The RISKS Digest
Volume 32 Issue 66

Wednesday, 12th May 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

The Pentagon Inches Toward Letting AI Control Weapons
WiReD
DarkSide hacking group responsible for the Colonial Pipeline shutdown
CNBC and Bloomberg via geoff goodfellow
U.S. Declares Emergency in 17 States Over Fuel Pipeline Cyberattack
The Hacker News
What the U.S. Colonial pipeline cyberattack means for Europe
Politico Europe
ISPs Funded 8.5 Million Fake Comments Opposing Net Neutrality
WiReD
Tesla backseat driver was arrested then released; now he says he is back at it
Electrek
Nearly All Wi-Fi Devices Are Vulnerable to New FragAttacks
The Hacker News
U.S. Intelligence Agencies Warn About 5G Network Weaknesses
The Hacker News
Pro tip for the “but how do we protect ourselves?” folks
Brian Krebs
Twitter's Tip Jar Privacy Fiasco Was Entirely Avoidable
WiReD
I have been pwned!—but not really
Rob Slade
Marvin Minsky hacked?
Tom Van Vleck
That reminds me of Bob Fenichel's Turing Hack
Tom Van Vleck
96% of U.S. Users Opt Out of App Tracking in iOS 14.5, Analytics Find
Samuel Axon
FaceApp misrepresentation
WashPost
A risk of computerizing what worked fine without the computer
NotAlwaysRight
Apple's new Airtags can be easily abused by stalkers
WashPost
Michigan GOP lawmaker floats bill to register, fine ‘fact checkers’
Lauren Weinstein
Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob Popsicles
Amos Shapir
Info on RISKS (comp.risks)

The Pentagon Inches Toward Letting AI Control Weapons (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 11 May 2021 00:51:30 -0400

But as the drone demonstrations highlight, more widespread use of AI will sometimes make it more difficult to keep a human in the loop. This might prove problematic, because AI technology can harbor biases or behave unpredictably <https://www.wired.com/story/foundations-ai-riddled-errors/>. A vision algorithm trained to recognize a particular uniform might mistakenly target someone wearing similar clothing. Chung says the swarm project presumes that AI algorithms will improve to a point where they can identify enemies with enough reliability to be trusted.

https://www.wired.com/story/pentagon-inches-toward-letting-ai-control-weapons/

Presumes… what could go wrong?


DarkSide hacking group responsible for the Colonial Pipeline shutdown

geoff goodfellow <geoff@iconia.com>
Mon, 10 May 2021 09:22:38 -1000

The DarkSide hacker gang that is responsible for the devastating Colonial Pipeline attack this weekend is a relatively new group, but cybersecurity analysts already know enough about them to determine just how dangerous they are. <https://www.cnbc.com/2021/05/09/gasoline-futures-jump-as-much-of-vital-pipeline-remains-shutdown-following-cyberattack.html>

According to Boston-based Cybereason, DarkSide is an organized group of hackers set up along the ransomware as a service business model, meaning the DarkSide hackers develop and market ransomware hacking tools, and sell them to other criminals who then carry out attacks. Think of it as the evil twin of a Silicon Valley software start-up.

Bloomberg first reported <https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown> that DarkSide may be involved in the attack on Colonial Pipeline. The FBI confirmed Monday that DarkSide was behind the attack.

On Monday, Cybereason provided CNBC with a new statement from DarkSide's website that appears to address the Colonial Pipeline shutdown.

Under a heading, About the latest news, DarkSide claimed it's not political and only wants to make money without causing problems for society.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the statement said. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Cybereason reports that DarkSide has a perverse desire to appear ethical, even posting its own code of conduct for its customers telling them who and what targets are acceptable to attack. Protected organizations not to be harmed include hospitals, hospices, schools, universities, nonprofit organizations, and government agencies. Also apparently protected are entities based in former Soviet countries. Fair game, then, are all for-profit companies in English speaking countries. […]

https://www.cnbc.com/2021/05/10/hacking-group-darkside-reportedly-responsiblee-for-colonial-pipeline-shutdown.html

[See also David Sanger and Nicole Perlroth, FBI Identifies Group Behind Pipeline Hack, The New York Times, 11 May 2021.]

U.S. Declares Emergency in 17 States Over Fuel Pipeline Cyber-Attack (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Tue, 11 May 2021 12:36:14 -1000

The ransomware attack <https://thehackernews.com/2021/05/ransomware-cyber-attack-forced-largest.html> against Colonial Pipeline's networks has prompted the U.S. Federal Motor Carrier Safety Administration (FMCSA) to issue a regional emergency declaration <https://www.fmcsa.dot.gov/sites/fmcsa.dot.gov/files/2021-05/ESC-SSC-WSC - Regional Emergency Declaration 2021-002 - 05-09-2021.pdf> in 17 states and the District of Columbia (D.C.).

