The RISKS Digest
Volume 32 Issue 58

Thursday, 1st April 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



April No-Fools' Day? No fooling!
Post-vaccine guidance
Rob Slade
Errors ruin 15 million doses of Johnson & Johnson's COVID-19 vaccine
Dark web bursting with COVID-19 vaccines, vaccine passports
Ars Technica
New York launches nation's first vaccine passports
USA Today
Vaccine passports
Lauren Weinstein
New Covid vaccines needed globally within a year, say scientists
The Guardian
Child tweets gibberish from U.S. nuclear-agency account
BBC News
Fooling facial recognition
The Register
Biometrics instead of passwords
The Register via Arthur T.
The Antiscience Movement Is Escalating, Going Global and Killing Thousands
Peter J. Hotez
Nine requests assistance from government after major cyber-attack
John Colville
How the Nine cyber-attack is affecting the Herald
John Colville
How a Software Error Made Spain's Child COVID-19 Mortality Rate Skyrocket
The Underground Nuclear Test That Didn't Stay Underground
Atlas Obscura
Solar Geoengineering Should be Investigated, Scientists Say
Scientific American
PHP's Git Server Hacked to Insert Secret Backdoor to Its Source Code
The Hacker News
New wave of hacktivism adds twist to cybersecurity woes
Blockchain is causing female green sea turtles
Rob Slade
Your right to repair: COVID-19 is sending businesses, hospitals, and consumers to the breaking point
Wetware data retrieval: Forensic analysis and data recovery from water-submerged hard drives
Scientists can implant false memories—and reverse them...
Suez Canal Blocked After Giant Container Ship Gets Stuck
NY Times
Suez Canal from Space
Geoff Kuenning
'Agile' F-35 fighter software dev techniques failed to speed up supersonic jet deliveries
The Register
F-35 vs. bird
Gabe Goldberg with PGN comments
Radiation Upset confused computers and caused false alarm on International Space Station
The Register
Vote-by-mail fraud in Australia
Vanessa Teague
How Facebook got addicted to spreading misinformation
No security on Website intended to prove that Swiss are vaccinated
Anthony Thorn
Volkswagen apparently changing their name in U.S.
Lauren Weinstein
Remote Work Is Here to Stay. Manhattan May Never Be the Same
Where Are Those Shoes You Ordered? Check the Ocean Floor
David Lesher
Cautionary story about cryptocurrencies, apps, security...
Gabe Goldberg
Energy-harvesting card treats 5G networks as wireless power grids
Yet another 5G attack vector
Rob Slade
Re: No good evidence that 5G harms humans, new studies find
Douglas Lucas
Re: Cybersecurity in retrospect: not good!
Dick Mills
Re: How far should humans go to help species adapt?
Bob Wilson
Re: Too much choice is hurting America
Sam Steingold
Re: Risk transfer and Doordash
John Levine
TikTok Does Not Pose Overt Threat to U.S. National Security
Eva Xiao
Info on RISKS (comp.risks)

April No-Fools' Day? No fooling!

Peter Neumann <>
Tue, 30 Mar 2021 10:47:11 PDT
With all the worldwide rampant disinformation, this year RISKS is attempting
to eschew intentional foolishness on April Fools' Day.  However, this issue
is full of unintentional folly—which is normally our standard fare.

Walt Kelly's Pogo might once have said about April Fools' Day,
  "We have met the fools, and they are us."

There are of course still a lot of fools believing wild conspiracy theories.
But might the fools be many people who do not read RISKS?  I would like to
believe that after more than 36 years, our readership is continually
becoming more enlightened.

However, please read the next item carefully.  It starts out (a) as an April
Fools piece, but (b) then changes its mind and is not.

Post-vaccine guidance

Rob Slade <>
Sun, 28 Mar 2021 10:51:04 -0800
Many people are concerned that health authorities, while working diligently
to ensure vaccine rollout is as fast and as smooth as possible, have not
given clear and specific guidance to those who *have* been vaccinated as to
when they can resume normal activities, and which activities are permitted,
at which point, once they have received vaccinations.  The following is a
chapter that was somehow missed from the printed edition of "Cybersecurity
Lessons from CoVID-19," and is an attempt to fill that gap.

As many will know, receipt of the vaccine shot does not immediately confer
full immunity or protection.  There is a delay while the body reacts to the
vaccine, and builds up antibody defences.  In the case of most vaccines,
this build-up of protection takes between three weeks and a month.  Most of
the vaccine candidates also benefit from, but do not necessarily require, a
booster shot.  This second shot can slightly increase the level of
protection against the infection, and tends to make the protection last for
a longer period of time.

There are few changes in routine and protective behaviour, therefore,
immediately following receipt of the shot.  Those vaccinated are, however,
cautioned against celebrating receipt of the vaccine with breakdancing,
since medical staff will be watching closely, in the first fifteen minutes
after vaccine administration, for signs of Adverse Effects From Immunization
(AEFIs), and may falsely report high levels of seizures.  Also be advised
that referring to a large vaccination facility as a "mass shooting site"
will not be appreciated by staff.

You may have heard of variants of concern.  For those who have not yet been
vaccinated, you should also be aware that there are also vaccines of
concern.  Do be cautious in terms of the vaccine that you are offered.
"Sputnick," "Phiser," or "Modern" brand vaccine is unlikely to be effective,
nor is anything manufactured by "Joe's Vaccines-Backwards-R-Us and
Autobody." If someone offers you P.1, note that this is not a vaccine, but
either the virus itself, or a fictional computer virus from a book by Thomas
J. Ryan.

Since protection does take time to build, please do not immediately discard
your facemask on the floor of the facility with loud exclamations of "Well
thank [deity of your choice] *THAT'S* over with!" as you leave.  Please
continue masking, as usual, for at least a month after receipt of the
vaccine.  (Between weeks three and four it *is* permissible to wear your
mask under your nose.)  If you wish to ceremonially burn your facemask after
the full month has passed, please ensure you do so in a well-ventilated area
away from dry vegetation, and remove all plastic and rubber components first
and discard in appropriate recycling bins.

Currently, for unvaccinated individuals, gatherings are restricted to
households or a designated "safe six."  Three weeks after initial
vaccination, you may introduce a seventh person, but only someone that none
of you really like.  After four weeks, you may introduce one additional
vaccinated person per week, as long as they sit more than six feet or two
metres away, which distancing can be reduced by one foot (thirty
centimetres) per week.  (If that additional person has received a different
vaccine from the one you received, please add an additional four inches [ten
centimetres] of distance.)

Once you have received your second vaccine shot, you may engage in board
games with people who have received only their first shot, but only if the
board and all pieces are sprayed with disinfectant after each move.

As vaccines have been priorized for those in older age categories, there
will be situations where grandparents have been vaccinated, but their
children and grandchildren have not.  If the grandparents have had both
shots, then they may visit if their children (parents of the grandchildren)
have had at least one shot, and may have some contact with grandchildren,
but should avoid "lifting" games, especially if the grandchildren weigh more
than fifty pounds.  As most vaccines are not yet approved for children under
the age of sixteen, contact with the grandchildren should be limited to a
gentle pinch on the cheek and the comment, "My, aren't you getting big!"
(Both cheek and fingers should be sanitized immediately after.)  Children
may attend school, as studies show that transmission rates within schools
are lower than in the general community.  (Parents and grandparents are
warned that they will not be allowed to live in schools until full
vaccination is achieved.)

In terms of intimate relationships, you may engage in short affairs between
the receipt of your initial shot and your booster shot, but do not enter
into any relationship likely to extend beyond the date for your second shot.

Weddings and other large gatherings may slowly resume, with restrictions.
If both bride and groom are unvaccinated, the ceremony is limited to ten
people, outdoors.  If both bride and groom have had their first vaccination,
the ceremony is limited to ten people, indoors.  If the bride and groom have
had vaccinations from different manufacturers, the ceremony may be held
indoors, but the centre aisle must be at least three metres wide.  If all
guests have had both shots, the ceremony may be held with 50 guests.  Any
guests who have had only one vaccine are limited to no more than 15, and
must be at least four rows back from those who have had both shots.  If the
groom and the groom have both had their shots from the same manufacturer,
and all the guests have as well, and there is at least one Catholic in the
guest list who has had both shots *and* has been sprinkled with holy water,
please contact the Vatican medical office for the proper protocol.

Children's birthday parties with large numbers of children and all parents
in attendance should only be planned if you do not intend to hold a similar
party with the same guests next year.

Medical guidance is that handwashing should continue after receipt of the
first vaccine, but you can reduce the time taken by leaving off the last
line of the second repetition of the "Happy Birthday" song.  After receipt
of the booster shot, you should continue handwashing, but you don't have to
scrub under your finger-nails.  Two weeks after receipt of the second shot,
you may eat chili with your bare hands and rub them dry on your pants.

Two weeks after receipt of the second vaccine shot, decisions about being in
enclosed spaces are best left to you and your claustrophobia therapist.

In terms of travel, road trips in the family car are seen as safer than air
travel or other forms of mass transit.  Leaving the car for meals,
recreation, or nightly housing increases the risk, so it is recommended that
you just drive to the various locations you want to visit, and not leave the
car for any reason until you return home.  Note that the kids continually
asking "Are we there yet?" will not be accepted as a valid excuse for
killing them.

In regard to travel, as well as other activities, some may wish to obtain a
"vaccine passport."  Well, you can't.  At least not one that will be
recognized as a passport at pretty much any border control.  Many people
will be willing to sell you a vaccine passport, or a vaccine certificate,
sometimes even if you haven't been vaccinated!  Almost nobody will be
willing to accept such a passport or certificate.  A true vaccine
certificate will include the date and time of your vaccination, the maker of
your vaccine, the batch number, your name, medical history, and medical
insurance information, the name, phone number, and digital signature of the
person who registered you for the vaccine certificate, the name, phone
number, medical certificate, and proof of non-membership in an anti-vaxxer
organization of the person who reconstituted your shot, and the name,
number, and a decent picture with the eyes not *too* squidged shut of the
person who gave you the shot.  Note that non-Chinese vaccine certificates
will not be accepted in China.

Remember that no vaccine provides 100% protection.  Two weeks after the
second dose, with a month between first and second doses, Pfizer provides
95%, Moderna provides 94%, and AstraZeneca provides 60%, 69%, 76%, 79%, 89%,
or 100%, depending upon how many AstraZeneca press releases you have read.
Reading AstraZeneca press releases increases protection, but at the expense
of a risk of increased anxiety.  Those taking the AstraZeneca vaccine
following a full regime of AstraZeneca press releases are advised to combine
it with Xanax, and one low-dose or "baby" aspirin.  (Medical guidance is
that AstraZeneca press releases are not recommended for children under the
age of five.)

In terms of other activities, please be advised that, following
administration of the vaccine, you will *not* be able to play the bagpipes
unless you could play them before you were vaccinated.

For further details or clarification of these recommendations, please see

  The foregoing is, of course, an "April Fools" piece, and not actual
  medical advice.  (If it *had* been medical advice, of course, you would
  have been charged more.)  However, yesterday, as I wrote this, and a few
  days ago, as you read this, events forced me to reconsider and add a
  little bit.  I had no sooner sent this off to Peter for RISKS than I
  started on my, pretty much daily, trip to the library and the mall.  I
  never got to the library because it was surrounded by police.  Someone had
  gone on a rampage, stabbing at least six people and sending them to
  hospital.  At least one has died.

  The municipality where I live is part of the fairly cosmopolitan city of
  Vancouver, but has the feel of a small town.  The neighbourhood where I
  reside is even more protected.  It is in a kind of pocket on the side of
  the mountain, and even wind storms seem to pass over it, so it is very
  much the type of place where people would say, "yeah, we see things like
  that on the news, but they never happen *here*."

  The suspect is, apparently, "known to police" and has a record.  Nobody
  has yet mentioned "mental issues," but you can almost hear the reporters
  keeping themselves from saying it.  (Which is not, of course, a reason for
  attacks: I've fought my own "mental issues" for fifty years.  But that's
  another topic.)  We probably won't ever know the real reason for the
  attack, but I have to suspect that media reports of mass shootings over
  the past weeks contributed.

  We have all been in a pandemic, and under various restrictions, from
  handwashing to lockdowns, for over a year now.  CoVID fatigue is real, and
  it seems to be encouraging us to do some pretty awful things.  I have been
  extremely disappointed by the move of racism from covert and pernicious to
  overt, vociferous, and even demanding.  The almost complete collapse of
  any kind of civility in American political discourse is terrifying.  The
  economy seems to have, almost automatically, made the rich richer, and the
  poor poorer, widening the inequity gap.  The pandemic seems to have
  magnified all that is worst about our society.

  I hope that the beginning of this piece was, at least, amusing, and
  possibly provides a bit of a break for you in these dark times.  The
  vaccines do provide us with a "light at the end of the tunnel" (which is a
  phrase I most often associate with the lights of an oncoming train).
  While even the vaccines, as a limited resource, have created tensions and
  problems, I hope that, within months, they will make a significant
  difference to the over-arching pandemic problems.

  In the meantime, keep to the precautions for a little longer.  Wash your
  hands, wear a mask, maintain distance, don't have or go to parties or
  events.  When you can, without jumping any queues, get vaccinated.  See
  you all on Zoom when there is an opportunity, and in person, hopefully, by
  the fall.

  Oh, one more thing.  The day before April Fools day, 31 Mar, is apparently
  World Backup Day.  I'm very big on backups.  We give them lip service, but
  we don't do them as often as we
  should.  I wrote the first part of this piece over several days, keeping
  it up on the system I was using to write it.  As is often the case with
  something I'm working on, I made a separate backup.  And, as blind, random
  chance would have it, the system I was writing it on had a hiccup and
  collapsed, taking the piece with it.  But, I recovered the backup, and all
  was well.

  Now go make a backup.  And, while it's completing, wash your hands.

Errors ruin 15 million doses of Johnson & Johnson's COVID-19 vaccine (The Verge + NYTimes)

Monty Solomon <>
Thu, 1 Apr 2021 08:41:04 -0400
Johnson & Johnson Covid-19 vaccine is delayed by a U.S. factory mixup.  A
manufacturer in Baltimore accidentally conflated the ingredients for two
different coronavirus vaccines, officials say.

Dark web bursting with COVID-19 vaccines, vaccine passports (Ars Technica)

Lauren Weinstein <>
Tue, 30 Mar 2021 07:24:30 -0700
  [Fake vaccines. Unrefrigerated vaccines. Fake vaccination cards. Train
  wreck.  LW]

New York launches nation's first 'vaccine passports'

Geoff goodfellow <>
Sun, 28 Mar 2021 09:53:05 -1000
Others are working on similar ideas, but many details must be worked out.

Starting Friday, New Yorkers will be able to pull up a code on their cell
phone or a printout to prove they've been vaccinated against COVID-19 or
recently tested negative for the virus that causes it.

The first-in-the-nation certification, called the Excelsior Pass, will be
useful first at large-scale venues like Madison Square Garden, but next week
will be accepted at dozens of event, arts and entertainment venues
statewide. It already enables people to increase the size of a wedding
party, or other catered event.

The app, championed by Gov. Andrew Cuomo to support the recovery of
industries most affected by the pandemic, is funded by the state and
available for free to businesses and anyone with vaccination records or
test results in New York.

Like an airline boarding pass, people will be able to prove their health
status with a digital QR code—or "quick response" machine-readable label.
They'll need to download the Excelsior Pass app, enter their name, date of
birth, zip code and answer a series of personal questions to confirm their
identity. The data will come from the state's vaccine registry and also will
be linked to testing data from a number of pre-approved testing companies.

The New York system, built on IBM's digital health pass platform
<>, is provided via
blockchain technology, so neither IBM nor any business will have access to
private medical information. An entertainment venue will simply scan the QR
code and get a green check or a red X.

The new pass is part of a growing but disjointed effort to provide vaccine
"passports" or  certifications, so people won't have to hang onto a
dog-eared piece of paper, worry about privacy issues or forgeries, or fork
over extra cash to prove they're not contagious.  [...]

Vaccine passports

Lauren Weinstein <>
Tue, 30 Mar 2021 09:15:12 -0700
Unfortunately, the probability that the array of proposed "vaccine passport"

New Covid vaccines needed globally within a year, say scientists (The Guardian)

geoff goodfellow <>
Tue, 30 Mar 2021 13:27:39 -1000
*Survey of experts in relevant fields concludes that new variants could
arise in countries with low vaccine coverage*   [...]

Child tweets gibberish from U.S. nuclear-agency account (BBC News)

Gabe Goldberg <>
Tue, 30 Mar 2021 14:03:52 -0400
A young child inadvertently sparked confusion over the weekend by posting an
unintelligible tweet to the official account of US Strategic Command.

Risks? Technology + children

Fooling facial recognition (The Register)

Rob Slade <>
Wed, 31 Mar 2021 11:11:28 -0700
Two tricksters in China have fooled the state's massive facial recognition
system.  Temporarily, anyway.

It's really interesting to look at this story and see the implications
behind it.  One of the first things people ask about face recognition is,
"Can't you just fool it with a picture?"  Apparently the Chinese thought
of that.  Your image, seemingly, has to be "live," so the attackers used
a simple deepfake app to animate the picture.

And that was enough to fool the system ...

Biometrics instead of passwords

"Arthur T." <>
Wed, 31 Mar 2021 06:17:10 -0400
When your face is your password, you'd best never let anyone take your
picture.  Conversely, if anyone has ever taken your picture, you probably
shouldn't use your face as a password. Unfortunately, some people don't have
either option.

The Antiscience Movement Is Escalating, Going Global and Killing Thousands (Peter J. Hotez)

Dewayne Hendricks <>
March 31, 2021 6:44:25 JST
Peter J. Hotez, *Scientific American*, 29 Mar 2021 [Via Dave Farber]
Rejection of mainstream science and medicine has become a key feature of the
political right in the U.S. and increasingly around the world

Antiscience has emerged as a dominant and highly lethal force, and one that
threatens global security, as much as do terrorism and nuclear
proliferation. We must mount a counteroffensive and build new infrastructure
to combat antiscience, just as we have for these other more widely
recognized and established threats.  Antiscience is the rejection of
mainstream scientific views and methods or their replacement with unproven
or deliberately misleading theories, often for nefarious and political
gains. It targets prominent scientists and attempts to discredit them. The
destructive potential of antiscience was fully realized in the USSR under
Joseph Stalin.  Millions of Russian peasants died from starvation and famine
during the 1930s and 1940s because Stalin embraced the pseudoscientific
views of Trofim Lysenko that promoted catastrophic wheat and other harvest
failures.  Soviet scientists who did not share Lysenko's *vernalization*
theories lost their positions or, like the plant geneticist, Nikolai
Vavilov, starved to death in a gulag.  Now antiscience is causing mass
deaths once again in this Covid-19 pandemic.  Beginning in the spring of
2020, the Trump White House launched a coordinated disinformation campaign
that dismissed the severity of the epidemic in the United States, attributed
Covid deaths to other causes, claimed hospital admissions were due to a
catch-up in elective surgeries, and asserted that ultimately that the
epidemic would spontaneously evaporate.  It also promoted hydroxychloroquine
as a spectacular cure, while downplaying the importance of masks.  Other
authoritarian or populist regimes in Brazil, Mexico, Nicaragua, Philippines
and Tanzania adopted some or all of these elements.
  [Long item truncated for RISKS.  PGN]

Nine requests assistance from government after major cyber-attack

John Colville <>
Sun, 28 Mar 2021 20:29:23 +0000
Channel 9 is one of the three commercial TV networks in Sydney, Australia.

Media giant Nine Entertainment Co has requested the assistance of the
Australian Signals Directorate after a major cyber-attack hit its broadcast
systems in the early hours of Sunday morning.  As Nine worked to resolve the
issue, Australian Parliament was also investigating a potential cyber attack
in Canberra on Sunday evening, which is affecting government-issued
smartphones and tablets.

How the Nine cyber-attack is affecting the Herald

John Colville <>
Wed, 31 Mar 2021 03:32:06 +0000
This is related to the Channel Nine cyber-attack, which was previously
reported, because Nine Entertainment Co. also owns the *Sydney Morning
Herald* newspaper, and *The Age* from Melbourne.

How a Software Error Made Spain's Child COVID-19 Mortality Rate Skyrocket (Slate)

Jim Reisert AD1C <>
Fri, 26 Mar 2021 03:04:07 -0600
Elena DeBré, *Slate*, 25 Mar 2021

"Even though I didn't know what the problem was, I knew it wasn't the right
data," Soler realized once he got his hands on the Lancet paper. "Our data
is not worse than other countries. I would say it is even better," he
says. Pediatricians across the nation contacted Spain's main research
institutes, as well as hospitals and regional governments. Eventually, they
discovered that the national government somehow misreported the data. It's
hard to pinpoint exactly what went wrong, but Soler says the main issue is
that patient deaths for those over 100 were recorded as children. He
believes that the system couldn't record three-digit numbers, and so instead
registered them as one-digit. For example, a 102-year-old was registered as
a 2-year-old in the system. Soler notes that not all centenarian deaths were
misreported as children, but at least 47 were. This inflated the child
mortality rate so much, Soler explains, because the number of children who
had died was so small. Any tiny mistake causes a huge change in the data.
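A constructed illustration of the mechanism Soler describes, added here and not code from the article or from Spain's reporting system: if the age field silently keeps only its last two digits, 102 becomes 2, and because genuine child deaths are so few, a handful of such records multiplies the child share. The sample ages, the two-digit field and the sanity check are my assumptions.

```python
"""Constructed model of a two-digit age field turning centenarians into
children, plus a data-quality check that catches it before publication.
All records below are made up; only the 102 -> 2 mechanism follows the
explanation quoted above (hypothesised, not the confirmed root cause)."""

from collections import Counter

CHILD_MAX_AGE = 17       # assumption: "child" means 0-17 for the rate
SINGLE_DIGIT_LIMIT = 9   # ages that a truncated centenarian can land on


def store_age_two_digit(age: int) -> int:
    """Simulate a register whose age field holds at most two digits.
    A 102-year-old is stored as 2, a 105-year-old as 5."""
    return age % 100


def child_death_share(ages) -> float:
    """Fraction of recorded deaths attributed to children."""
    if not ages:
        return 0.0
    child_deaths = sum(1 for a in ages if a <= CHILD_MAX_AGE)
    return child_deaths / len(ages)


def truncation_losses(ages):
    """Ages that would not survive the round trip through the field.
    This is the check a registry can run against its source data."""
    return [a for a in ages if store_age_two_digit(a) != a]


def suspicious_single_digit_cluster(stored_ages, expected_share, factor=10.0):
    """Sanity check on published data alone (no source available):
    flag when the share of deaths at ages 0-9 exceeds the expected share
    by more than `factor`.  Returns (flagged, observed_share)."""
    if not stored_ages:
        return False, 0.0
    single = sum(1 for a in stored_ages if a <= SINGLE_DIGIT_LIMIT)
    observed = single / len(stored_ages)
    return observed > factor * expected_share, observed


def compare_rates(ages):
    """Child death share from the true ages versus the stored (buggy) ones."""
    stored = [store_age_two_digit(a) for a in ages]
    return child_death_share(ages), child_death_share(stored)


# Constructed sample: one genuine child death, 900 elderly deaths, and 47
# centenarians (the figure the article gives for misreported records).
SAMPLE_DEATH_AGES = [4] + [78] * 600 + [85] * 300 + [102] * 47

if __name__ == "__main__":
    true_rate, buggy_rate = compare_rates(SAMPLE_DEATH_AGES)
    print(f"true child share {true_rate:.4%}, stored child share {buggy_rate:.4%}")
    print("records that do not round-trip:", len(truncation_losses(SAMPLE_DEATH_AGES)))
    stored = [store_age_two_digit(a) for a in SAMPLE_DEATH_AGES]
    print("stored age histogram (0-9):", sorted(Counter(a for a in stored if a <= 9).items()))
    print("cluster check:", suspicious_single_digit_cluster(stored, expected_share=0.002))
```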

The Underground Nuclear Test That Didn't Stay Underground (Atlas Obscura)

Gabe Goldberg <>
Fri, 26 Mar 2021 12:35:18 -0400
The fallout cloud from the Baneberry test was never supposed to exist.

Solar Geoengineering Should be Investigated, Scientists Say (Scientific American)

Richard Stein <>
Sat, 27 Mar 2021 08:42:20 +0800
[These musings are whole cloth fiction and satire!]

I wonder when someone will cook the Internet-startup equivalent of Mel
Brook's movie "The Producers" featuring a song and dance act entitled
"Springtime for Terms of Service."]

"A controversial policy to address climate change by artificially cooling
the planet deserves more research, according to a panel of leading
U.S. scientists.

"But only if it is carefully governed."

Careful governance, an epic oxymoron encapsulates both modern corporate
behaviors and political institutional effectiveness, is the watch-word
defining the environmental oversight and mitigation measures that protect
all life forms, especially but not exclusively homo sapiens, against
anthropogenic disaster. "What, me worry?"'s IPO was a blockbuster of a blockbuster.
Influencers begged to shill for it. They gleefully acknowledged the fiction
that "doing climate good, especially via a technological fix" is a win-win
grift to exploit.

Rumors that the Chortootolliator's intellectual property for design and
operation—'s crown jewels for its self-promoted
"climate-saving miracle product of our generation"—was exfiltrated via an
Elbonian phish campaign were categorically rejected as distorted.

"A failed, but deceitfully conducted effort to scuttle the IPO attributed to
disgruntled industrial competitors and agents of foreign disruption," said
CEO Carbon Dioxide III. They added, "'Strong minds discuss ideas, average
minds discuss events, and weak minds discuss people.' What's on your mind?"

The public was sold. Temporarily dopamine-burst-jerked via their cellphone
doom-scrolls, quick endorsement via stock purchase followed the idea: a
gizmo that extracts climate changing effluence from the Earth's atmosphere,
thereby excusing all personal sacrifice for its causation, then it must,
above all, be convenient! Profitable? Is the day long?'s corporate charter, and their product "terms of
service" express a refreshingly honest and bold statement of fact, fiction,
and software:

a) The founding charter concludes, "Money is earned, tax-sheltered, and
carefully funneled under the rubric of 'campaign finance' contributions, to
preserve the fiction that this corporation is a public service, like
Standard Oil, the old telephone monopoly, Enron, and local fire
department. Our motto: We put the air in your lungs."

b)'s "About Us" summarizes its raison d'etat: "To
preserve the welfare of nations, and by extension, the Earth's Gaia, our
mission is to extract climate changing gases and aerosols from the
atmosphere to curtail ecosystem erosion and accelerate its historic
recovery. Deployed Chortootolliator's beneficially restore the ozone layer."

[For GPT-3's sake: Noble, very noble. The lie is the truth turning fact into
fiction. This statement is false.]

c) Each country is licensed to operate's
"Chortootolliator" installation according to local, prioritized regulation
thus ensuring that climate-change atmospheric gas reduction targets, per
IPCC agreement, are realized according to globally optimized, time-dependent
ecosystem disruption. When IPCC compliance deviates, see "terms of service"
for sanctions. Licenses are granted subject to local taxation agreements
based on population estimates.

d)'s use terms assert indemnification claims
protecting its employees, and especially CxOs, against a 'perp walk' into
financial history envied by Linus Van Pelt's security blanket.

PHP's Git Server Hacked to Insert Secret Backdoor to Its Source Code

geoff goodfellow <>
Mon, 29 Mar 2021 08:56:22 -1000

New wave of hacktivism adds twist to cybersecurity woes (

Richard Stein <>
Sat, 27 Mar 2021 11:51:09 +0800

"Wrapping oneself in an allegedly altruistic motive does not remove the
criminal stench from such intrusion, theft and fraud," Seattle-based Acting
U.S. Attorney Tessa Gorman said.

According to a U.S. counter-intelligence strategy released a year ago,
"ideologically motivated entities such as hacktivists, leaktivists, and
public disclosure organizations," are now viewed as "significant threats,"
alongside five countries, three terrorist groups, and transnational criminal

Corporate "terms of service" exempt business and government from
accountability. They serve a free-pass when "intrusion, theft, and fraud"
arise from Internet-enabled products and services. The question of the
Internet's viability as an enabling economic vehicle and transformative
agent is specious.

Freelancers and advanced persistent threats stealing or liberating monetized
or classified information expose the sadly ironic, asymmetric nature of
infosec practice. To plan/initiate/execute intrusion/exfiltration action is
substantially less expensive than fielding an effective defense that
prevents occurrence.

If governments and businesses cannot safely operate, and consistently defend
and protect information against Internet theft, fraud, or intrusion, why do
they persist at the attempt? Do they expect to achieve a different result,
as Einstein's definition of insanity suggests?

Internet vulnerability to intrusion and exfiltration reveals the "elephant
on the table," visible since at least the Morris worm some 32 years ago (see Why aren't the employees or
brands that build, sell, and use the products that enable intrusion, theft,
and fraud subject to greater accountability?  Don't they have some hand in
this gyre of breach?

If no one is above the law, and "corporations are people too," one would
expect more prosecutions for product liability and negligence arising from
these incidents. Sadly, there's more lip service than public accountability.

If the hypothesized prosecutions materialized, would the infosec-theater
industry fold up? Would technology-heavy entities rethink their product
engineering and deployment efforts, and be suitably motivated to tighten
their practices against intrusion, theft, and fraud? Would these
prosecutions initiate an economic upheaval that effectively required a
nationalized technology industry (imagine or to
prevent future mushroom cloud-size liability insurance premiums from
bankrupting startups as a precaution to "go-live parties?"

Internet-facing entities are repeatedly assaulted with impunity. They are
slow to learn and embrace history. And, there's always feckless private
sector governance to demand profit over probity. Each incident speaks
volumes about organizational governance competence.  Accountability must be
enforced to teach lessons when porous Internet defenses are deployed and
information tumbles out undetected for months.

Unless governments and businesses are held to strict account for ineffective
Internet defenses, there will be no end to pleas for bigger checks written
to fund infosec budgets.

Procurement standards for Internet-facing and enabling technologies must
elevate and be rigidly enforced for compliance with strict, standardized
digital security measures.

Competent and fair enforcement will require an army of skilled engineers.
Can supply the talent without breach?

18APR1999 comp.risks identifies 'hacktivist' for the first time. The
'leaktivist' label is not used. Other references:

Blockchain is causing female green sea turtles

Rob Slade <>
Mon, 29 Mar 2021 18:02:23 -0700
When green sea turtles lay their eggs, the gender is not yet determined.  If
the sand is above thirty degrees celsius, the hatchlings turn out to be
female.  If the sand is cooler than thirty degrees, the hatchlings turn out
to be male.

Global warming is driving an imbalance in sea turtle gender.

Blockchain is driving global warming.

I used to say that Flash was causing global warming.  I mean, when you went
to a news media Website (and they used a *lot* of Flash to run videos, video
ads, and animations) and you were using a MacBook or similar, you could
actually *see* the battery life cut in half.  Flash used a *lot* of power,
and, multiplied by all the visitors to news Websites, it must have been a
huge use of power resources.

However, now I think that blockchain is to blame.

First off, blockchain is not a thing.  It's a collection of technologies.
Part digital signature, part distributed database, and extremely variable in

It's also heavily tied to cryptocurrencies.  Most of the cryptocurrencies
use blockchain of some type.  Part of the power drain is not actually
blockchain's fault, since so many people are chasing the elusive lure of
cryptocurrency "mining."  To create a new cryptocurrency "coin," you have to
find a number with certain cryptographic (and therefore numerical)
characteristics.  It takes a lot of computing power to find such numbers,
particularly as the "easy" ones are found first, and the later ones get
harder and harder to calculate.

But after the mining, it's all blockchain.

Part of the blockchain is digitally signing a transaction.  There's a little
bit of a power drain there, every time you use part of a cryptocoin to buy a
pizza.  But that's minor.  The thing is, the other part of blockchain is a
distributed database.  Everybody who is using a cryptocurrency is a portion
of the distributed database.  They don't just keep track of their *own*
transactions, but also a certain proportion of *all* the transactions made
with that cryptocurrency.  So, even if *you* aren't buying silly things with
your cryptocurrency, *other* people who are using the same cryptocurrency
for trivial transactions are causing transactions to be recorded, and
digitally signed, on your computer.  And on thousands, or even millions, of
other computers, all over the world.  For each and every transaction.  And,
as they say, a few million milli-amp-hour milliseconds here, a few million
milli-amp-hour milliseconds there, pretty soon it adds up to a real power

We should be developing actual digital cash, if we want that, rather than
this kludge of cryptocurrency that is backed up by a rather weak blockchain

Now, in addition to cryptocurrency, there are Non-Fungible Transactions, or
NFTs.  Cryptocurrency is based on a belief in the value of the scarcity of
numbers with certain properties.  NFTs are based on the belief that people
will speculate on anything.  Or even nothing.  NFTs are pretty close to
nothing.  Some of them are possibly valid artworks.  Others are simply based
on the promise that they are the only one in the world.  Since digital art
can be endlessly copied, and the copies, to any generation you want, are
completely identical to the original, the promise of singularity is attested
by a digital signature.  Backed up by a blockchain.  And each time you trade
or speculate on a Non-Fungible Transaction, all kinds of computers, all over
the world, are adding their contribution to global warming.

The law of unintended consequences.  Blockchain is causing female green sea

Your right to repair: COVID-19 is sending businesses, hospitals, and consumers to the breaking point (ZDNet)

Gabe Goldberg <>
Mon, 29 Mar 2021 01:02:21 -0400
People are spending a lot more time at home, using their products, and stuff
is breaking down.

Right now, when the speaker in your iPhone stops working or a memory stick
in your laptop malfunctions, you're often left with one option: Take it to
an authorized service center and pay for someone else to repair it for
you. It's costly, expensive, and something that needs to change. But as
right to repair legislation is gaining popularity across the country, that
change may happen sooner than later.

This is similar to a long-ago controversy when IBM crippled customers'
ability to understand/improve/repair mainframe operating systems, by
withdrawing their source code. Doing that doesn't seem to have benefited
customers or IBM but the people who did it aren't around to own the

Wetware data retrieval: Forensic analysis and data recovery from water-submerged hard drives (Techxplore)

Richard Stein <>
Mon, 29 Mar 2021 21:32:05 +0800

"However, if the device has been submerged in saltwater, then irreparable
damage can occur within 30 minutes. The situation is worse for a solid-state
drive which will essentially be destroyed within a minute of saltwater
ingress. The research provides a useful guide for forensic investigators
retrieving hard drives that have been submerged in water."

Anyone possessing indictable data? Predisposed to juggle hard disks or thumb
drives near the ocean?

Scientists can implant false memories—and reverse them...

geoff goodfellow <>
March 24, 2021 4:02:31 JST
Scientists figure out two new ways to root out false memories.

Memories are tricky and can comprise much more than our actual

Our minds can make memories out of stories we've heard, or photographs we've
seen, even when the actual recollections are long forgotten. And, new
research suggests, this can happen even when the stories aren't true.

“I find it so interesting, but also scary, that we base our entire identity
and what we think about our past on something that's so malleable and
fallible,'' psychologist Aileen Oeberst at the University of Hagen in
Germany tells Inverse.

Oeberst is the first author of a study released Monday in the Proceedings of
the National Academy of Sciences that examines false memories and what can
be done to reverse them. False memories, the study suggests, are more than
unsettling. When they take root, they can disrupt a courtroom—and the
fate of the individuals there.  [...]

Suez Canal Blocked After Giant Container Ship Gets Stuck (NY Times)

Gabe Goldberg <>
Wed, 24 Mar 2021 19:21:40 -0400
The ship, stretching more than 1,300 feet, ran aground and blocked one of
the world's most vital shipping lanes, leaving more than 100 ships stuck at
each end of the canal.

  [A little digging, tugging, and high tide on Monday/Tuesday apparently
  loosened the ship, after enormous queueueueueueing up in both directions.
  But this massive blockage was just another event for RISKS that was
  waiting to happen.  PGN]

Suez Canal from Space

Geoff Kuenning <>
Thu, Mar 25, 2021 at 11:26 AM
What's fascinating about this photo (which seems to be aerial, not space) is
the comments.  I didn't bother using a translator on the ones in Dutch, but
the ones in English show significant ignorance of the way the world works.

The ship has a capacity of 20,000 TEU, which translates to 10,000 containers
if we assume that they're all 40-footers.  A commenter suggested using
helicopters to offload the ship.  Let's assume optimistically that two
choppers can simultaneously pick up containers, one at the bow and one
amidships, working backwards.  Thinking *very* optimistically, it might take
five minutes for a chopper to hover over a container, workers below to
attach cables, the aircraft to lift the container to the nearby shore and
set it down, workers there to free it, and the helicopter to fly back to the
ship.  That translates to 416 hours, or 17 days, of continuous helicopter
use.  And of course five minutes is absurd, and the work probably can't
continue at night (or at least it can't continue as fast).  And you'd have
to refuel the choppers or have spares, etc., etc.

To be fair, you might be able to free the ship after offloading
only half the cargo, so maybe it'd only take 9 days.  Or more
realistically, a month.

Oh, and although an empty container weighs about 8000-9000 pounds, a loaded
one can be up to 67K pounds.  The world's biggest heavy-lift helicopter, the
M-26, can only handle 44K pounds.  So at least some of those containers
aren't going to be lifted by air.  It looks like there are land-based cranes
that can reach and lift at least some of the containers, but again it would
be a slow process since you'd have to account for things like boom swing.
It would probably take at least 15 minutes per container, and it's not clear
to me (a complete non-expert) whether you could have more than one crane
working at the same time.

BTW, researching all of the above took me about ten minutes.


'Agile' F-35 fighter software dev techniques failed to speed up supersonic jet deliveries (The Register)

Tom Van Vleck <>
Fri, 26 Mar 2021 08:18:02 -0700
They used "C2D2, or Continuous Capability Development and Delivery."
Don't get me started...

F-35 vs. bird

Gabe Goldberg <>
Fri, 26 Mar 2021 17:25:59 -0400
$100M airplane vulnerable to small birds. Brilliant.
Too bad they skimped on this one.

  [EGULLite' or EAGLEite'?  FraTERNite'?  LiBERTe'? (and what do we do with
  Bert's friend Rubber Duckie?  Canard en caoutchouc?  Unfortunately,
  airplanes susceptible to birds are another old story in RISKS—sucked
  into jet engines, shattering the pilot's window, and more, such as these:

* Bird strikes cause crash of Ethiopian Airlines 737, killing 31
  (ACM SIGSOFT Software Engineering Notes 14 2)
* Migratory birds jam FAA radar in Midwest (R 17 44)
* It's A Bird... It's A Plane... It's NonLethalDrone (R 28 93)

Radiation Upset confused computers and caused false alarm on International Space Station (The Register)

Tom Van Vleck <>
Fri, 26 Mar 2021 08:18:02 -0700
They fixed it by switching power supplies and rebooting.

Vote-by-mail fraud in Australia

Vanessa Teague <>
Tue, 30 Mar 2021 22:23:38 +0000
Some somewhat-interesting news from Melbourne: one of our local councillors
(in the adjacent council to my place) has recently been arrested for
vote-by-mail fraud.

The allegations relate to an apparent spate of double-voting during recent
local government elections, which are conducted exclusively by mail.  The
Victorian Electoral Commission became suspicious when a larger-than-usual
number of voters called up to say they hadn't received a ballot, despite the
VEC having already received a returned vote from them.  The allegation is
that someone fished blank ballots out of people's mail boxes, filled them
in, and fraudulently returned them.

However, the clarity of the case is complicated by strange behaviour from
the electoral commission.  The commission refuses to publish the votes, and
declined a FoI request from me:
so it's not possible for anyone outside the VEC to examine the voting
patterns they allege are suspicious.  (Indeed, it's not possible for anyone
else to even check that they counted properly.)

On the bright side, this makes me even gladder for the support of the
Victorian League of Women Voters in opposing a legislative proposal from a
few years ago which would have allowed the entire election to be conducted
over the Internet.  At least this way, we have a fair idea that fraud
occurred and some chance of successfully prosecuting an (alleged)

  [Included in RISKS from a non-public list, with permission.  PGN]

How Facebook got addicted to spreading misinformation (TechReview)

Monty Solomon <>
Thu, 25 Mar 2021 10:41:50 -0400
The company's AI algorithms gave it an insatiable habit for lies and hate
speech. Now the man who built them can't fix the problem.

No security on Website intended to prove that Swiss are vaccinated

Anthony Thorn <>
Wed, 24 Mar 2021 09:36:16 +0100
The Swiss Covid-Vaccination website ( was
taken offline after the Federal Data Protection registrar opened formal
proceedings against the operator of the platform after a report castigating
its security in the magazine Republik.

The website is operated by a foundation, but sponsored by the Federal
Department of health, and 9 Cantons.

The report in German:

The problems identified:

Comprehensive access rights:

* Every medical professional who is registered on the platform has
  comprehensive access to the vaccination and health data of all recorded
  private individuals. For example, they could easily manipulate anybody's
  covid-relevant vaccination data.

* Inadequate verification: When registering as a medical specialist for the
  first time, there is no actual identity verification. The verification is
  based solely on the information provided by the applicant. That means: It
  is easy to pretend to be a "doctor".

* Security gaps: Hackers can steal the Covid-19 vaccination cards of all
  previously vaccinated people on the platform relatively easily. With a
  little technical knowledge, they can also manipulate vaccination data and
  other health data.

Worrying about the security of health data may be paranoid, but it's
evidently justified.
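
The three findings above amount to one missing control: authorization is decided per role, and the role is self-declared at registration.  The following is an added example written for this digest, not the platform's own code, showing the weak check beside a hardened one that decides per record and requires a verified identity before a clinician role means anything.  The data model, role names, the `care_team` relationship, the `identity_verified` flag and the sample accounts are assumptions made for the illustration.

```python
"""Added example (not the Swiss platform's code): role-only access control
beside object-level authorization with verified identity.  Data model, role
names, `care_team`, `identity_verified` and the sample accounts are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    role: str                        # "patient" or "clinician"
    identity_verified: bool = False  # set only after an out-of-band check of the claimed credentials


@dataclass
class VaccinationRecord:
    patient_id: str
    doses: list[str] = field(default_factory=list)
    care_team: set[str] = field(default_factory=set)  # clinician user_ids who treat this patient


class Forbidden(Exception):
    pass


# ---- Weak: the role is the only gate, and the role was self-declared at signup ----

def read_record_weak(actor: Account, records: dict, patient_id: str) -> VaccinationRecord:
    if actor.role != "clinician":
        raise Forbidden("clinicians only")
    return records[patient_id]      # any clinician, any patient, verified or not


def export_all_weak(actor: Account, records: dict) -> list:
    if actor.role != "clinician":
        raise Forbidden("clinicians only")
    return list(records.values())   # the whole table in one call


# ---- Hardened: decide per record, and only for a verified identity ----

def authorize(actor: Account, record: VaccinationRecord, action: str) -> bool:
    """May this actor perform this action on this one record?"""
    if actor.role == "patient":
        return action == "read" and actor.user_id == record.patient_id
    if actor.role == "clinician":
        if not actor.identity_verified:
            return False            # a self-declared "doctor" gets nothing
        return actor.user_id in record.care_team
    return False


def read_record(actor: Account, records: dict, patient_id: str) -> VaccinationRecord:
    record = records[patient_id]
    if not authorize(actor, record, "read"):
        raise Forbidden(f"{actor.user_id} may not read {patient_id}")
    return record


def add_dose(actor: Account, records: dict, patient_id: str, dose: str, audit: list) -> None:
    """Writes are authorized per record and every attempt, allowed or not, is logged."""
    record = records[patient_id]
    if not authorize(actor, record, "write"):
        audit.append(("denied", actor.user_id, "add_dose", patient_id))
        raise Forbidden(f"{actor.user_id} may not modify {patient_id}")
    record.doses.append(dose)
    audit.append(("ok", actor.user_id, "add_dose", patient_id))


def list_visible(actor: Account, records: dict) -> list:
    """Enumeration is scoped to what the actor is authorized to read."""
    return [r for r in records.values() if authorize(actor, r, "read")]


def sample_state() -> tuple:
    """Constructed sample data for the example."""
    records = {
        "p1": VaccinationRecord("p1", ["dose1"], {"dr_a"}),
        "p2": VaccinationRecord("p2", ["dose1", "dose2"], {"dr_b"}),
    }
    accounts = {
        "p1": Account("p1", "patient"),
        "dr_a": Account("dr_a", "clinician", identity_verified=True),
        "impostor": Account("impostor", "clinician"),  # registered by filling in a form
    }
    return records, accounts


def demo() -> dict:
    """Outcome of the same impostor against both checks."""
    records, accounts = sample_state()
    audit: list = []
    out = {"weak_export_count": len(export_all_weak(accounts["impostor"], records)),
           "hard_visible_count": len(list_visible(accounts["impostor"], records))}
    try:
        add_dose(accounts["impostor"], records, "p1", "forged", audit)
        out["impostor_write"] = "allowed"
    except Forbidden:
        out["impostor_write"] = "denied"
    out["audit"] = audit
    return out


if __name__ == "__main__":
    print(demo())
```

The hardened version still needs the registration step itself to populate `identity_verified` from something stronger than the applicant's own form, such as a check against the cantonal professional register; without that, per-record authorization only limits how much one impostor can reach, it does not stop the impostor from registering.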

Volkswagen apparently changing their name in U.S.

Lauren Weinstein <>
Mon, 29 Mar 2021 11:03:47 -0700
Volkswagen is apparently (I'm not kidding) changing name of U.S. ops to
"Voltswagen" to emphasize electric cars. Dunno where all these people forced
to use electric cars are going to charge them, especially on a power grid
that collapses in many areas when you add a light bulb.

  [Is that known as re-volting?  PGN]

Remote Work Is Here to Stay. Manhattan May Never Be the Same (NYTimes)

Dave Farber <>
Mon, 29 Mar 2021 22:17:16 +0900
Jonah Markowitz, *The New York Times*, 29 Mar 2021
Remote Work Is Here to Stay. Manhattan May Never Be the Same.

New York City, long buoyed by the flow of commuters into its towering office
buildings, faces a cataclysmic challenge, even when the pandemic ends.

Where Are Those Shoes You Ordered? Check the Ocean Floor (RISKS-32.57)

David Lesher <>
Thu, 25 Mar 2021 23:23:35 -0400
There is another RISK of containers lost overboard.

A sailor friend noted that because the contents, especially electronics, are
well-packed in urethane foam. As a result, rather than rapidly sinking to
the sea floor, the escaping containers submerge only a few feet. A passing
sailboat hitting such an invisible obstacle gets its bottom ripped open and
goes down quickly.

Cautionary story about cryptocurrencies, apps, security...

Gabe Goldberg <>
Wed, 31 Mar 2021 00:47:17 -0400
He downloaded the Trezor app on iOS. It was a scam and stole $1 million in
bitcoin. *The Washington Post*

Be careful out there...

Energy-harvesting card treats 5G networks as wireless power grids

geoff goodfellow <>
Tue, 30 Mar 2021 13:40:22 -1000
A team from Georgia Tech has just announced a world-first: a 3D-printed
rectifying antenna the size of a playing card that can harvest
electromagnetic energy from 5G signals and use it to power devices, turning
5G networks into wireless power grids.

Wireless communications put a lot of energy into the air, and over the
years we've covered a number of efforts to harvest that energy. Short-range
Wi-Fi signals have been the target of several projects, TV broadcasts and
radio signals have been the focus of others. One device even hopes to
increase the life of a smartphone's battery by 30 percent just by
harvesting some of the radio waves the phone itself is generating.

But 5G communications offer a whole new opportunity. "5G has been designed
for blazing fast and low-latency communications," reads the Georgia Tech
team's latest study, published in the peer-reviewed journal *Scientific
Reports*. "To do so, mm-wave frequencies were adopted and allowed
unprecedently high radiated power densities by the FCC. Unknowingly, the
architects of 5G have, thereby, created a wireless power grid capable of
powering devices at ranges far exceeding the capabilities of any existing

Millimeter-wave energy harvesting has been possible for some time, says the
team, but hasn't been practical in many cases because long-range power
harvesting tends to require large rectifying antennas, and the larger these
rectennae get, the narrower their field of view becomes; you have to keep
the rectenna pointed right at the wave energy source to make them work...


Yet another 5G attack vector

Rob Slade <>
Tue, 30 Mar 2021 12:05:54 -0700
OK, 5G is definitely going to be a problem.

But usually the problem parts are kind of unintended consequences, the "gee,
we didn't think that allowing other people to run stuff on your phone could
be *misused*" type of thing.

But this time, it seems to be something that might have been originally
intended to be a form of security.  5G has provisions for a sort of
virtual LAN type of operation.  And, almost inevitably, somebody has
found out how to use it to attack.
You can crash system segments, and also extract user data.

Granted, you have to be in a situation where 5G is being used with older
technology, but how many people will be in a "pure" 5G environment?  And
a fix is being worked on, but that, of course, inevitably leads to
situations where you are going to have a mix of "old" 5G and "patched" 5G,
so ...

Re: No good evidence that 5G harms humans, new studies find (RISKS-32.57)

Douglas Lucas <>
Mon, 29 Mar 2021 04:00:09 +0000
RISKS-32.57 includes a post from geoff goodfellow that links several
Gizmodo articles about 5G and two studies published this month in the
Journal of Exposure Science and Environmental Epidemiology suggesting little
to no adverse health effects from such radiation.

For a lengthy list of 1000+ peer-reviewed studies to the contrary,
consult Powerwatch at:

For a 3-minute video warning of EMF dangers by Columbia University scientist
Dr Martin Blank, see here:

Despite this contrary evidence, those against EMF dangers are lumped in with
various disreputable groups and then dismissed, without the contrary
evidence actually being addressed.

Re: Cybersecurity in retrospect: not good! (RISKS-32:57)

Dick Mills <>
Wed, 24 Mar 2021 11:16:56 -0400
New laws, new government powers are not needed.  But we just need to apply
strict procurement practices to the software supply chain.  If the Solar
Winds company had to meet the same qualifications and quality audits as
a vendor of F35 fighter planes, this probably never would have happened.

Remember that the goal of terrorism is to make the victims change their
society.  If every cyber attack or otherwise scary news story pushes us into
giving the government more powers and more laws, we are being driven to
self-destruction.  (As I write, the news of a mass shooting is causing the
President to call for new powers, new laws.)

See Bruce Schneier's essay on the economics of companies like Solar Winds.
The surprise is that selling low quality software is perfectly rational
economic behavior.

Re: How far should humans go to help species adapt? (RISKS-32.57)

Bob Wilson <>
Wed, 24 Mar 2021 11:30:20 -0500
This is a very valid question, and I am glad to see it being discussed.  But
as written it repeats what I think is a very common mistake.

Everywhere we look people are objecting to "gene editing". They mean gene
editing using recently created tools, but they do not demonstrate
understanding of that. Humans have been editing genes for millennia!  Only
the methods have changed. Selecting animal or plant offspring with desired
characteristics, and arranging for them to breed true, is certainly gene
editing. If there had not been genetic change, the results would not have
been passed along to subsequent generations. This was gene editing long
before people had any idea what a gene or chromosome was.

The people who say they won't eat foods raised using edited genes would be
very hard pressed to find any foods that are not!

Re: Too much choice is hurting America (Baker, RISKS-32.55)

Sam Steingold <>
Wed, 24 Mar 2021 17:14:58 -0400
I am afraid you misunderstood Krugman.

He is uncomfortable with too much choice for *others*, not for *himself*.
In his ideal world the Government (run by people like him) will be making
most choices for the hoi polloi/deplorables (i.e., people not like him)
because the latter are making the choices he does not like.

Risk: thinking that people like you will make choices that you like.  E.g.:
Stalin and his top-ranking victims (Trotsky, Zinoviev et al) were very
similar, but Stalin's choices of who to execute were not very beneficial to
his victims.

Re: Risk transfer and Doordash (Slade, RISKS-32.57)

John Levine <>
25 Mar 2021 15:21:08 -0400
> In terms of risk management, there are our four basic strategies: risk
> avoidance, risk acceptance, risk mitigation, and risk transfer.

Nicely put.

> [Food delivery] is a big part of the "gig economy," and the gig economy is
> a massive "race to the bottom" in terms of wages and working standards.

The entire point of the gig economy is risk transfer away from the
businesses that have historically managed the risk and priced it into the
product, to the not-employees and the customers who are rarely aware of the
new risks they've accepted until they learn the hard way.

Look at taxis vs. gig drivers. A lot of taxi regulation is about risk
mitigation. Drivers need commercial licenses, taxis need special plates with
extra inspections, taxi companies are part of the workers comp pool, and so
forth. There are also regulations that are about protecting the income of
incumbent drivers, fixed fares and medallions that limit entry, but when
Uber and Lyft ignored all the rules, there was quite a lot of baby in that
bathwater. Passengers take on more risk that the driver is unqualified, the
car is unsafe, and that if there is an accident, there's no
insurance. (Lyft's innovation was insurance fraud, drivers taking paying
passengers in private cars that their insurance didn't cover.) Drivers took
on the risk that if they got injured in an accident, there's no workers'
comp to pay the bills while they recover.

The risk parts and the income parts are quite separable; New York city made
the gig companies comply with existing car service laws requiring inspection
and insurance. There's even an argument to be made for some limits on the
number of gig drivers. When Uber and Lyft came to NYC, it added 100,000 new
vehicles driving around midtown waiting for fares and clogging traffic, five
times the number of taxis, which made traffic much slower for everyone and
smog worse.

It was always possible to set up pirate taxis, and in some areas fairly
common, e.g., gypsy cabs working in the outer boroughs of NYC where taxis
are hard to find. Mobile phones and apps made it a lot easier for pirate
dispatchers to connect with pirate taxis, and the disruption technobabble
blinded people to the fact that the main innovation was risk shifting onto
the unwary.

TikTok Does Not Pose Overt Threat to U.S. National Security, Researchers Say (Eva Xiao)

ACM TechNews <>
Mon, 29 Mar 2021 12:14:35 -0400 (EDT)
Eva Xiao, *The Wall Street Journal*, 22 Mar 2021
via ACM TechNews, Monday, March 29, 2021

Cybersecurity researchers at the University of Toronto's Citizen Lab in
Canada said TikTok's underlying computer code does not pose a national
security threat to the U.S. The researchers said a technical analysis of the
app, owned by China's ByteDance Ltd., found no evidence of "overtly
malicious behavior." Although they determined that TikTok's data collection
practices are no more intrusive than Facebook's, the researchers
acknowledged there could be security issues they did not uncover. Further,
ByteDance could be forced to turn data over to the Chinese government under
the country's national security laws. ByteDance said it was committed to
working with authorities to resolve their concerns.

Please report problems with the web pages to the maintainer