The RISKS Digest
Volume 32 Issue 50

Friday, 19th February 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Texas vs FERC's “best practices” for anticipating disasters
PGN
U.S. Water Supply Has Few Protections Against Hacking
WSJ
Python wheel-jacking in supply chain attacks
VDOO
A Windows Defender Vulnerability Lurked Undetected for 12 Years
WiReD
Mercedes-Benz cars giving out wrong location info
Car and Driver Magazine
Growing size of vehicle screens sparks safety concerns
The Center for Auto Safety
Forget Self-Driving Cars: the Pentagon Wants Autonomous Ships, Choppers, and Jets
WSJ
California DMV suffers massive third-party data breach
TechCrunch
Researcher hacks over 35 tech firms in novel supply chain attack
Ax Sharma
How faster Internet is being blocked by politics and poverty throughout the eastern U.S.
CNET
‘Spy pixels in emails have become endemic’
BBC News
Google has bowed to pressure and will make ‘significant’ payments to Rupert Murdoch's News Corp
Business Insider
The losers in the news battle
Lauren Weinstein
Fixing Chrome 88's suddenly broken custom search-engine behavior
Lauren Weinstein
Facebook blocks news in Australia over government's payment rules
Dylan Byers
Woke teachers want Shakespeare cut from curriculum: ‘This is about White supremacy’
Washington Times
Facebook to Label Climate Change Posts Like Covid, Vote Content
Yahoo!
France Ties Russia's Sandworm to a Multiyear Hacking Spree
WiReD
Citibank can't get back $900 million it wired by mistake
CNN
Incredibly poor software design costs Citigroup $500M
Matt Levine
Climate Change Could Shred Guitars Known for Shredding
Scientific American
Data breach warning after California DMV contractor hit by file-stealing ransomware
TechCrunch
Entitled People Are More Likely To Be Angry at Bad Luck
Scientific American
Who Should Stop Unethical AI?
Matthew Hutson
AI may mistake chess discussions as racist talk
Techxplore
“Holy cow. Bitcoin is using half a percent of all the world's electricity?”
geoff goodfellow
Nvidia limits crypto-mining on new graphics card
msn.com
The IRS Cashed Her Check, Then the Late Notice Started Coming
ProPublica
Authorities have taken down the dark web's largest illegal marketplace vendor
The Verge
U.S. election cybersecurity
CDT
People answer scientists' queries in real time while dreaming
Scientific American
How Oracle Sells Repression in China
The Intercept
The Untold History of America's Zero-Day Market
WiReD
“Vaccine” passport?
Rob Slade
Man offered vaccine after error lists him as 6.2cm tall
BBC
Gorilla COVID risks
CNN
Japanese contact tracing software of Covid-19 patient on Android did not work for four months
Kyodo News
Bruce Schneier's CRYPTO-GRAM, 15 Feb 2021
PGN
Re: Calling All Ham Radio Operators
Bob Wilson
Info on RISKS (comp.risks)

Texas vs FERC's “best practices” for anticipating disasters

Peter Neumann <neumann@csl.sri.com>
Fri, 19 Feb 2021 10:49:28 PST

Richard Parker,
Texas Could Have Kept the Lights On:
  The state's powerful [sic] utilities failed to prepare for the worst
Editorial, The New York Times, 18 Feb 2021 https://www.nytimes.com/2021/02/17/opinion/texas-blackout-energy-abbott.html

Paul Krugman,
Texas, Land of Wind and Lies:
 When post-truth politics meets energy policy, the outlook is bleak
Editorial, The New York Times, 19 Feb 2021

PGN's mini-editorial for RISKS:

Many of the lessons from 35 years of the ACM Risks Forum have been massively ignored in Texas, in this case resulting in massive power outages (with no potable water, and added difficulties for COVID-19 vaccines that needed deep refrigeration). The lessons from dozens of previous propagating outages have been partially addressed in other states, with considerable diminution in massively cascading multi-state fiascoes over time. However, the earlier notion of having spare electricity to share with other regions has been deprecated, which could otherwise help out in emergencies. Furthermore, Texas's desire to go it alone has seriously backfired, especially in that there were explicit warnings from the Federal Emergency Regulatory Commission that extensive cold-hardening was needed after a serious cold snap in 2011 that affected millions with no power—evidently ignored without any sensible system engineering for resilience. The Texas disaster clearly violates the Albert Einstein principle: Everything should be made as simple as possible but no simpler. This is a horrible example of “much too simple”. As usual, the blame can be widely distributed, but in this case most of it is mercilessly self-inflicted. Furthermore, the incredible fantasy of the Governor and others in blaming this disaster on alternative energy sources such as wind power borders on insanity.

In this case, even the “best practices” recommended by FERC a decade ago may not have been good enough, but could have avoided much of the effects of this disaster.

The loss of the Challenger shuttle was another example of a lesson to be learned in anticipating cold weather (e.g., RISKS-5.78 and 5.80). What made that particularly unfortunate was that Roger Boisjoly had explicitly warned not to launch in freezing weather because it was known that the O-rings might not hold. Thus, in that case the risks were known in advance, but not adequately considered. (See RISKS-12.40 for more on that.)

In our RISKS-related archives is also a major six-week complete power-outage disaster in Quebec in the winter of 1996-1997 when transmission towers froze and collapsed from the weight of ice under the prolonged hard freeze, and the outage lasted for months. Water was also a relevant issue there as in Texas, because there were no available public water sources during the entire outage. (Surely, cold weather was not a surprise there.)


Python wheel-jacking in supply chain attacks (VDOO)

geoff goodfellow <geoff@iconia.com>
Thu, 18 Feb 2021 10:26:45 -1000

Recently, a novel supply-chain attack was published by security researcher Alex Birsan, detailing how dependency confusion (or “name-squatting”) in package managers can be misused in order to execute malicious code on production and development systems.

In short, most package managers such as pip and npm do not distinguish between internal packages (hosted on internal company servers) and external ones (hosted on public servers). […] https://www.vdoo.com/blog/python-wheel-jacking-supply-chain-attacks


U.S. Water Supply Has Few Protections Against Hacking (WSJ)

geoff goodfellow <geoff@iconia.com>
Sat, 13 Feb 2021 09:25:54 -1000

Vulnerabilities highlighted after cyber intruder tampered with treatment plant in Florida

A Florida city whose water system was hacked last week said Friday that it completed a federally mandated security-risk assessment three months ago, but hadn't yet integrated the findings into its emergency plans.

The hacking incident—occurring after a security review—has thrown into stark relief a vulnerability of the more than 50,000 community water systems that supply most Americans with their drinking water: they don't have to meet any national standard for cybersecurity.

That is in contrast to electric utilities, which have had to meet increasingly stringent rules since 2008 for the physical and cybersecurity of key assets and, more recently, for parts of their supply chains. Rules for the electric industry are reinforced by monetary penalties for violations.

On Feb. 5, an engineer at a water treatment plant in Oldsmar, Fla., in Pinellas County, detected that a hacker had accessed the facility's control system and attempted to increase the amount of lye used to treat the water to a potentially dangerous level. The control engineer witnessed the tampering, as a ghostly hand moved a cursor over his screen, and he reversed it immediately, officials said. But the episode highlighted how few protections are mandated to defend the U.S. water supply.

The incident comes as officials warn about the growing sophistication and brazenness of attacks on critical infrastructure. Many attacks are never publicly revealed, but The Wall Street Journal identified targets in a Russian campaign in 2017 to pierce electric-utility defenses, by first penetrating trusted suppliers, and another effort in 2019 by unidentified hackers who targeted electric utilities in at least 18 states.

More recently, the government has said the sprawling SolarWinds hack, disclosed in December, compromised more than half a dozen federal agencies including the State, Commerce and Treasury departments, and critical infrastructure organizations—whose names, as yet, haven't been revealed.

The federal government took a small step toward addressing the problem of insufficient cyber-defenses in the water industry in 2018 with passage of the America's Water Infrastructure Act. The law requires water providers serving about 80% of the U.S. population to do security-risk reviews and integrate findings into their emergency plans.

The biggest water providers were required to complete that work last year, and all but 10 of 542 organizations complied, according to the Environmental Protection Agency. But nearly 9,000 smaller suppliers—including the water department in Oldsmar—have until the end of this year to complete their reviews and implement findings.

The smallest of suppliers—the 40,000 organizations with fewer than 3,300 customers each—are exempt.

Even though water systems must certify completion of their work to the EPA, they aren't required to share copies of their work product with the agency. As a result, the EPA doesn't actually assess the quality of their action. Because the agency doesn't possess the documents, they are effectively beyond the reach of federal public-records law. […]

Federal officials advised water utilities this week to take a hard look at remote access tools, which have been especially popular during the pandemic. Industry experts said many improvements can be made at little or no expense—such as enforcing password protection and utilizing encryption and firewalls—but that small utilities struggle with things as simple as cyber training.

The Federal Bureau of Investigation, which is investigating the intrusion, said it has probed other incidents in which desktop sharing software was used as an attack vector against critical infrastructure providers.

Cybersecurity experts said preliminary information about the Oldsmar water department—such as that employees shared a single password on TeamViewer—suggested broader security problems.

The Water Information Sharing and Analysis Center, a nonprofit clearinghouse for threat information geared to water suppliers, said the incident appeared to be “more opportunistic than sophisticated,” partly because the intruder didn't attempt to hide the fact he was messing with the chemical delivery system.

Christopher Krebs, former director of the Cybersecurity and Infrastructure Security Agency, said in congressional testimony Wednesday that it is possible the intruder was a disgruntled employee or a foreign actor. “That's why we do investigations,” he said, adding that the municipal utility's defenses were “not where anybody, any operational security professional would like for that security posture to be.”

Unfortunately, he added, “Oldsmar is probably the rule rather than the exception.”

He urged Congress to consider offering the industry more financial assistance to make cyber upgrades.

An EPA official said the agency estimates that $750 billion is needed to replace pipes, upgrade water treatment facilities and improve cyber-preparedness at water utilities—a big lift.

Kevin Morley, manager of federal relations for the American Water Works Association, an industry group, said that $10 million was authorized in 2018 to help small utilities pay for security upgrades but Congress never appropriated the money. There are other federal programs that provide grants and low-interest loans.

https://www.wsj.com/articles/u-s-water-supply-has-few-protections-against-hacking-11613154238


A Windows Defender Vulnerability Lurked Undetected for 12 Years (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 13 Feb 2021 13:58:07 -0500

Microsoft has finally patched the bug in its antivirus program after researchers spotted it last fall.

Just because a vulnerability is old doesn't mean it's not useful. Whether it's Adobe Flash hacking or the EternalBlue exploit for Windows, some methods are just too good for attackers to abandon, even if they're years past their prime. But a critical 12-year-old bug in Microsoft's ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and defenders alike until recently. Now that Microsoft has finally patched it, the key is to make sure hackers don't try to make up for lost time.

https://www.wired.com/story/windows-defender-vulnerability-twelve-years/


Mercedes-Benz cars giving out wrong location info (Car and Driver Magazine)

danny burstein <dannyb@panix.com>
Mon, 15 Feb 2021 17:56:45 +0000

Mercedes-Benz is recalling almost 1.3 million vehicles from the 2016 through 2021 model years to fix a problem with the communication module for the eCall emergency call system. Affected vehicles could indicate the wrong location to emergency services when used in case of an incident on the road. […]

The National Highway Traffic Safety Administration (NHTSA), in its recall notice, says the problem is expected to affect 100 percent of the 1,292,258 Mercedes-Benz and Mercedes-AMG vehicles subject to the recall by Mercedes-Benz USA.

https://www.caranddriver.com/news/a35498170/mercedes-benz-emergency-call-system-recall/


Growing size of vehicle screens sparks safety concerns (The Center for Auto Safety)

Gabe Goldberg <gabe@gabegold.com>
Sun, 14 Feb 2021 21:18:13 -0500

Mercedes is unveiling a 56-inch smart screen in one of its cars later this year, part of a new trend safety groups say could pose real dangers on the road.

https://www.autosafety.org/growing-size-of-vehicle-screens-sparks-safety-concerns/


Forget Self-Driving Cars: the Pentagon Wants Autonomous Ships, Choppers, and Jets (WSJ)

ACM TechNews <technews-editor@acm.org>
Wed, 17 Feb 2021 13:05:51 -0500 (EST)

Andy Pasztor, The Wall Street Journal, 13 Feb 2021 via ACM TECHNEWS, Wednesday, February 17, 2021

The Pentagon is pushing for increased use of automation in the U.S. military, outpacing efforts in commercial automation as officials aim to counter technological advances among adversaries. These autonomous technologies are expected to emerge in future civilian aircraft, air traffic control systems, and drone applications, but unlike commercial automation, there are concerns about the lack of regulation over the Pentagon's initiatives. While these advanced systems will not be deployed immediately, the recent $740 billion defense authorization bill includes provisions to expand and promote automation across the military. Military projects in the works include pairing an autonomous jet fighter with a traditional one in mock dogfights and using autonomous helicopters to deliver supplies to remote outposts, an autonomous vehicle for transporting ground troops, undersea vehicles to carry cargo and gather intelligence, and artificial intelligence to assume the role of a U-2 reconnaissance plane pilot for navigation. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-297d5x228694x070110&


California DMV suffers massive third-party data breach (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Thu, 18 Feb 2021 07:53:51 -0800

https://techcrunch.com/2021/02/18/california-motor-vehicles-afts-ransomware/


Researcher hacks over 35 tech firms in novel supply chain attack (Ax Sharma)

ACM TechNews <technews-editor@acm.org>
Wed, 17 Feb 2021 13:05:51 -0500 (EST)

Ax Sharma, BleepingComputer, 9 Feb 2021 via ACM TECHNEWS, Wednesday, February 17, 2021

Security researcher Alex Birsan launched a novel software supply chain attack that breached the internal systems of more than 35 major companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber. The attack involved uploading malware to open source repositories like PyPI, npm, and RubyGems, which then was distributed downstream automatically into the company's internal applications. The attack did not need action by the victim, unlike traditional typo-squatting or brandjacking attacks, instead taking advantage of dependency confusion, a unique design flaw of open-source ecosystems. Birsan explained that “vulnerabilities or design flaws in automated build or installation tools may cause public dependencies to be mistaken for internal dependencies with the exact same name.” Birsan has earned more than $130,000 from bug bounty programs and pre-approved penetration testing arrangements for his research. https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
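The resolver flaw behind both this item and the VDOO wheel-jacking item above is easy to model. The following is an added example, not code from VDOO, from Alex Birsan, or from any package manager: the two indexes are plain dicts, and the package names, versions, index labels and the "acme-billing" allow-list are all constructed. It shows the flawed merge-and-take-highest resolution next to a resolver that binds internal names to the internal index, plus an audit of requirement lines for internal packages listed without an exact pin and hash.

```python
"""Toy model of dependency confusion.  Added example, not code from VDOO,
Alex Birsan, or any package manager: the two indexes are dicts, and the
index labels, package names and versions are all constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # "internal" or "public" (constructed labels)


def parse_version(version):
    """Numeric tuple for comparison, e.g. "1.4.0" -> (1, 4, 0)."""
    return tuple(int(part) for part in version.split("."))


# Constructed sample indexes.  "acme-billing" exists only on the company's
# internal index; a copy with an absurdly high version has appeared on the
# public index under the same name.
INTERNAL_INDEX = {
    "acme-billing": [Candidate("acme-billing", "1.4.0", "internal")],
}
PUBLIC_INDEX = {
    "acme-billing": [Candidate("acme-billing", "99.0.0", "public")],
    "requests": [Candidate("requests", "2.25.1", "public")],
}
# Names the organisation declares as internal (constructed allow-list).
INTERNAL_NAMES = {"acme-billing"}


def pick_highest(candidates, name):
    if not candidates:
        raise LookupError(f"no distribution found for {name}")
    return max(candidates, key=lambda c: parse_version(c.version))


def resolve_naive(name):
    """The flaw: candidates from both indexes are merged and the highest
    version wins, so the public copy shadows the internal one."""
    merged = INTERNAL_INDEX.get(name, []) + PUBLIC_INDEX.get(name, [])
    return pick_highest(merged, name)


def resolve_bound(name):
    """Mitigation: an internal name is only ever served from the internal
    index and any other name only from the public index; the two are never
    merged, so a public upload cannot shadow an internal package."""
    source = INTERNAL_INDEX if name in INTERNAL_NAMES else PUBLIC_INDEX
    return pick_highest(source.get(name, []), name)


REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def audit_requirements(lines):
    """Second line of defence: report internal packages listed without an
    exact version pin and a hash, since a pinned hash cannot be satisfied
    by a look-alike upload.  Returns the offending package names."""
    unsafe = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        match = REQ_NAME.match(line)
        if not match:
            continue
        name = match.group(1).lower()
        pinned = "==" in line and "--hash=" in line
        if name in INTERNAL_NAMES and not pinned:
            unsafe.append(name)
    return unsafe


if __name__ == "__main__":
    print("naive :", resolve_naive("acme-billing"))
    print("bound :", resolve_bound("acme-billing"))
    print("audit :", audit_requirements(["acme-billing>=1.0", "requests==2.25.1"]))
```

For real pip installs the equivalent of `resolve_bound` is pointing `--index-url` at a single private proxy that owns the internal names (rather than adding a public index alongside it), and the equivalent of `audit_requirements` is installing with `--require-hashes`.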


How faster Internet is being blocked by politics and poverty throughout the eastern U.S. (CNET)

geoff goodfellow <geoff@iconia.com>
Thu, 18 Feb 2021 12:10:41 -1000

Biden's broadband plan faces a serious test case in Appalachia's digital divide, where a potent mix of extreme poverty, lack of infrastructure and poor data present tremendous hurdles to the president's dream of closing the broadband gap.

For one public school teacher in Laurel County, Kentucky, proper education means making a painful and difficult decision. While her home is connected to AT&T's U-Verse Internet service, it's only fast enough to support one person at a time. So in the midst of a pandemic-driven mandate for remote learning, she often has to choose between teaching her students and ensuring her own school-age kids are able to log on.

“We have really done a horrible job making sure they have the means,” said the teacher, who requested we withhold her name out of fear of losing her job.

One pandemic-driven solution in Kentucky has been to put mobile hotspots in public school parking lots so kids without internet at home can keep up with schoolwork, but that isn't without its own flaws. <https://www.cnet.com/news/drastically-speed-up-your-android-phones-hotspot-with-this-simple-setting/> “If they don't have gas money to come and get their child at the school when they're sick, they're sure not going to have gas money to drive to the school every day to download their assignments,” she said. […] https://www.cnet.com/features/biden-broadband-plan-digital-divide-appalachia-rural-test-case/


'Spy pixels in emails have become endemic' (BBC News)

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Feb 2021 12:36:06 -0500

The use of “invisible” tracking tech in emails is now “endemic”, according to a messaging service that analysed its traffic at the BBC's request.

Hey's review indicated that two-thirds of emails sent to its users' personal accounts contained a “spy pixel”, even after excluding for spam.

Its makers said that many of the largest brands used email pixels, with the exception of the “big tech” firms.

Defenders of the trackers say they are a commonplace marketing tactic.

And several of the companies involved noted their use of such tech was mentioned within their wider privacy policies.

https://www.bbc.com/news/technology-56071437

Hardly news, just a reminder…
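The signals a mail client or filter can use to spot such pixels are simple: an image that is invisible by size or by style, fetched from a remote host with a per-recipient token in the query string. The following is an added example, not Hey's or the BBC's code; the sample message, its domains and tokens are constructed. It walks the HTML with the standard-library parser and reports the candidate beacons with the reason each was flagged.

```python
"""Heuristic detector for tracking pixels in HTML e-mail.  Added example, not
Hey's or the BBC's code; the sample message below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _dimension(value):
    """Parse a width/height attribute such as "1", "1px" or "0"; None if absent."""
    if value is None:
        return None
    text = str(value).strip().lower()
    if text.endswith("px"):
        text = text[:-2]
    try:
        return int(text)
    except ValueError:
        return None


class PixelFinder(HTMLParser):
    """Collects <img> tags that look like open-tracking beacons."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): v for k, v in attrs}
        src = a.get("src") or ""
        width, height = _dimension(a.get("width")), _dimension(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        # Strong signals: the image is invisible by size or by style.
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 or smaller")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if not reasons:
            return
        # Supporting signal: a remote URL carrying a query string, which is
        # where a per-recipient identifier usually lives.
        url = urlparse(src)
        if url.scheme in ("http", "https") and url.query:
            reasons.append("remote URL with query string")
        self.hits.append({"src": src, "host": url.netloc, "reasons": reasons})


def find_tracking_pixels(html):
    """Return the list of suspected beacons found in an HTML message body."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample: a newsletter with a real logo, a 1x1 beacon and a
# beacon hidden by CSS.  The domains and tokens are placeholders.
SAMPLE_EMAIL = """<html><body>
<img src="https://cdn.example-newsletter.test/logo.png" width="200" height="50">
<p>Hello reader,</p>
<img src="https://track.example-newsletter.test/o.gif?u=4f2c9a&amp;m=1812" width="1" height="1">
<img src="https://track.example-newsletter.test/p.png?id=77" style="display:none">
</body></html>"""


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print(hit["host"], hit["reasons"])
```

The heuristic deliberately needs a strong signal (tiny or hidden) before it reports anything, so a visible logo served with a cache-busting query string is not flagged. The blunt mitigation remains the one mail clients already offer: do not fetch remote images until the reader asks for them.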


Google has bowed to pressure and will make ‘significant’ payments to Rupert Murdoch's News Corp (Business Insider)

Lauren Weinstein <lauren@vortex.com>
Wed, 17 Feb 2021 13:55:02 -0800

It's difficult to disagree with Jeff Jarvis' view as described in this article. This is a slippery slope that goes a significant way toward breaking the fundamental principles of the Web, toward a “pay to link” model that would destroy competition and could leave the big boys the only ones standing. And this could make disinformation/misinformation problems worse as well. -L

https://www.businessinsider.com/google-news-payments-deal-rupert-murdoch-wall-street-journal-australia-2021-2


The losers in the news battle

Lauren Weinstein <lauren@vortex.com>
Wed, 17 Feb 2021 21:18:24 -0800

The ultimate losers in the battle between news organizations, Facebook, and Google aren't any of those. It's ordinary users, who will be impotent observers as the Internet they've come to know collapses around them in a sea of pay-to-link sites that will bleed the Web dry.


Fixing Chrome 88's suddenly broken custom search-engine behavior

Lauren Weinstein <lauren@vortex.com>
Sat, 13 Feb 2021 21:29:15 -0800


[C'mon Google!] In the last 24 hours or so, the standard Chrome “custom search engines” shortcut behavior (e.g. yt<space> to search on YouTube), that I've depended on for many years, stopped working in Chrome 88.

To fix it: Go to: chrome://flags/#omnibox-keyword-search-button DISABLE. Then RELAUNCH.

Please don't suddenly change stuff like this, Google, without any warning or explanation! And please don't deprecate this fix!


Facebook blocks news in Australia over government's payment rules (Dylan Byers)

Lauren Weinstein <lauren@vortex.com>
Wed, 17 Feb 2021 12:34:11 -0800

https://www.nbcnews.com/tech/tech-news/facebook-blocks-news-australia-governments-payment-rules-rcna292

Facebook said Wednesday that Australian users and publishers will not be able to post news content to its social network after the country's government threatened to force it to pay publishers.

The announcement is the most significant and severe split between Facebook and a foreign government over growing calls for big tech companies to pay publishers to feature their content. […]


Woke teachers want Shakespeare cut from curriculum: ‘This is about White supremacy’ (Washington Times)

geoff goodfellow <geoff@iconia.com>
Thu, 18 Feb 2021 12:13:55 -1000

The crown teachers once put on William Shakespeare now lies uneasy upon his head as the English playwright comes under assault from teachers who fault his unwoke attitudes regarding race, sexuality, gender and class.

For the new breed of teachers, Shakespeare is seen less as an icon of literature and more as a tool of imperial oppression, an author who should be dissected in class or banished from the curriculum entirely.

“This is about white supremacy and colonization,” declared the teachers who founded #DisruptTexts, a group that wants staples of Western literature removed or subjected to withering criticism.

The anti-Shakespeare teachers say fans of the plays ignore the author's problematic worldview. They say readers of Shakespeare should be required to address the “whiteness” of their thinking.

If Shakespeare must be taught, these educators say, then it should be presented with watered-down versions of the original or supplemental texts focused on equality issues. […] https://www.washingtontimes.com/news/2021/feb/15/woke-teachers-want-shakespeare-cut-curriculum-abou/


Facebook to Label Climate Change Posts Like Covid, Vote Content (Yahoo!)

Peter Neumann <neumann@csl.sri.com>
Thu, 18 Feb 2021 14:24:16 PST

Facebook Inc. will begin labeling some user posts that mention climate change in the same way it has annotated posts discussing elections and Covid-19, a sign the social network is taking climate-related misinformation more seriously.

The labels will direct users to Facebook's Climate Science Information Center—an existing hub that includes related news articles, climate change data and recommendations for Pages to follow. The new labels will be added to some posts about climate change, regardless of their accuracy, a strategy Facebook has used with other widely discussed topics as a way to fight falsehoods.

Chief Executive Officer Mark Zuckerberg has argued that the best way to keep misinformation from spreading on its networks is not just to remove misleading posts, but to offer people accurate information from authoritative sources. The labels are rolling out first to users in the U.K., though the plan is to bring them to more countries soon, according to a Facebook blog post.

Facebook has been used to spread climate misinformation in much the same way the service is used for sharing all kinds of misleading posts. False statements about climate change reviewed by Facebook's fact-checkers are flagged, but unlike Covid-19 misinformation, climate posts are not typically removed. That's because Facebook doesn't consider most climate misinformation to pose an imminent threat of harm, which is the bar for removing false information from the service. […] https://finance.yahoo.com/news/facebook-label-climate-change-posts-110000858.html


France Ties Russia's Sandworm to a Multiyear Hacking Spree (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Feb 2021 19:14:58 -0500

A French security agency warns that the destructively minded group has exploited an IT monitoring tool from Centreon.

https://www.wired.com/story/sandworm-centreon-russia-hack/


Citibank can't get back $900 million it wired by mistake

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Feb 2021 11:37:13 -0500

New York (CNN Business) After committing one of the “biggest blunders in banking history,” Citibank won't be allowed to recover the almost half a billion dollars it accidentally wired to Revlon's lenders, a US District Court judge ruled.

Citibank, which was acting as Revlon's loan agent, meant to send about $8 million in interest payments to the cosmetic company's lenders. Instead, Citibank accidentally wired almost 100 times that amount, including $175 million to a hedge fund. In all, Citi (C) accidentally sent $900 million to Revlon's lenders.

https://www.cnn.com/2021/02/16/business/citibank-revlon-lawsuit-ruling/index.html


Incredibly poor software design costs Citigroup $500M (Matt Levine)

George Mannes <gmannes@gmail.com>
Wed, 17 Feb 2021 13:34:31 -0500
From the incomparable Bloomberg columnist Matt Levine
(Relevant excerpts from paywalled item):

… The “easiest (or perhaps only)” way to pay off some lenders but not others was to instruct the software to pay off all the lenders! But tell it only to pretend to pay them! Just send that money to a wash account! This is all fine! Let's read another horrifying paragraph!

Because the vast majority of wire transactions processed by Citibank using Flexcube involve the payment of funds to third parties, any payment entered into the system is released as a wire payment unless the maker suppresses the default option. Citibank's internal Fund Sighting Manual provides instructions for suppressing Flexcube's default. When entering a payment, the employee is presented with a menu with several boxes that can be checked along with an associated field in which an account number can be input. The Fund Sighting Manual explains that, in order to suppress payment of a principal amount, “ALL of the below field[s] must be set to the wash account: FRONT[;] FUND[; and] PRINCIPAL”—meaning that the employee had to check all three of those boxes and input the wash account number into the relevant fields.

This is just demented stuff. If you want to send out interest payments in cash, but send the principal payment to the wash account, you have to check the box next to PRINCIPAL and also the boxes next to FRONT and FUND. PRINCIPAL sounds like principal: You are sending the principal to the wash account, sure, right, yes, check that box. FRONT and FUND sound like nothing. So the Citi operations people messed it up:

Notwithstanding these instructions, Ravi, Raj, and Fratta all believed—incorrectly—that the principal could be properly suppressed solely by setting the PRINCIPAL field to the wash account. Accordingly, as Ravi built out the transaction between 5:15 and 5:45 p.m. in his role as maker, he checked off only the PRINCIPAL field, neglecting the FRONT and FUND fields. Figure 1, below, “is an accurate image of the Flexcube screen after [Ravi] input the data.”

At 5:45 p.m., Ravi emailed Raj for approval of the transaction, explaining that “Princip[al] to Wash A[ccount] & Interest to DDA A[ccount].” The “DDA Account” referenced the Demand Deposit Account, which is an operational, external-facing account used by Citibank to collect payments from customers and make transfers to lenders. After reviewing the transaction, Raj believed—incorrectly—that the principal would be sent to the wash account and only the interest payments would be sent out to the Lenders. Raj then emailed Fratta, seeking final approval under the six-eye review process, explaining “NOTE: Principal set to Wash and Interest Notice released to Investors.” Fratta, also believing incorrectly that the default instructions were being properly overridden and the principal payment would be directed to the wash account, not to the Lenders, responded to Raj via email, noting, “Looks good, please proceed. Principal is going to wash.”

The software gave him a warning, but not a very good one:

Raj then proceeded with the final steps to approve the transfers, which prompted a warning on his computer screen—referred to as a “stop sign”—stating: “Account used is Wire Account and Funds will be sent out of the bank. Do you want to continue?” But “[t]he ‘stop sign’ did not indicate ‘the amount that would be sent out of the bank,’ or whether it constituted an amount equal to the intended interest payment, an amount equal to the outstanding principal on the loan, or a total of both.” Because Raj intended to release “the interim interest payment to [the] [L]enders,” he therefore clicked “YES.”

Here's Figure 1; it does not particularly explain itself:

See, the “don't actually send the money” box next to “PRINCIPAL” is checked, but that doesn't do anything, you have to check two other boxes to make it not actually send the money.

When they discovered the error the next day, their first reaction was not to email the lenders asking for the money back (that was their second reaction); their first reaction was to email tech support to say the software was broken:

At 10:26 a.m., Fratta emailed Citibank's technology support group: “Yesterday we processed a payment with Principal to the wash and Interest to be sent to lenders. All details in the front end screens yesterday le[d] us to believe that the payment would be handled in that manner. . . . Screenshots provided below indicating that the wash account . . . is present and boxes checked appropriately for the principal components.” Fratta then forwarded the same email to members of his team, with the subject line “Urgent Wash Account Does not Work.” He stated: “Flexcube is not working properly, and it will send your payments out the door to lenders/borrowers. The wash account selection is not working. This lead [sic] to ~1BN going out the door in error yesterday for an ABTF Deal, Revlon.” …

Over the course of the day, Fratta learned that the principal payments — which were made with Citibank's own money, as Revlon had provided funds only for the interim interest payments to be made in connection with the roll up transaction—were not caused by a technical error, but by human error: the failure to select the FRONT and FUND fields when inputting the default override instructions in Flexcube.

Nope, nope, he was right the first time, this whole setup is a “technical error.” Citi's software will only let you pay principal to some lenders if you pretend to pay it to every lender, and it will only let you pretend to pay principal to every lender if you check the “just pretend” box next to “PRINCIPAL” (fine!) and “FUND” (what?) and “FRONT” (what even?). What a terrifying thing…
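The two design defects in the excerpt, an override that silently reverts to "wire everything" when only some of its fields are set, and a confirmation prompt that omits the amount, can be shown side by side in a few lines. The following is an added example, not Citibank's, the vendor's, or Matt Levine's code: the field names FRONT, FUND and PRINCIPAL come from the opinion, while the wash-account id and the round amounts are constructed.

```python
"""Model of the Flexcube override described in the opinion, beside a hardened
check.  Added example, not Citibank's, the vendor's or Matt Levine's code;
the field names come from the excerpt, the account id and amounts are
constructed."""

WASH_ACCOUNT = "WASH-0001"  # constructed account id
OVERRIDE_FIELDS = ("FRONT", "FUND", "PRINCIPAL")


def released_as_built(principal, interest, fields):
    """Behaviour the opinion describes: the default is to wire everything,
    and the principal stays in the bank only if ALL three fields point at the
    wash account.  `fields` maps field name to the account entered (a missing
    field means the default).  Returns the amount that leaves the bank."""
    suppressed = all(fields.get(f) == WASH_ACCOUNT for f in OVERRIDE_FIELDS)
    return interest if suppressed else principal + interest


def incomplete_override(fields):
    """Hardened check: an override that sets some but not all of the fields
    is reported rather than silently falling back to the default.  Returns
    the fields still at their default; an empty list means the entry is
    consistent (either no override at all, or a complete one)."""
    set_to_wash = {f for f in OVERRIDE_FIELDS if fields.get(f) == WASH_ACCOUNT}
    if set_to_wash and set_to_wash != set(OVERRIDE_FIELDS):
        return sorted(set(OVERRIDE_FIELDS) - set_to_wash)
    return []


def stop_sign(principal, interest, fields):
    """Hardened confirmation: refuses an inconsistent entry and otherwise
    states the amount and its breakdown, which the original prompt did not."""
    missing = incomplete_override(fields)
    if missing:
        raise ValueError(
            "override incomplete: " + ", ".join(missing) + " still default to wire"
        )
    leaving = released_as_built(principal, interest, fields)
    parts = [f"interest {interest:,}"]
    if leaving > interest:
        parts.append(f"principal {principal:,}")
    return f"{leaving:,} will leave the bank ({' + '.join(parts)}). Continue?"


if __name__ == "__main__":
    # Constructed round figures in the spirit of the case: a modest interest
    # payment next to a very large principal.
    PRINCIPAL, INTEREST = 900_000_000, 8_000_000
    only_principal = {"PRINCIPAL": WASH_ACCOUNT}
    print("as built, PRINCIPAL only:",
          f"{released_as_built(PRINCIPAL, INTEREST, only_principal):,}")
    try:
        stop_sign(PRINCIPAL, INTEREST, only_principal)
    except ValueError as err:
        print("hardened:", err)
    all_three = {f: WASH_ACCOUNT for f in OVERRIDE_FIELDS}
    print("hardened:", stop_sign(PRINCIPAL, INTEREST, all_three))
```

The point of `incomplete_override` is that a maker who has touched any of the three fields has expressed an intent to suppress, so a partially filled override is an inconsistency to reject, not an input to reinterpret as the default. The amount in the prompt would have turned the "YES" in the excerpt into a question worth reading.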


Climate Change Could Shred Guitars Known for Shredding (Scientific American)

Richard Stein <rmstein@ieee.org>
Sun, 14 Feb 2021 09:44:58 +0800

https://www.scientificamerican.com/podcast/episode/climate-change-could-shred-guitars-known-for-shredding/

“It is the wood that the rock greats have sworn by—swamp ash, in the form of their Fender Telecaster and Stratocaster guitars—for over 70 years. If you've ever listened to rock, you've probably heard a swamp ash, solid body guitar. But now, climate change is threatening the wood that helped build rock and roll.”

Rock n' roll will never die, but the next generation of inspirational guitarists, and their rich riffs, may not mature without solid-body swamp ash stringed instruments. Amplifiers that go to 11 can't fix Fender Stratocaster extinction.


Data breach warning after California DMV contractor hit by file-stealing ransomware (TechCrunch)

Gabe Goldberg <gabe@gabegold.com>
Fri, 19 Feb 2021 15:29:42 -0500

California's Department of Motor Vehicles is warning of a potential data breach after a contractor was hit by ransomware.

The Seattle-based Automatic Funds Transfer Services (AFTS), which the DMV said it has used for verifying changes of address with the national database since 2019, was hit by an unspecified strain of ransomware earlier this month.

In a statement sent by email, the DMV said that the attack may have compromised “the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers.” But the DMV said AFTS does not have access to customers' Social Security numbers, dates of birth, voter registration, immigration status or driver's license information, and was not compromised.

https://techcrunch.com/2021/02/18/california-motor-vehicles-afts-ransomware/?guccounter=1


Entitled People Are More Likely To Be Angry at Bad Luck (Scientific American)

Richard Stein <rmstein@ieee.org>
Thu, 18 Feb 2021 11:00:49 +0800

https://www.scientificamerican.com/article/entitled-people-are-more-likely-to-be-angry-at-bad-luck/

“Defeat is never fun, but losing a game of poker is less painful when it's due to the luck of the draw rather than an opponent who's cheating. Unfairness fires people up, whereas bad luck just disappoints.”

“But interestingly, this isn't true for everyone. In a series of studies, we found that people who have higher levels of psychological entitlement—who believe they deserve good things—actually felt victimized and angered when they experienced, remembered or imagined bad luck befalling them.”

Where would the technology industry be if luck preordained investment outcomes? Is the game of life imperceptibly fixed for some and not others? Fortitude sustains human perseverance, though the myth of Sisyphus reminds us that effort does not always render beneficial outcome.

That luck serves a significant role in personal or collective achievement, or underachievement, or at least the perception of it, is both devastating and demoralizing. Resorting to luck as the sole determinant of success reinforces the desperate idiom that “Man plans and God laughs.”


Who Should Stop Unethical AI? (Matthew Hutson)

Jan Wolitzky <jan.wolitzky@gmail.com>
Mon, 15 Feb 2021 06:44:57 -0500

At artificial-intelligence conferences, researchers are increasingly alarmed by what they see.

Matthew Hutson, The New Yorker, 15 Feb, 2021

https://www.newyorker.com/tech/annals-of-technology/who-should-stop-unethical-ai


AI may mistake chess discussions as racist talk (Techxplore.com)

Richard Stein <rmstein@ieee.org>
Fri, 19 Feb 2021 10:13:39 +0800

https://techxplore.com/news/2021-02-ai-chess-discussions-racist.html

‘“We don't know what tools YouTube uses, but if they rely on artificial intelligence to detect racist language, this kind of accident can happen,” KhudaBukhsh said. And if it happened publicly to someone as high-profile as Radic, it may well be happening quietly to lots of other people who are not so well known.’

Would discussion of “rainbow-sprinkled cookies” or an “all red, queen-high flush” crash YouTube's AI platform?

Risk: AI misclassification.


“Holy cow. Bitcoin is using half a percent of all the world's electricity?”

geoff goodfellow <geoff@iconia.com>
Wed, 17 Feb 2021 13:11:45 -1000

https://twitter.com/Ryan-Knutson/status/1362167579461226497


Nvidia limits crypto-mining on new graphics card (msn.com)

Richard Stein <rmstein@ieee.org>
Fri, 19 Feb 2021 10:25:54 +0800

https://www.msn.com/en-xl/news/other/nvidia-limits-crypto-mining-on-new-graphics-card/ar-BB1dNJev

“Nvidia said the software for its forthcoming GeForce RTX 3060 card will limit how efficiently it can process Ethereum transactions by about 50%.”

“This will make it less economical for miners to use the card for mining Ethereum.”

A software throttle is an exploit target.


The IRS Cashed Her Check, Then the Late Notice Started Coming (ProPublica)

Gabe Goldberg <gabe@gabegold.com>
Fri, 19 Feb 2021 14:23:48 -0500

https://www.propublica.org/article/the-irs-cashed-her-check-then-the-late-notices-started-coming


Authorities have taken down the dark web's largest illegal marketplace vendor

Monty Solomon <monty@roscom.com>
Thu, 18 Feb 2021 22:49:59 -0500

Authorities have taken down the dark web's largest illegal marketplace https://www.theverge.com/2021/1/12/22227929/darkmarket-shutdown-europol-worlds-largest-illegal-marketplace


U.S. election cybersecurity (CDT)

<Peter G Neumann>
Tue, 16 Feb 2021 17:10:11 -0800

The Center for Democracy and Technology has issued a relevant report:

https://cdt.org/wp-content/uploads/2021/02/2021-02-02-CDT-Agenda-for-US-Election-Cybersecurity-KAS-FINAL.pdf


People answer scientists' queries in real time while dreaming (Scientific American)

Richard Stein <rmstein@ieee.org>
Fri, 19 Feb 2021 17:25:29 +0800

https://www.scientificamerican.com/article/people-answer-scientists-queries-in-real-time-while-dreaming/

“Researchers demonstrate that during REM sleep, people can hear—and respond to—simple questions (What is eight minus six?)”

Not difficult to imagine an exploitation of this capability. For instance, a CxO for a publicly listed company asked a yes-or-no question: ‘Will your shop achieve projected profitability this quarter?’

Risk: Sleep-talking.


How Oracle Sells Repression in China (

Gabe Goldberg <gabe@gabegold.com>
Fri, 19 Feb 2021 15:24:57 -0500

In its bid for TikTok, Oracle was supposed to prevent data from being passed to Chinese police. Instead, it’s been marketing its own software for their surveillance work.

https://theintercept.com/2021/02/18/oracle-china-police-surveillance/


The Untold History of America's Zero-Day Market (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 15 Feb 2021 20:04:47 -0500

https://www.wired.com/story/untold-history-americas-zero-day-market/

A bit too breathless and incoherent…


“Vaccine” passport?

Rob Slade <rmslade@shaw.ca>
Tue, 16 Feb 2021 11:59:18 -0800

I'm not holding my breath, waiting for one.

I have, previously, mentioned John McAfee's “enterprise” regarding a similar certificate or passport for swingers in the time of AIDS. The thing just isn't workable, at best, and, at worst, it can be a positive danger.

You're going to have to carry some kind of document or card. Let's say it's a card. Now, does it just give contact info for a centralized database? (One version I saw just used a QR code on your phone, so that definitely seems to just be a “pointer” situation.) How centralized? This is going to be used for international travel, one would think, if it is going to be used at all. So which countries are going to sign on? And which are going to accept a database in some other jurisdiction? And which are going to accept having their citizens' data stored by someone else?

OK, so what if we make it a smart card and store it on the phone. Same problems with jurisdiction. Which countries are going to agree (within the next few months, please) to a standard for data storage on such a card? And start producing them, all to the same specs.

Then we have the data. There are the details of the vaccine. Which version of the vaccine? Which lot number? What is the date of administration? (Oh, and, by the way, all vaccine administration points are going to have to be prepared to input and verify all this information at the time you get your shot.) (Every single nurse-practitioner's office and pharmacy.) (And the details of who entered the info is going to have to be there as well, for verification.) Is it a multi-shot regimen? Did you get your booster?

That's a lot of data. And, if someone gets access to it, a lot more can be inferred from it. Like where you were on a given date and time …

Oh, and, by the way, there are some additional data points we should add. Like, have you been tested? What type of test? What date? […]

I see lots of problems …


Man offered vaccine after error lists him as 6.2cm tall

Amos Shapir <amos083@gmail.com>
Fri, 19 Feb 2021 14:08:17 +0200

Yet another case of GIGO: https://www.bbc.com/news/uk-england-merseyside-56111209

A young man was offered a vaccine despite not being in any risk group. It turns out his height was registered as 6.2cm instead of 6'2", which resulted in a BMI number of about 28,000—which the system flagged as “clinically, morbidly-obese”.
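The arithmetic behind this item, as an added example that is not from the BBC story or the post: it reproduces how 6'2" keyed as "6.2" into a centimetre field yields a five-digit BMI, and shows the plausibility check that should have stopped the clinical rule from firing. The 107 kg weight is a constructed value chosen so the bogus BMI lands near the ~28,000 quoted above; it is not the patient's weight.

```python
# Added example, not code from the BBC story or the RISKS post. It reproduces the
# failure mode (6 ft 2 in keyed as "6.2" into a centimetre field) and shows the
# plausibility check that should have blocked the BMI calculation. The 107 kg
# weight is constructed so the bogus BMI lands near the ~28,000 figure quoted.

FEET_TO_M = 0.3048
INCH_TO_M = 0.0254

# Plausible adult height bounds in metres; anything outside is a data error,
# almost always a unit mix-up, and must never reach a clinical rule.
MIN_HEIGHT_M = 0.5
MAX_HEIGHT_M = 2.5
MORBID_OBESITY_BMI = 40.0  # the "morbidly obese" priority threshold

def naive_bmi(weight_kg, height_m):
    """BMI exactly as a system with no input validation computes it."""
    return weight_kg / (height_m ** 2)

def feet_inches_to_m(feet, inches):
    """Convert an imperial height to metres."""
    return feet * FEET_TO_M + inches * INCH_TO_M

def looks_like_feet_inches(raw_cm_field):
    """Heuristic: '6.2' in a cm field reads as 6 ft 2 in, not 6.2 cm.
    True when the value is F.I with F in 3..8, I in 0..11, and the literal
    centimetre reading is below the plausible minimum height."""
    whole, _, frac = raw_cm_field.strip().partition(".")
    if not (whole.isdigit() and frac.isdigit()):
        return False
    feet, inches = int(whole), int(frac)
    too_short = float(raw_cm_field) < MIN_HEIGHT_M * 100
    return 3 <= feet <= 8 and 0 <= inches <= 11 and too_short

def validated_bmi(weight_kg, height_m):
    """Return (bmi, None), or (None, reason) when the height is implausible."""
    if not MIN_HEIGHT_M <= height_m <= MAX_HEIGHT_M:
        return None, f"height {height_m:.3f} m outside plausible range; check units"
    return naive_bmi(weight_kg, height_m), None

def flagged_morbidly_obese(weight_kg, height_m):
    """Clinical rule that runs only on validated data."""
    value, _ = validated_bmi(weight_kg, height_m)
    return value is not None and value >= MORBID_OBESITY_BMI

if __name__ == "__main__":
    weight, wrong_m, right_m = 107.0, float("6.2") / 100, feet_inches_to_m(6, 2)
    print("naive BMI from 6.2 cm:", round(naive_bmi(weight, wrong_m)))
    print("unit mix-up suspected:", looks_like_feet_inches("6.2"))
    print("validated:", validated_bmi(weight, wrong_m))
    print("correct BMI from 6 ft 2 in:", round(naive_bmi(weight, right_m), 1))
```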


Gorilla COVID risks (CNN)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 16 Feb 2021 13:22:53 -0700

https://www.cnn.com/2021/02/16/africa/gorilla-covid-selfie-safety-scli-intl-scn/

Jack Guy, CNN, 16 Feb 2021

Tourists who take selfies with wild mountain gorillas could put the primates at risk of developing Covid-19, according to new research.

Scientists from Oxford Brookes University, England, looked at hundreds of Instagram posts from people visiting the animals in East Africa and found most tourists were close enough to gorillas to spread viruses and diseases, according to a press release from the university on Tuesday.

“The risk of disease transmission between visitors and gorillas is very concerning,” said study lead author Gaspard Van Hamme, an Oxford Brookes University alumnus who started work on the study during his masters program.

“It is vital that we strengthen and enforce tour regulations to ensure gorilla trekking practices do not further threaten these already imperiled great apes.”


Japanese contact tracing software of Covid-19 patient on Android did not work for four months (Kyodo News)

Chiaki Ishikawa <ishikawa@yk.rim.or.jp>
Mon, 15 Feb 2021 16:51:48 +0900

The following item explains it all.

https://english.kyodonews.net/news/2021/02/6437947c3d50-suga-apologizes-for-glitch-in-japans-covid-19-contact-tracing-app.html

A contact tracing app dubbed “COCOA” in Japan has failed miserably on Android phones since the September update, but obviously no one at the health ministry or the development company that contracted the work verified its operation on a real phone, despite there being SNS posts from Covid-19 patients who mentioned that their family members' phones did not report the exposure warning at all.

I think the issue is due to a few factors:

Only some really serious developers noticed the subtle difference between the API published for iOS and Android. A blog in Japanese about the bug refers to the GitHub issue comments that first reported the issue from a programmer's point of view: https://zenn.dev/zipperpull/articles/20210210-cocoa-bug (in Japanese).

This made the selection of developers a bit difficult, since there had been a few independent groups who already had more or less working samples. (I don't know if they were bug-free or not.) Eventually, one of the developed programs was chosen as the basis of COCOA, and a maintenance company was chosen whose main function, it thought, was the operation/maintenance of the anonymous patient database (anonymized by Apple/Google algorithms, I think).

But actually, due to API changes over the long run, the app needed to be maintained as well on both iOS and Android. Somehow the Android update got buggy, but no real-world phone tests took place, if I understand correctly. This is probably due to the unpreparedness of the development company, but I am not sure.

If this were an ordinary software bug, I would say “OK, a bug is always there, let's fix it and move on.”

However, when the app was relied on by the health authority of the region where I live (Kanagawa prefecture), it is not such an easy-to-ignore bug. The authority stated in early January, citing a lack of man-power, that it would rely on this failing app to keep track of people who come into contact with known Covid-19 patients instead of human-based tracing. This means that those who relied on the Android version of the app got short shrift and worse. I am not even sure if the iOS version is working correctly, since there has been a report from an iOS user who got Covid-19 and yet her family members' iPhones did not report the exposure. Hmm…

I use Android and have removed the app for now.


Bruce Schneier's CRYPTO-GRAM, 15 Feb 2021

Peter Neumann <neumann@csl.sri.com>
Mon, 15 Feb 2021 10:52:16 PST

For back issues, or to subscribe, visit Crypto-Gram's web page [https://www.schneier.com/crypto-gram/].

Read this issue on the web [https://www.schneier.com/crypto-gram/archives/2021/0215.html]


Re: Calling All Ham Radio Operators

Bob Wilson <wilson@math.wisc.edu>
Mon, 15 Feb 2021 15:19:40 -0600

As a ham myself, I want to point out this has nothing to do with ham radio operators. (Many of us do happily use Morse, but we are not the only such people in the world!) Ham radio is a flourishing activity (the US has more licensed hams now than ever in the past, something like three quarters of a million) that in addition to being a hobby enjoyed by many is a valuable contribution to national security and safety, and should not be (be)smirched with any connection to that hacking attack! Bob Wilson