The declaration provides a temporary exemption to Parts 390 through 399 of the Federal Motor Carrier Safety Regulations (FMCSRs <https://www.fmcsa.dot.gov/regulations>), allowing alternate transportation of gasoline, diesel, and refined petroleum products to address supply shortages stemming from the attack.

“Such [an] emergency is in response to the unanticipated shutdown of the Colonial pipeline system due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout the Affected States,” the directive said. “This Declaration addresses the emergency conditions creating a need for immediate transportation of gasoline, diesel, jet fuel, and other refined petroleum products and provides necessary relief.”

The states and jurisdictions affected by the pipeline shut down and included in the Emergency Declaration are Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia.

The exemptions, which aim to alleviate any supply disruptions that may arise as a result of Colonial halting its pipeline operations, are expected to be in effect until the end of the emergency or June 8, 2021, 11:59 p.m., whichever is earlier.

FBI Confirms DarkSide Ransomware. […]

https://thehackernews.com/2021/05/us-declares-emergency-in-17-states-over.html


What the U.S. Colonial pipeline cyberattack means for Europe (Politico Europe)

Peter G Neumann <neumann@csl.sri.com>
Tue, 11 May 2021 11:16:19 PDT

America Hernandez and Laurens Cerulus, Politico Europe, 11 May 2021

The shutdown of a major fuel pipeline in the U.S. is a cybersecurity wakeup call for EU energy operators.

Preliminary investigations indicate that a group of Russian criminal hackers known as Darkside were likely behind the ransomware attack that shut down the nearly 9,000-kilometer Colonial Pipeline—which transports almost half the jet fuel, diesel, gasoline and heating fuel used on the East Coast of the United States.

Similar incidents have happened in Europe.

Russia-based cyberattacks on critical energy infrastructure have put the EU on high alert since 2014, when the annexation of Crimea and war in the Donbas led to Ukraine being hit with a series of attacks crippling everything from power grids to election systems.

Those infiltrations culminated in the 2017 NotPetya attack, which paralyzed multinationals like the Danish shipping giant Maersk, logistics giant FedEx, pharma company Merck and other major corporations, and cost an estimated $10 billion to clean up.

Since then, the EU has moved to strengthen its energy system resilience — but the work is far from over.

“The attack on Colonial just screams out for new regulation on critical infrastructure companies,” said Bart Groothuis, a Dutch member of the European Parliament who leads negotiations on draft EU rules for cybersecurity of networks and IT systems.

According to the European Union's Cybersecurity Agency (ENISA), the sector reported roughly 100 significant cybersecurity incidents in 2020—half of which were ransomware attacks.

Assessing the vulnerabilities

Energy system operators in Europe have so far faced only limited requirements under the bloc's first-ever 2016 cybersecurity legislation, the Networks and Information Security (NIS) Directive<https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2013/0027(COD)&l=en> — as well as some sectoral legislation. <https://ec.europa.eu/info/news/tackling-cybersecurity-challenges-energy-commission-adopts-recommendation-cybersecurity-energy-sector-2019-apr-03_en>

Those include applying minimum cybersecurity standards and promptly reporting incidents as they happen.

According to the EU Agency for the Cooperation of Energy Regulators (ACER), the most exposed elements of the bloc's pipeline systems are so-called SCADAs—supervisory control and data acquisition systems that govern hardware such as pressure-reducing stations, valves and compressor stations.

“These are typically not linked to any other network, precisely to reduce the exposure to cyberattacks,” said ACER spokesperson Una Shortall.

The Colonial attack, however, didn't directly hit the infrastructure. Instead, it targeted the business-side computer systems of the private operator, which shut down the pipeline as a precaution.

“In a case like this, the company itself is the first line of defense and the first line of response to crisis,” Shortall added.

Planning for the worst

The bloc has several measures in place to ensure it can weather emergency shutdowns.

To avoid the kind of fuel shortages and gasoline price increases currently being experienced in parts of the U.S., all EU countries are required under the Oil Stocks Directive to keep at least 90 days' worth of crude oil or petroleum product imports on hand, or 61 days' worth of consumption — whichever is greater.

But it's not always respected. In December, the European Commission chastised Bulgaria, Romania and the Czech Republic for repeatedly failing to keep the minimum supplies on hand, in some cases going as far back as 2013.

The good news is that upwards of 80 percent of the bloc's crude imports arrive on oil tankers and trucks, according to the International Association of Oil and Gas Producers (IOGP). Refined products like gasoline and diesel are also transported through the EU by truck and rail, rather than through fixed pipelines—vastly upping flexibility.

“The EU crude oil pipeline network is a lot less dense—pipe imports of crude are a very small share,” said Nareg Terzian, EU spokesperson for IOGP. “It actually makes sense if you think about it: Historically, the oil market has been more liquid and open than the gas one, also because oil is simply much easier to store and transport than gas.”

Natural gas is a bigger worry for the EU.

