gkc.org.uk>
Sat, 5 Dec 2020 10:23:04 +0000

> 30 lines of code = 140KB?

On my machine a two-line “Hello world” compiles to 20kB. So with static linking of more libraries, 30 lines could easily compile to 140kB.

But it might also mean 30 lines of code were changed in a larger file.


Re: Utah monolith: Internet sleuths got there, but its origins are still a mystery (RISKS-32.39)

Amos Shapir <amos083@gmail.com>
Sat, 5 Dec 2020 14:12:19 +0200

Actually, the Mystery of the Monolith had been solved.

The Article: The Mystery Of The Utah Monolith May Have Been Solved By Internet Sleuths details how the monolith was found; the last paragraph also details who had created it. <https://www.iflscience.com/editors-blog/the-mystery-of-the-utah-monolith-may-have-been-solved-by-internet-sleuths/>


Re: Is Alexa Becoming Anti-semitic (RISKS-32.39)

John Wunderlich <john@wunderlich.ca>
Sun, 6 Dec 2020 08:45:16 -0500

I should note that the piece on anti-semitism and AI contains assertions that are politically contested. I'm particularly referring to the notion that criticisms of the state of Israel are inherently anti-Semitic.

The framing of the piece conflated anti-semitism—a real and pernicious type of racism—with political criticism of Israel—a legitimate form of free speech.

In effect, this highlights just how wicked hard applying AI to news/speech/politics is.


Re: Rashida Tlaib takes on stablecoins, not cryptocurrency (R-32.39)

“John Levine” <johnl@iecc.com>
5 Dec 2020 17:23:44 -0500

> cosponsored a bill requiring stablecoins like Facebook's Libra to be
> issued by banks.

The important word is “stablecoins”; this is quite reasonable.

A stablecoin promises that you can redeem it for some amount of real money. That means that each coin is in effect a demand loan of the underlying value to whomever holds the money, and it makes sense to regulate them like other organizations that accept demand loans and give you an IOU. These organizations are generally called banks.

The best known stablecoin, Tether, claims you can redeem every tether for $1 but outside the crypto bubble it is widely considered to be a fraud. There have been over 18 billion tether issued and there is no evidence that tether has anything close to $18 billion in assets. Last year in a lawsuit their lawyer asserted that they had 74c for each tether but there's not much evidence of that either.

The usual risk is that as soon as someone says BLOCKCHAIN! a certain number of people check their common sense at the door.


Re: Keyhole wasps may threaten aviation safety (RISKS-32.39)

Richard Stein <rmstein@ieee.org>
Sun, 6 Dec 2020 09:36:34 +0800

Ben—Thank you for this informed response to my post. I am forwarding your response as a follow-up on this thread.

On 5/12/20 12:05 pm, Ben Kamen wrote:

> As a private pilot that owns a small 2 seater (and we talk about blocked
> pitot tubes a lot) - the problem isn't new as mud daubers have been doing
> this for a long time. (if this is the same species)
> In areas where they are prolific or to be safe, any time the plane is
> parked outside, pitot covers are recommended.
> The bigger problem isn't completely blocked tubes because a dead airspeed
> indicator would be obvious on rollout for takeoff.
> What most of us worry about more is partially blocked tubes that give
> faulty readings.
> Also being an EE, I could imagine some interesting tests for startup, but
> the FAA does like simplicity and fiber could be a problem because pitot
> tubes have heaters built into them to melt off any ice-buildup in icing
> conditions. Even my 2-seater that's not certified for flying into known
> icing conditions has a pitot heater. So a remote visual sensing system
> would have to deal with that.

Re: Keyhole wasps may threaten aviation safety (RISKS-32.39)

Carlos Villalpando <unbelver@gmail.com>
Sat, 5 Dec 2020 13:01:34 -0800

> Would a power-on-self-test be able to discern if the inlet is bugged
> via fiber optic signal and sensor?

Wasp nests in pitot tubes are a long-known issue in aviation. In North America, at least, the offending species is the Mud Dauber Wasp. As the linked article points out, pitot tube covers are the current method of controlling such issues.

How is it detected? A thorough pre-flight is key, but daubers can get pretty deep into the tube, beyond inspection ability. So issues with the Air Speed Indicator (ASI) are detected procedurally. Small aircraft crews, during the takeoff roll, are supposed to note that the ASI “comes alive” and is behaving consistently with the expected takeoff performance roll early enough to abort if necessary. Professional airline crews do the same, but also cross-check between the Captain's and First Officer's ASIs.

But as it is a human procedure, humans can fail at it. Birgenair Flight 301 is an example of a pitot tube blocked by a wasp nest, with the pilots noticing, but ignoring the warnings, with all occupants perishing.

https://en.wikipedia.org/wiki/Birgenair_Flight_301
