I ran across this and wonder what really happened, and whether it can happen again.
The District's phone and online system crashed on Thursday morning just as thousands of residents became newly eligible to sign up for 4,350 appointments for the COVID-19 vaccine.
Mayor Muriel Bowser said this week that appointments would open at 9 a.m. to residents living in priority ZIP codes who are 65 or older, are 18 and older and have a qualifying medical condition ranging from asthma to cancer, or work in a number of essential jobs from child care to grocery stores.
But the demand almost immediately overwhelmed the city's online and phone system, with many callers reporting that they couldn't even get through on the phone. Others reported that even when they did get through online, the system wasn't updated to reflect the new eligibility criteria for pre-existing conditions and essential workers.
Testing scalability—why bother? That's what customers are for.
(Office of Inspector General, Transportation)
“While FAA and Boeing followed the established certification process for the 737 MAX 8, we identified limitations in FAA's guidance and processes that impacted certification and led to a significant misunderstanding of the Maneuvering Characteristics Augmentation System (MCAS), the flight control software identified as contributing to the two accidents. First, FAA's certification guidance does not adequately address integrating new technologies into existing aircraft models. Second, FAA did not have a complete understanding of Boeing's safety assessments performed on MCAS until after the first accident. Communication gaps further hindered the effectiveness of the certification process. In addition, management and oversight weaknesses limit FAA's ability to assess and mitigate risks with the Boeing ODA. For example, FAA has not yet implemented a risk-based approach to ODA oversight, and engineers in FAA's Boeing oversight office continue to face challenges in balancing certification and oversight responsibilities. Moreover, the Boeing ODA process and structure do not ensure ODA personnel are adequately independent. While the Agency has taken steps to develop a risk-based oversight model and address concerns of undue pressure at the Boeing ODA, it is not clear that FAA's current oversight structure and processes can effectively identify future high-risk safety concerns at the ODA.”
ODA (Organization Designation Authorization) is the FAA designation for delegating certification authority for 737-MAX certifications to Boeing. See page 29 of this report for the percentage of delegated certifications of flight systems on the 737-MAX: Boeing performed ~30% of certifications (self-certifications) in JAN2014, rising to ~100% by JAN2017.
The OIG's report raises troubling questions about self-certification of 737-MAX flight systems by Boeing. Government delegation of certification authority to industry indicates that policy review is essential and that revisions to delegation practices are urgently required.
Risk: Self-certification authority without independent enforcement oversight
Khari Johnson, VentureBeat, 22 Feb 2021 via TechNews, Wednesday, February 24, 2021
EU Report Warns AI Makes Autonomous Vehicles ‘Highly Vulnerable’ to Attack
A report by the European Union Agency for Cybersecurity (ENISA) describes autonomous vehicles as “highly vulnerable to a wide range of attacks” that could jeopardize passengers, pedestrians, and people in other vehicles. The report identifies potential threats to self-driving vehicles as including sensor attacks with light beams, as well as adversarial machine learning (ML) hacks. With growing use of artificial intelligence (AI) and the sensors that power autonomous vehicles offering greater potential for attacks, the researchers advised policymakers and businesses to foster a security culture across the automotive supply chain, including third-party providers. The researchers suggested AI and ML systems for autonomous vehicles “should be designed, implemented, and deployed by teams where the automotive domain expert, the ML expert, and the cybersecurity expert collaborate.” https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-299f0x228a9ax070159&
University of Warwick (U.K.) 25 Feb 2021, via ACM TechNews, 26 Feb 2021
Researchers at the University of Warwick in the U.K. have found that the LiDAR sensors on autonomous vehicles (AVs) are less effective in detecting objects at a distance during periods of heavy rain. The researchers used the university's WMG 3xD simulator to test an AV's LiDAR sensors in different intensities of rain on real roads; they found that when the rainfall increased up to 50 mm per hour, object detection by the sensors dropped in conjunction with a longer range in distance. Warwick's Valentina Donzella said, “Ultimately we have confirmed that the detection of objects is hindered to LiDAR sensors the heavier the rain and the further away they are.”
Volvo XC40 Recharge electric SUVs are currently being held at US ports because the company is waiting to ship a crucial software update before releasing them to customers and dealers, The Verge has learned.
The problem appears to be that these XC40 Recharge SUVs—which is Volvo's first all-electric vehicle—left the company's factory without the Volvo On Call software activated. Volvo On Call is a subscription service that connects Volvo cars to an owner's smartphone, allowing them to remotely turn the vehicle on and off, lock or unlock the doors, and access diagnostic information. […] https://www.theverge.com/2021/3/1/22307866/volvo-xc40-recharge-delay-software-update-on-call-ota
Air Vice Marshal Rich Maddison is a senior RAF officer with decades of flying experience. “As an Air Force we are as high-tech as you get, but this, this is just me.”
He is referring to a miniature computer with a black and lime green screen and minuscule memory that uses AA batteries to power a 1997 design. It is a Psion 5 device and for AVM Maddison it represents his personal aviation history.
The dated device is where he keeps his own flying log. Hailing from an era when computers came with their own programming languages, the Psion invited users to tinker with its limited applications. He could take fields in its address book and convert them to resemble a pilot's logbook.
Funny, backup isn't mentioned. I guess that hadn't been invented yet.
Six former sub-postmasters have had fraud convictions linked to a faulty computer system quashed in court. The long-running scandal began when the Post Office installed a new computer system that led to hundreds of sub-postmasters being wrongly convicted.
Jimmy Jenkins, KJZZ, February 23, 2021
According to Arizona Department of Corrections whistleblowers, hundreds of incarcerated people who should be eligible for release are being held in prison because the inmate management software cannot interpret current sentencing laws.
As of 2019, the department had spent more than $24 million contracting with IT company Business & Decision, North America to build and maintain the software program, known as ACIS, that is used to manage the inmate population in state prisons.
One of the software modules within ACIS, designed to calculate release dates for inmates, is presently unable to account for an amendment to state law that was passed in 2019.
Senate Bill 1310, authored by former Sen. Eddie Farnsworth, amended the Arizona Revised Statutes so that certain inmates convicted of nonviolent offenses could earn additional release credits upon the completion of programming in state prisons. Gov. Ducey signed the bill in June of 2019.
But department sources say the ACIS software is still not able to identify inmates who qualify for SB 1310 programming, nor can it calculate their new release dates upon completion of the programming.
Toyota announced they're adding Amazon Alexa as a feature in some of their cars, but will it be as convenient and helpful as it's supposed to be?
Ellen Previews the New Alexa Backseat Driver
[Someone commented: So it's just like being married.]
A new attack framework aims to infer keystrokes typed by a target user at the opposite end of a video conference call by simply leveraging the video feed to correlate observable body movements to the text being typed.
The research was undertaken by Mohd Sabra, and Murtuza Jadliwala from the University of Texas at San Antonio and Anindya Maiti from the University of Oklahoma, who say the attack can be extended beyond live video feeds to those streamed on YouTube and Twitch as long as a webcam's field-of-view captures the target user's visible upper body movements.
“With the recent ubiquity of video capturing hardware embedded in many consumer electronics, such as smartphones, tablets, and laptops, the threat of information leakage through visual channel[s] has amplified,” the researchers said.
“The adversary's goal is to utilize the observable upper body movements across all the recorded frames to infer the private text typed by the target.” <https://www.ndss-symposium.org/wp-content/uploads/ndss2021_3A-1_23063_paper.pdf>.
To achieve this, the recorded video is fed into a video-based keystroke inference framework that goes through three stages. […] https://thehackernews.com/2021/02/experts-find-way-to-learn-what-youre.html
Israel's parliament passed a law Wednesday allowing the government to share the identities of people not vaccinated against the coronavirus with other authorities, raising privacy concerns for those opting out of inoculation.
The measure, which passed with 30 votes for and 13 against, gives local governments, the director general of the education ministry and some in the welfare ministry the right to receive the names, addresses and phone numbers of unvaccinated citizens.
The objective of the measure—valid for three months or until the Covid-19 pandemic is declared over—is “to enable these bodies to encourage people to vaccinate by personally addressing them”, a parliament statement said. […]
As anticipated. https://www.engadget.com/facebook-australia-news-043441256.html
Marianne Kolbasuk McGee (HealthInfoSec), 26 Feb 2021 (healthcareinfosecurity.com)
Truveta Initiative Involves Sharing De-Identified Data From 14 Provider Organizations
Evaluations find apps are useful, but would benefit from better integration into health-care systems.
“The brain is an electrical organ. Everything that goes on in there is a result of millivolts zipping from one neuron to another in particular patterns. This raises the tantalizing possibility that, should we ever decode those patterns, we could electrically adjust them to treat neurological dysfunction—from Alzheimers to schizophrenia—or even optimize desirable qualities like intelligence and resilience.”
Brain tissue possesses plasticity: neural pathways can be molded. Adjust the neural pathway, and the characteristic electrical impulses (pulse frequency and amplitude) can modify human behavior and/or physiological response.
Exploring transcranial stimulation to treat depression suggests that traditional therapies (talk + medicine) underachieve expected outcomes. Depression is a significant public health disorder that requires priority treatment.
The US CDC estimates that 4.7% of the population aged 18+ regularly experiences feelings of depression (https://www.cdc.gov/nchs/fastats/depression.htm). That's 0.047 * 255M =~ 12M people (2019 population estimates: https://datacenter.kidscount.org/data/tables/99-total-population-by-child-and-adult-populations#detailed/1/any/false/1729,37,871,870,573,869,36,868,867,133/39,40,41/416,417).
The FDA assigns five product codes (OBP, OKP, QCI, QFF, QMD) for approved medical devices based on transcranial stimulation. Visit https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm and apply “transcranial” in the textbox to view medical device reports.
These devices typically apply electromagnetic induction (discovered by Michael Faraday in 1831): a low-frequency, high-intensity magnetic field therapeutically adjusts the brain's neural pathways, a personalized electromagnetic pulse (EMP).
Patients report immediate change in emotional state when applied. Whether or not these therapeutic devices yield persistent palliative relief from symptomatic depression remains to be demonstrated.
Risk: Iatrogenic result.
Electronic Frontier Foundation
During the pandemic, a dangerous business has prospered: invading students' privacy with proctoring software and apps. In the last year, we've seen universities compel students to download apps that collect their face images, driver's license data, and network information. Students who want to move forward with their education are sometimes forced to accept being recorded in their own homes and having the footage reviewed for suspicious behavior.
Given these invasions, it's no surprise that students and educators are fighting back against these apps. Last fall, Ian Linkletter, a remote learning specialist at the University of British Columbia, became part of a chorus of critics concerned with this industry.
Now, he's been sued for speaking out. The outrageous lawsuit—which relies on a bizarre legal theory that linking to publicly viewable videos is copyright infringement—will become an important test of a 2019 British Columbia law passed to defend free speech, the Protection of Public Participation Act, or PPPA.
I griped yesterday (Sunday, Feb 28) to my money manager that my February distribution hadn't been paid:
Today is the last day of the month; the last business day was Friday—no expected deposit.
This needs to be reliable—what happened?
This should be automatic?
Unfortunately, when the date of the distribution falls on a Saturday or Sunday, it pushes the payment to the next business day which is today. The funds should be posted to your account this morning. For your March 28 distribution, it will post to your banking account on Monday, March 29.
But that does seem strange—computers don't work on Sundays? Funds transfer networks take Sundays off? Surely these payments are made automatically so what's the reason Sundays are skipped?
So I'm waiting for some nonsense justification. Friend speculated:
Whaddaya wanna bet this is some ancient rule that these can only happen on biz days?
Really, every day's a business day these days. Credit card companies have no problem with billing days on weekends. And customers can't tell them that they're delaying payment to Monday. So payments should be made on weekends. Or should be made Friday before, not Monday after.
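The weekend rule the money manager describes (a distribution dated on a Saturday or Sunday posts on the next business day) and the alternative the contributor argues for (pay on the Friday before) are both small calendar computations. The following Python is an added example, not code from the exchange above or from any payment system; it assumes distributions are scheduled for the 28th of each month, as in the March 28 case quoted, and it treats only Saturday and Sunday as non-business days (public holidays are not modelled).

```python
from datetime import date, timedelta
from typing import List


def roll_to_business_day(d: date, forward: bool = True) -> date:
    """Return d unchanged if it is a weekday; otherwise step one day at a time
    forward (next business day) or backward (previous business day) until a
    weekday is reached.  Assumption: only weekends are non-business days."""
    step = timedelta(days=1 if forward else -1)
    while d.weekday() >= 5:  # Monday == 0 ... Saturday == 5, Sunday == 6
        d += step
    return d


def distribution_posting_date(year: int, month: int, day: int = 28,
                              pay_early: bool = False) -> date:
    """Date on which a distribution scheduled for `day` of the month actually
    posts.  Default policy: roll forward to the next business day (the rule
    stated by the money manager).  pay_early=True applies the contributor's
    preferred rule instead: roll back to the Friday before."""
    scheduled = date(year, month, day)
    return roll_to_business_day(scheduled, forward=not pay_early)


def delayed_months(year: int, day: int = 28) -> List[int]:
    """Months in `year` whose scheduled distribution falls on a weekend and
    would therefore be delayed under the roll-forward policy."""
    return [m for m in range(1, 13) if date(year, m, day).weekday() >= 5]


if __name__ == "__main__":
    # The two cases from the exchange above: Feb 28 2021 and Mar 28 2021 are Sundays.
    print(distribution_posting_date(2021, 2))                  # 2021-03-01
    print(distribution_posting_date(2021, 3))                  # 2021-03-29
    print(distribution_posting_date(2021, 2, pay_early=True))  # 2021-02-26
    print(delayed_months(2021))                                # [2, 3, 8, 11]
```

Running it for 2021 shows that four of the twelve distributions in that year would be delayed under the roll-forward rule, which is the kind of count a customer might want before accepting the "it pushes to the next business day" explanation.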
‘Incorrect software parameter’ sends Formula E's Edoardo Mortara to hospital: Brakes' fail-safe system failed (The Register) https://www.theregister.com/2021/03/01/formula_e_bug/
Swiss Formula E driver Edoardo Mortara ended up in hospital after a software error left him driving into a safety wall at the ABB FIA Formula E World Championship in Diriyah, Saudi Arabia, on Saturday.
The Mercedes-EQ Team said they've managed to correct the software problem and convince ruling body the FIA (Federation Internationale de l'Automobile) that the problem has been resolved.
Former Audi driver Daniel Abt, who, prior to being suspended for cheating in an online race last May, had a similar accident also attributed to braking software, took note of the parallel circumstances.
The Diriyah race also saw a more alarming accident, involving driver Alex Lynn (said to be well), and a missile interception over the city that occurred in the midst of a fireworks display.
Drivers for Uber, Lyft, and other firms are building apps to compare their mileage with pay slips. One group is selling the data to government agencies.
Owners of Roomba robot vacuums have complained the devices appear “drunk” following a software update.
Problems include the machines “spinning around”, constantly recharging or not charging at all, and moving in strange directions.
The devices' maker iRobot has acknowledged its update had caused problems for “a limited number” of its i7 and s9 Roomba models.
However, it added a fix would take “several weeks” to roll out worldwide.
In the meantime, the firm is asking those affected to share the serial numbers of their devices so it can remove the most recent update.
Ken Munro is a cyber-security expert who specialises in security around the Internet-of-things—anything which is connected to the Internet. “Updates usually add new features or fix security bugs in smart products,” he said. “They don't always go to plan though, sometimes introducing new bugs.”
What could ever go wrong with over-the-air updates of automotive software? It'll be OK as long as it doesn't touch anything related to engine, handling, navigation, safety, or infotainment. I can't wait.
Over time, Word will learn and adapt to users' writing style while reducing spelling and grammatical errors.
Redmond first tipped the text-prediction feature in September, when it had a limited rollout for Word beta testers and Microsoft 365 Word on the web users, as well as Outlook.com and Outlook on the web users in North America. The idea is to help users “write more efficiently by predicting text quickly and accurately,” Microsoft said at the time.
What COULD go wrong with this… paving the way to even worse things than demented spelling checkers.
A doctor in Sacramento, California joined a traffic court hearing on Zoom while performing surgery on a patient. Scott Green was dressed in surgical scrubs in an operating theatre when he appeared at his virtual trial on Thursday, the Sacramento Bee reported.
When questioned by the judge, Mr Green said he was happy to go ahead, and that he had “another surgeon right here who's doing the surgery with me”.
The judge said that would not be “appropriate” and postponed the trial.
The Medical Board of California has now said in a statement that it would look into the incident, adding that it “expects physicians to follow the standard of care when treating their patients”.
The New York Times
At issue was whether the city should continue to sort 4-year-olds into gifted and talented classes through a selective admissions process. Mr. de Blasio had said that the city would continue to offer an admissions exam for toddlers this year, then announce a new admissions system before he leaves office in January.
What could go wrong with selecting 4-year old kids for enhanced learning, leaving others behind?
Other issues here are desegregation and entrance criteria for New York's specialized schools (one of which I attended, so I have opinions on entrance exams for them).
Leo Hermann, ETH Zurich (Switzerland), 22 Feb 2021, via ACM TechNews, Friday, February 26, 2021
Security Flaw Detected for 2nd Time in Credit Cards
A method for bypassing security measures to use certain credit and debit cards without a PIN code has been uncovered by researchers at Switzerland's ETH Zurich. Previously, the researchers had demonstrated that bypassing security was possible using Visa cards, while the new research shows security methods may be bypassed with Mastercard and Maestro cards by exploiting the data exchanged between the card and the card terminal. The method initially worked only with Visa cards, but the researchers were able to manipulate the payment process so the card terminal performed a Visa transaction and the card itself performed a Mastercard or Maestro transaction. The researchers informed Mastercard of their findings, after which the company updated the relevant safeguards. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-29a98x228c4ax070842&
Matthew Sparkes, New Scientist, 24 Feb 2021 via ACM TechNews, Friday, February 26, 2021
Researchers at the University of Michigan, Virginia Polytechnic Institute and State University, and Google have accelerated computer-chip testing by simulating chips and applying advanced software testing tools for analysis of the simulations. Virtual testing lets engineers utilize fuzzing, a method that monitors for unexpected results or crashes that can be reviewed and corrected. The researchers had to modify software fuzzers to run over time, rather than trigger a single input and wait for the response. This approach enabled a chip that would usually take 100 days to test to be analyzed in one day. The researchers think faster hardware testing could reduce development time and bring more reliable, more secure next-generation chips to market faster. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-29a98x228c4dx070842&
A company that rents out access to more than 10 million Web browsers so that clients can hide their true Internet addresses has built its network by paying browser extension makers to quietly include its code in their creations. This story examines the lopsided economics of extension development, and why installing an extension can be such a risky proposition.
Singapore-based Infatica[.]io is part of a growing industry of shadowy firms trying to woo developers who maintain popular browser extensions — desktop and mobile device software add-ons available for download from Apple, Google, Microsoft and Mozilla designed to add functionality or customization to one's browsing experience.
Some of these extensions have garnered hundreds of thousands or even millions of users. But here's the rub: As an extension's user base grows, maintaining them with software updates and responding to user support requests tends to take up an inordinate amount of the author's time. Yet extension authors have few options for earning financial compensation for their work.
So when a company comes along and offers to buy the extension—or pay the author to silently include some extra code—that proposal is frequently too good to pass up.
For its part, Infatica seeks out authors with extensions that have at least 50,000 users. An extension maker who agrees to incorporate Infatica's computer code can earn anywhere from $15 to $45 each month for every 1,000 active users. […] https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/
Why was SolarWinds so vulnerable to hackers? Bruce Schneier, The New York Times, Op-Ed, 24 Feb 2021
Worth reading! Last paragraph:
In today's unregulated markets, it's just too easy for software companies like SolarWinds to save money by skimping on security and to hope for the best[*]. That's a rational decision in our free-market world, and the only way to change that is to change the economic incentives.
Washington (CNN) Current and former top executives at SolarWinds are blaming a company intern for a critical lapse in password security that apparently went undiagnosed for years.
The password in question, “solarwinds123,” was discovered in 2019 on the public Internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server.
A system so insecure that an intern can compromise it.
[Re: Error-prone software that reportedly ruined lives] https://www.bbc.com/news/business-55271193
Less prejudice, more objectivity: An application process that is not influenced by the personal preferences of a recruiter. That is the promise of many AI companies entering the market worldwide, including a start-up based in Munich.
According to the software developer, the artificial intelligence analyzes tone of voice, language, gestures and facial expressions and creates a behavioural personality profile. The application process will not only be “faster, but also more objective and fair”, according to the start-up.
Apparently that sounds promising: the company has just received seven-figure funding from investors. The start-up states that it cooperates with DAX-listed companies; the brand logos of Lufthansa, BMW Group and ADAC can be found on the website.
Similar products are already in use in the US. Hirevue, a company from the US state of Utah, claims to have 700 companies as customers. Hirevue products have drawn criticism from AI experts; the software's results were considered to be opaque.
And yet, AI is considered a key technology and already now it's hard to imagine a future without it — also in recruiting.
For this reason, a team of reporters from Bayerischer Rundfunk (German Public Broadcasting), performed several experiments with such a product in taking a closer look at the software of a Munich based start-up. […] https://web.br.de/interaktiv/ki-bewerbung/en/
The Echo Show 10 tracks your movement to make sure you're always in the frame on video calls. But it also doubles as a surveillance camera inside your home.
I'd like to point out vaccine certificates have existed for many years, and I've just dug mine out of the filing cabinet to look at it carefully. It is a bright yellow booklet about the size of a passport but much thinner. It is labeled in English and French “International Certificate of Vaccination In accordance with the International Health Regulations of the World Health Organisation”. It is primarily for Yellow Fever, of course, but has pages dedicated for Typhoid, Cholera, and “Other” which could surely cover Covid-19. Mine has stamps on several pages, and I've carried it a few times when visiting countries where Yellow Fever vaccination might be required. My certificate reminds me to get another Yellow Fever vaccination by the end of November 2021.
So the format exists, is WHO approved, and internationally recognised. It is very easy to carry and read, does not require data connectivity, has no battery to run down, and will never prompt me to update its software. No doubt the current document format is easy to forge but that could easily be improved as we know from modern plastic banknotes bearing holograms that many countries now use (but perhaps not the USA yet?). Is it really necessary to adopt a brand-new digital format that would require lengthy negotiations to achieve international recognition when we already have something in printed form that appears to work well?
Following severe man-made or natural disasters, the grid and other critical infrastructure are subject to cyberthreats but with much less cyberprotection than normal. The recent Texas outages that were caused by severe storms could have had the outages and recovery significantly impacted by cyberthreats. The existing regulations and standards such as the NERC CIPs were shown to be dangerously lacking. These gaps apply to all US utilities and have been exploited resulting in wide-spread outages and equipment damage. There is an opportunity to use the Texas experience to make needed changes to regulations and guidance on cybersecurity of critical infrastructures. It is evident that our adversaries are watching what happened, how we are responding, and what is being done to prevent future grid impacts. As such, resilience means addressing what could possibly be expected. The solution to building and operating a more resilient grid and other critical infrastructures lies with leadership in industry, government, Congress, and stakeholders such as credit rating agencies and insurance companies.
> Under some of the plans, when demand increases, prices rise. The goal, architects of the system say, is to balance the market by encouraging consumers to reduce their usage and power suppliers to create more electricity.
This is the simplified view for the proletariat.
The market clearing price represents the marginal cost to “generate” one additional MWh of power in the current clearing period for the current supply and demand.
When fully operational this marginal price system (which is used in the pricing of all demand-produced commodities ranging from Natural Gas, Oil and Gasoline, to Electricity) is used to balance a more-or-less theoretical price sensitive demand above baseload against the cost of production of that commodity.
> But when last week's crisis hit and power systems faltered, the state's Public Utilities Commission ordered that the price cap be raised to its maximum limit of $9 per kilowatt-hour, easily pushing many customers' daily electric costs above $100. And in some cases, like Mr. Willoughby's, bills rose by more than 50 times the normal cost.
And this is the root of the problem—political interference in the operation of a perfectly good system by artificial setting of the marginal price such that it did not represent current operational conditions.
It is entirely possible to have low demand and rolling blackouts and at the same time a low (or negative) marginal price. Just because large segments of the grid are offline does not affect the marginal price of the supply/demand balance for the parts that are working.
> Many of the people who have reported extremely high charges, including Mr. Willoughby, are customers of Griddy, a small company in Houston that provides electricity at wholesale prices, which can quickly change based on supply and demand.
This is because it is obvious to anyone with even half a working brain-cell that in the long run paying the marginal price is more cost effective than paying a fixed price. If this were not the case, then all the offerers of fixed pricing would be bankrupt because they would not be charging their markup.
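The marginal-price mechanism the post describes (the clearing price is the marginal cost of the last MWh needed to meet demand, and it is unaffected by segments of the grid being offline as long as supply and served demand shrink together) can be made concrete with a merit-order dispatch. The Python below is an added illustration, not code from the post, from ERCOT, or from the Times article; the supply stack and demand figures are constructed, and the quoted $9 per kilowatt-hour cap is expressed here as $9,000/MWh. The `force_to_cap` flag models the administrative override the post objects to; the treatment of a true shortfall as scarcity pricing at the cap is an assumption of the example.

```python
from typing import List, Optional, Tuple

# Constructed supply stack for illustration only:
# (unit name, capacity available this clearing period in MWh, marginal cost in $/MWh)
SUPPLY_STACK: List[Tuple[str, float, float]] = [
    ("nuclear", 300.0, 10.0),
    ("coal", 200.0, 25.0),
    ("gas_ccgt", 200.0, 40.0),
    ("gas_peaker", 100.0, 120.0),
]

PRICE_CAP_PER_MWH = 9000.0  # the quoted $9/kWh maximum, in $/MWh


def clear_market(stack: List[Tuple[str, float, float]],
                 demand_mwh: float) -> Tuple[Optional[float], List[Tuple[str, float]]]:
    """Merit-order dispatch: commit the cheapest units first until demand is met.

    Returns (clearing_price, dispatch).  The clearing price is the marginal cost
    of the last unit that had to be committed, i.e. the cost of one more MWh.
    A price of None signals a shortfall: demand exceeds available capacity and
    load must be shed.
    """
    if demand_mwh <= 0:
        return 0.0, []
    remaining = demand_mwh
    price: Optional[float] = None
    dispatch: List[Tuple[str, float]] = []
    for name, capacity, marginal_cost in sorted(stack, key=lambda u: u[2]):
        if remaining <= 0:
            break
        take = min(capacity, remaining)
        dispatch.append((name, take))
        remaining -= take
        price = marginal_cost
    if remaining > 0:
        return None, dispatch
    return price, dispatch


def settlement_price(market_price: Optional[float], price_cap: float,
                     force_to_cap: bool = False) -> float:
    """Price billed to a customer on a wholesale-indexed plan.

    Normally the cap only truncates the clearing price from above.  With
    force_to_cap=True the price is pinned at the cap regardless of the
    supply/demand balance, which is the administrative override the post
    describes.  A shortfall (market_price None) settles at the cap; that is
    an assumption of this example, not a rule taken from the post.
    """
    if force_to_cap or market_price is None:
        return price_cap
    return min(market_price, price_cap)


def outage_scenario() -> Tuple[Optional[float], Optional[float]]:
    """Compare the clearing price in normal operation with the price when one
    unit is offline and a matching block of demand is blacked out (rolling
    blackouts).  Both values come out at the same marginal cost, which is the
    post's point that offline segments do not by themselves move the price."""
    normal_price, _ = clear_market(SUPPLY_STACK, 600.0)
    reduced_stack = [u for u in SUPPLY_STACK if u[0] != "coal"]  # 200 MWh offline
    blackout_price, _ = clear_market(reduced_stack, 400.0)        # 200 MWh of load shed
    return normal_price, blackout_price


if __name__ == "__main__":
    normal, blackout = outage_scenario()
    print("clearing price, normal operation:", normal)       # 40.0
    print("clearing price, coal offline + load shed:", blackout)  # 40.0
    print("billed, cap as ceiling:", settlement_price(normal, PRICE_CAP_PER_MWH))
    print("billed, price forced to cap:",
          settlement_price(normal, PRICE_CAP_PER_MWH, force_to_cap=True))
```

With the constructed stack, 600 MWh of demand clears at the combined-cycle gas unit's $40/MWh; taking the coal unit offline while shedding 200 MWh of load leaves the clearing price at $40/MWh, whereas pinning the settlement price at the $9,000/MWh cap multiplies the bill by a factor unrelated to the cost of serving the load.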