The RISKS Digest
Volume 32 Issue 59

Sunday, 4th April 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Safe and affordable electricity supply in danger
German finance watchdog
Weather Service Internet systems are crumbling as key platforms are taxed and failing
WashPost
533 million Facebook users' phone numbers and personal data have been leaked online
Business Insider
An Accidental Disclosure Exposes a $1 Billion Tax Fight With Bristol Myers
NYTimes
No vehicle inspections in Mass. for second straight day due to malware attack on vendor
The Boston Globe
Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities
Ars Technica
7% of Americans don't use the Internet. Who are they?
Pew Research
5G is not just a radio
Bob Frankston
Scientists Collected Human DNA From the Air In a Breakthrough
Science News for Students
NFTs built on sand?
The Atlantic via Bob Frankston
Google and “pink noise”
Lauren Weinstein
It’s Easy - and Legal - to Bet on Sports. Do Young Adults Know the Risks?
NYTimes
Another water system hacked
KSNT
Re: Energy-harvesting card treats 5G networks as wireless power grids
Martin Cooper
Re: Antiscience Movement Is … Killing Thousands
Henry Baker
Re: Scientists can implant false memories-and reverse them
Stephen E. Bacher
Re: Volkswagen apparently changing their name in U.S.
John Levine
Re: New York launches nation's first ‘vaccine passports’
John Levine
Re: Vintage technology: ‘It sounds so much cleaner’
Terje Mathisen
Re: Too much choice is hurting America
John Levine, Andrew Pam
Info on RISKS (comp.risks)

Safe and affordable electricity supply in danger (German finance watchdog)

Thomas Koenig <tkoenig@netcologne.de>
Thu, 1 Apr 2021 21:32:18 +0200

The Bundesrechnungshof, Germany's federal financial watchdog, has stated that the “safe and affordable supply of electricity is in increasing danger” due to Germany's “Energiewende” (energy transition).

https://www.bundesrechnungshof.de/de/presse-service/pressemitteilungen/sammlung/bund-steuert-energiewende-weiterhin-unzureichend (there is not yet an English version as I write this).

To quote its president: “Affordability is still not measurably determined; security of supply is incompletely assessed. Whether citizens and the economy will be reliably supplied with electricity in the future is subject to risks that the German government is not fully aware of. I am concerned about the high electricity prices for private households and small and medium-sized enterprises. This puts the acceptance of the generation project at risk.”

The risk? To push through policies without looking at risks and potential consequences.


Weather Service Internet systems are crumbling as key platforms are taxed and failing (WashPost)

Lauren Weinstein <lauren@vortex.com>
Sat, 3 Apr 2021 08:39:41 -0700

[Most of their online systems crashed Tuesday.]

https://www.washingtonpost.com/weather/2021/03/30/nws-internet-infrastructure-outages/


533 million Facebook users' phone numbers and personal data have been leaked online (Business Insider)

Lauren Weinstein <lauren@vortex.com>
Sat, 3 Apr 2021 09:31:04 -0700

https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4


An Accidental Disclosure Exposes a $1 Billion Tax Fight With Bristol Myers (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Fri, 2 Apr 2021 15:35:45 -0400

The IRS believes the American drugmaker used an abusive offshore scheme to avoid federal taxes.

The Botched Redaction

It is not clear when IRS agents first learned about the arrangement. But by last spring, the IRS chief counsel's office had determined that it violated a provision of the tax law that targets abusive profit-shifting arrangements.

In a 20-page legal analysis, the IRS calculated that the offshore setup was likely to save Bristol Myers up to $1.38 billion in federal taxes.

After a complex audit, the IRS often circulates its analyses to agents nationwide in case they encounter similar situations. A redacted version of the report is also made public on the IRS website, cleansed of basic information like the name of the company.

But when the IRS posted its Bristol Myers report last April, it was not properly redacted. With tools available on most laptops, the redacted portions could be made visible.

https://www.nytimes.com/2021/04/01/business/bristol-myers-taxes-irs.html

Tricky technology. Long ago I saw content on foils (projected via overhead projector, remember those?) redacted with black magic marker. Oops—heat of projector boiled off marker, so forbidden content slowly appeared for audience. First/only multimedia presentation using foils.


No vehicle inspections in Mass. for second straight day due to malware attack on vendor (The Boston Globe)

Monty Solomon <monty@roscom.com>
Thu, 1 Apr 2021 21:52:34 -0400

https://www.boston.com/news/local-news/2021/04/01/no-vehicle-inspections-in-mass-for-second-straight-day-due-to-malware-attack-on-vendor


Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities (Ars Technica)

Monty Solomon <monty@roscom.com>
Sat, 3 Apr 2021 12:30:57 -0400

Exploits allow hackers to log into VPNs and then access other network resources.

https://arstechnica.com/gadgets/2021/04/feds-say-hackers-are-likely-exploiting-critical-fortinet-vpn-vulnerabilities/


7% of Americans don't use the Internet. Who are they?

geoff goodfellow <geoff@iconia.com>
Sun, 4 Apr 2021 09:47:13 -1000

For many Americans, going online is an important way to connect with friends and family, shop, get news and search for information. Yet today, 7% of U.S. adults say they do not use the Internet, according to a Pew Research Center survey conducted 25 Jan—8 Feb 2021.

Internet non-adoption is linked to a number of demographic variables, but is strongly connected to age—with older Americans continuing to be one of the least likely groups to use the Internet. Today, 25% of adults ages 65 and older report never going online, compared with much smaller shares of adults under the age of 65.

Educational attainment and household income are also indicators of a person's likelihood to be offline. Some 14% of adults with a high-school education or less do not use the Internet, but that share falls as the level of educational attainment increases. Adults living in households earning less than $30,000 a year are far more likely than those whose annual household income is $75,000 or more to report not using the Internet (14% vs. 1%). […]

https://www.pewresearch.org/fact-tank/2021/04/02/7-of-americans-dont-use-the-internet-who-are-they/


5G is not just a radio

“Bob Frankston” <bob2021a@bob.ma>
1 Apr 2021 19:32:41 -0400

5G continues to generate headlines. All the talk about 5G radios is interesting, but those radios are only part of the 5G story. As I dig deeper, the story becomes stranger and stranger, with the radios distracting us from the issues of 5G networking protocols and policies. I'm concerned about the risks of accepting the idea that we need a 1970s style telecommunications network. It's the triumph of marketecture over architecture. Why isn't that story being covered?

There is a risk in treating the Internet as just another telecommunications service (relegated to the slow lane). It's just the opposite—or should be. A phone call is just an app and not a network service. What happened to all we've learned about best-efforts packet connectivity? Why is our policy at odds with reality? The consequence is to limit our ability to communicate and innovate.

Another risk is expertise creep. I respect the expertise of radio engineers. But that doesn't mean that they are experts in the software and business protocols for connected devices and applications. Remember that telecom engineers told us we needed a special network for voice until VoIP happened. Today we're again being told that we need a special network for applications such as video and connected devices even though we're doing just fine without one. More to the point, we're doing just fine because we can innovate outside of the network, and that's a problem for the legacy business model. Requiring a SIM chip creates unnecessary dependencies and opportunities for failure.

I could go on, but there is so much weirdness that I wrote a whole column asking why the IEEE has fixated on 5G as the one future. For the deep dive into 5G https://rmf.vc/IEEE5GPast.


Scientists Collected Human DNA From the Air In a Breakthrough (Science News for Students)

geoff goodfellow <geoff@iconia.com>
Thu, 1 Apr 2021 11:13:04 -1000

The first reported collection of human and animal DNA from ambient air is a boon for researchers in forensic archeology, ecology, and population studies

In a first, scientists have revealed that animal and human DNA can be plucked straight out of thin air. The development heralds a promising new scientific technique with possible applications for ecology, forensics, and medicine, according to a new study.

Because animals shed cells into their environments, researchers can use water or soil samples to hunt for environmental DNA (eDNA), which provides a novel source of information about the lifeforms that inhabit any given area even if they are not present for DNA collection. The collection of eDNA has been pioneered in aquatic and underground environments, offering a data-rich and non-invasive way to examine species and their habitats.

Now, a team led by Elizabeth Clare, senior lecturer at Queen Mary University of London (QMUL), has provided the “first proof of concept demonstration that air samples are a viable source of DNA for the identification of species in the environment,” according to a study published on Wednesday <https://dx.doi.org/10.7717/peerj.11030> in the journal PeerJ.

Plant and fungal eDNA has been snatched from the air before, but Clare was surprised to find that there were no analogous studies for animals in the scientific literature. She noted, though, that a pair of high school students from Japan presented a bird-focused eDNA concept at a science fair. […] <https://www.sciencenewsforstudents.org/blog/eureka-lab/isef-2019-two-teens-pull-dna-birds-out-air>

https://www.vice.com/en/article/88awgb/scientists-collected-human-dna-from-the-air-in-a-breakthrough


NFTs built on sand? (The Atlantic)

Bob Frankston <bob2021a@bob.ma>
4 Apr 2021 14:50:20 -0400

https://medium.com/the-atlantic/nfts-werent-supposed-to-end-like-this-14f14aff42e1

“… the NFT prototype we created in a one-night hackathon had some shortcomings. You couldn't store the actual digital artwork in a blockchain; because of technical limits, records in most blockchains are too small to hold an entire image. Many people suggested that rather than trying to shoehorn the whole artwork into the blockchain, one could just include the web address of an image, or perhaps a mathematical compression of the work, and use it to reference the artwork elsewhere.”

“We took that shortcut because we were running out of time. Seven years later, all of today's popular NFT platforms still use the same shortcut. This means that when someone buys an NFT,…”

Given that the DNS entries expire every year, there is a real problem. We must remove the semantics from the DNS though this approach is still dependent upon ephemeral websites.


Google and “pink noise”

Lauren Weinstein <lauren@vortex.com>
Sat, 3 Apr 2021 22:02:49 -0700

While running an experiment here today, I told Google Assistant/Google Home to “Play pink noise”—and without a word it seemed to comply. I also told it to “play white noise”—and it also complied without a word.

But—hmmm—I couldn't seem to hear a difference between the two. Well, hell, my hearing can't be what it used to be, let's pull out the spectrum analyzer. And … uh … the spectrums for both look identical. And it's the spectrum for white noise. And in fact, someone with a Hub (which I don't have) checking my results says, yes, Google is playing white noise when you ask it for either white noise or pink noise.

Does this matter? Well, yeah, it does. You can find articles around the Net saying that “play pink noise” actually does play pink noise through these Google devices, and there are generally believed to be physiological differences in our reactions to pink noise vis-a-vis white noise. In general, pink noise is viewed as being easier on the ears and more useful for sound masking and relaxation purposes than white noise.

There are some alternate ways to get genuine pink noise from these devices, but they require calling up third party apps, videos, or sound files.

And really, this shouldn't be necessary. If you tell Google to play pink noise, it should either play pink noise or admit that it can't … OK Google? Thanks.


It’s Easy - and Legal - to Bet on Sports. Do Young Adults Know the Risks? (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Thu, 1 Apr 2021 17:31:40 -0400

https://www.nytimes.com/2021/04/01/sports/sports-betting-addiction.html

Risks? Yeah, who knew. What could go wrong?


Another Water system hacked (KSNT)

Peter G Neumann <neumann@csl.sri.com>
Thu, 1 Apr 2021 13:36:08 PDT

Yet another one. No surprise to RISKSers.

https://www.ksnt.com/news/kansas/kansas-man-faces-charges-for-shutting-down-water-supply-cleaning-systems/


Re: Energy-harvesting card treats 5G networks as wireless power grids (RISKS-32.58)

Martin Cooper <mcooper@dynallc.com>
Wed, Mar 31, 2021 at 6:50 PM

[via geoff goodfellow]

The second paragraph is a description of a perpetual-motion process. If you harvest 30% of the output power, that harvested power is not transmitted. Now imagine that you use that 30% to replace input electrical power. You are now producing the original power output with only about 85% of the original power (assuming a reasonable 50% efficiency of the transmitter). Now do that again, and again and again, and pretty soon the transmitted power remains the same, but the input power is equal to the output power. 100% efficiency. Wow! Now, do it again and you are actually (or should I say, virtually), creating new power. Very exciting! Forget about wind and solar power. Let's do an IPO!

Of course, this logic is flawed, but so is the idea that millimeter wave frequencies can radiate at higher densities and farther than lower frequencies.

> Date: Wed, Mar 31, 2021 at 7:36 AM
> From: Andy Poggio <poggio@csl.sri.com>
>
> They are talking about single digit microwatts—truly tiny amounts of power. This won't be charging up your electric car with this. There are some types of very low power sensors that can use this and avoid batteries —but this is a very limited use. Andy Poggio

Re: Antiscience Movement Is … Killing Thousands (RISKS-32.58)

Henry Baker <hbaker1@pipeline.com>
Thu, 01 Apr 2021 14:38:11 -0700

“Antiscience has emerged as a … force … that threatens global security”

IMHO, ‘antiscience’, per se, isn't the issue, but ‘anti-elite’ is. Anti-elite is the equal and opposite reaction to the condescension dripping from the collegiate classes.

Ever since ~1960, when JFK started preferring ‘the best and brightest’ to run everything, the underlying assumption has been that higher IQ's and higher degrees would lead to the greatest good for the greatest number. Indeed, the Chinese Communist Party (CCP) has taken this theory to the reductio ad absurdum, with its technocratic wet dream that “All animals are equal, but some animals [with higher IQ's and better breeding] are more equal than others”.

This theory was never itself based upon ‘science’, nor was it ever subjected to a double-blind test. Indeed, the only real research tests of this theory came in the form of the ‘Milgram Experiments’ which proved that elite university students were capable of the most Nazi-like behavior given the slightest provocation.

Embarrassingly, very public counterexamples to this thesis started showing up almost immediately, with the disastrous Vietnam War being only the largest and most obvious, and certainly the most expensive.

Nevertheless, most in the U.S. were willing to continue tolerating this new “trickle down from the PhD's” theory (National Lampoon cover, December, 1975), so long as a few drops made it all the way down to the proles.

However, the elites forgot their noblesse oblige, and in their noble search for economic efficiency, they decided to offshore as many prole jobs as possible, as quickly as possible.

More education was advised for the proles, and ‘retraining’ for out-of-work coal miners to become web designers became fashionable. Student loan debts became nondischargeable in bankruptcy, and student loan interest rates soared from less than the Fed rate to far more than the Fed rate. Oops, no jobs after graduation. Gotcha!

The best and brightest physicians decided that prole pain was being ‘undertreated’, so a generation of medicine created more legal drug addiction than any Colombian druglord could ever dream of. Houston, we have an opioid crisis.

Not content with allowing the proles to own their own modest lead-poisoned homes, the elites invented ‘derivatives’ in which prole pensions were invested, so that when the derivatives exploded, both the prole homes and their pensions were gone, while the elite billionaire funds bought these homes out of bankruptcy, re-renting them to those same proles at higher rents than they had previously paid in mortgages.

The proles and rubes have recently been found guilty of using the wrong forks; they have violated the ‘norms’ of civilized (aka collegiate) society by questioning everything their betters have been advocating for the past 60 years; they have forgotten ‘their place’. Tut-tut.

Peter Hotez is right; this story will probably not end well. But IMHO it is highly unlikely that readers of Scientific American will be able to solve this problem, becuz…


Re: Scientists can implant false memories-and reverse them (RISKS-32.58)

“Stephen E. Bacher” <sebmb1@verizon.net>
Fri, 2 Apr 2021 09:27:12 -0700

> https://www.inverse.com/mind-body/how-to-reverse-false-memories-study

But the article neglects to address the question of whether true memories could be reversed using the same approach.


Re: Volkswagen apparently changing their name in U.S. (RISKS-32.58)

“John Levine” <johnl@iecc.com>
1 Apr 2021 18:08:54 -0400

They later admitted it was a lame April Fool's joke. Uh, haha.


Re: New York launches nation's first ‘vaccine passports’

“John Levine” <johnl@iecc.com>
1 Apr 2021 20:44:01 -0400

> Others are working on similar ideas, but many details must be worked out.

I have one.

You log into the state's web site and give them your name, DOB, and zip code to show who you are, and the date and county where you got the shot and what kind it was. It gives you a barcode which appears to include a cryptographic signature that you can load into the app.

They also have a pass scanner app which looks at the barcode and says whether it's valid and unexpired.

You don't even need a phone. If you have access to any computer with a web browser you can log into the site and print out a wallet card with the bar code.
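As an added illustration of the scanner-side check John describes (example code written for this digest, not the state's system or app): the pass fields are signed by the issuer, and a scanner accepts the barcode payload only if the signature verifies and the pass is unexpired, so an altered field, a pass from an unknown issuer, or a stale pass is refused. The field names, the Ed25519 signing scheme, and the base64(json || signature) layout are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Pass carries the fields John Levine lists. The layout is a hypothetical
// stand-in for illustration, not the real Excelsior Pass format.
type Pass struct {
	Name, DOB, Zip          string
	ShotOn, County, Vaccine string
	Expires                 int64 // Unix time; the scanner rejects after this
}

// IssuePass signs the pass JSON with the issuer's Ed25519 key and returns
// base64(json || signature), the string that would be encoded in the barcode.
func IssuePass(priv ed25519.PrivateKey, p Pass) (string, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	signed := append(body, ed25519.Sign(priv, body)...)
	return base64.StdEncoding.EncodeToString(signed), nil
}

// VerifyPass is the scanner side: a pass is accepted only if the signature
// checks under the issuer's public key and the expiry is still ahead of now.
func VerifyPass(pub ed25519.PublicKey, code string, now time.Time) (*Pass, error) {
	raw, err := base64.StdEncoding.DecodeString(code)
	if err != nil {
		return nil, err
	}
	n := len(raw) - ed25519.SignatureSize
	if n <= 0 {
		return nil, errors.New("barcode payload too short to hold a signature")
	}
	body, sig := raw[:n], raw[n:]
	// Verify before parsing: no field inside the pass is trusted until then.
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature invalid: altered or not from the issuer")
	}
	var p Pass
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(p.Expires, 0)) {
		return nil, errors.New("pass expired")
	}
	return &p, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed issuer key
	p := Pass{Name: "A. Example", DOB: "1980-01-01", Zip: "10001", ShotOn: "2021-03-15",
		County: "New York", Vaccine: "two-dose", Expires: time.Now().Add(720 * time.Hour).Unix()}
	code, _ := IssuePass(priv, p)
	_, err := VerifyPass(pub, code, time.Now())
	fmt.Println("scanner accepts pass:", err == nil)
}
```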


Re: Vintage technology: ‘It sounds so much cleaner’ (Ward, RISKS-32.54)

Terje Mathisen <terje.mathisen@tmsw.no>
Fri, 2 Apr 2021 14:59:43 +0200

Re: Porting Kermit

Back around 1983 I started to write my own PC Kermit (in Turbo Pascal of course). After I had implemented the full “SuperKermit” set of extensions, with sliding windows, selective packet retransmission, larger packet sizes (with improved integrity checking), I made a version for the company IBM mainframe:

IBM already had a baseline Kermit, written in Pascal, so it was relatively easy to add those SuperKermit extensions, the result was file transfers that worked across 3270 protocol emulators with the same effective speed as we got from an IBM 3270 PC (or PC/AT), but at a small fraction of the cost.

At the time I wondered if the abysmally slow performance of IBM's Kermit was due to their perceived need to not compete with “proper IBM end points running SNA”.


Re: Too much choice is hurting America (Steingold, RISKS-32.58)

“John Levine” <johnl@iecc.com>
1 Apr 2021 18:23:47 -0400

It must be fun to attribute stupid condescending motives to people you don't know and, in this case, whose writing you apparently have never read.

What Paul said in that column was that too much choice can be a problem for everyone since it generally means that what claims to be “choice” is in fact shifting risk onto the unwary. (See my note in a recent Risks.) He doesn't want a thousand Medigap plans with secret loopholes or power suppliers whose prices can suddenly jump from 4c to $9.00/kwh for himself any more than he wants them for anyone else.


Re: Too much choice is hurting America (Recent RISKS)

Andrew Pam <andrew@sericyb.com.au>
Fri, 2 Apr 2021 18:10:11 +1100

I for one am finding the ongoing reporting of people's personal dislike and willful misunderstanding of Paul Krugman below the usual standards of the RISKS journal.