Following the 2006 and 2009 gas crises, Europe's network of gas transmission system operators has conducted regular simulations of supply interruptions on all EU import pipelines—and prepared rerouting plans using the Continent's system of cross-border interconnectors, underground storage reserves and liquefied natural gas (LNG) terminals.

The most recent analysis<https://entsog.eu/sites/default/files/2020-10/INV0332-20 Addendum to the SoS 2017 - for publication.pdf>, published in October, simulated winter gas cutoffs of up to two months on three major Russian supply routes: via Finland and down to the Baltic States; via Ukraine; and along the Trans-Balkan pipeline flowing to Romania, Bulgaria and Greece.

In the Finnish case, the response would be ramping up LNG imports in Lithuania to maximum capacity and tapping Latvia's storage reserves to supply the region. The Baltic connector pipeline—which launched in December 2019 and links Estonia to Finland—would send flows north.

Should the Trans-Balkan pipeline shut down, flows destined for Bulgaria could be sent through the second line of TurkStream, at the Turkish-Bulgarian border.

But if the Ukrainian route to the EU is hit with a long-term outage in the dead of winter, Romania could be left stranded—even if Russian gas flows are maintained through Belarus and through Germany's Nord Stream pipeline.

“Romania has no other possibilities to import gas” after its storage stocks are used up, the analysis warns.

The scenarios don't account for countries dialing down usage. They also focus more on accidents on individual routes, rather than deliberate shutdowns on multiple routes by a single supplier like Russia.

“The EU must think long and hard about energy diversification and consider once again the risks of Nord Stream 2<https://politico.us8.list-manage.com/track/click?u=e26c1a1c392386a968d02fdbc&id=c65a90dc4e&e=b93961e7ed>, which, if built, will concentrate 80 percent of all Russian gas supplies to Europe to one submarine pipeline system,” said Sergiy Makogon, CEO of Ukraine's gas grid operator.

“Digital threats have just come to the fore, but they can't overshadow physical security,” Makogon added. “We have seen mysterious accidents reshape the European energy landscape in 2009, when an unexplained blast<https://politico.us8.list-manage.com/track/click?u=e26c1a1c392386a968d02fdbc&id=20db2acd86&e=b93961e7ed> destroyed a portion of the Turkmenistan-Russia pipeline, ending exports of Turkmen gas to Europe. Or the 2006 pipeline explosion<https://politico.us8.list-manage.com/track/click?u=e26c1a1c392386a968d02fdbc&id=b3b63382f8&e=b93961e7ed> that left Georgia and Armenia without gas in the middle of winter.”

The rise of digital attacks could change the way those scenarios are modeled.

“Cyber has introduced in the energy sector a new way to think about threats and risks: Better to simulate and stimulate a reaction and to derive a preventive strategy than to have a scenario that will rarely repeat twice on large scale infrastructures,” ACER's Shortall said.

Policies in the pipeline

European companies could soon face tougher cybersecurity rules, when EU legislators pass a proposal<https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2020/0359(COD)&l=en> by the European Commission to strengthen the NIS regime.

In the draft law, energy firms risk being fined up to 2 percent of their annual turnover if they don't put in place security audits, have incident response policies and check the security of their suppliers. The proposal also added a range of subsectors of the energy market to the scope of the law, including hydrogen production, district heating, electricity production and central oil stockholding.

The EU is also working on a “network code” on cybersecurity for electricity firms that would be adopted next year; a similar code for gas is also in the works. And the sector is already working with public authorities to share information on attacks and incidents within a European Energy Information Sharing and Analysis Center.

“The sector is catching up in terms of cybersecurity,” said Evangelos Ouzounis, head of secure infrastructure and services at ENISA, adding that more investments and continuous information sharing were needed to rule out incidents like the Colonial catastrophe.


ISPs Funded 8.5 Million Fake Comments Opposing Net Neutrality (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 9 May 2021 16:10:02 -0400

The secret campaign, backed by major broadband companies, used real people's names without their consent.

The largest Internet providers in the US funded a campaign that generated ‘8.5 million fake comments’ to the Federal Communications Commission as part of their fight against net neutrality rules during the Trump administration, according to a report issued Thursday by New York state attorney general Letitia James.

Nearly 18 million out of 22 million comments were fabricated, including both pro- and anti-net-neutrality submissions, the report said. One 19-year-old submitted 7.7 million comments supporting net neutrality under fake, randomly generated names. But the astroturfing effort by the broadband industry stood out because it used real people's names without their consent, with third-party firms hired by the industry faking consent records, the report said.

The New York Attorney General's Office began its investigation in 2017 and said it faced stonewalling from then FCC chair Ajit Pai, who refused requests for evidence. But after a years-long process of obtaining and analyzing “tens of thousands of internal emails, planning documents, bank records, invoices, and data comprising hundreds of millions of records,” the office said it “found that millions of fake comments were submitted through a secret campaign, funded by the country's largest broadband companies, to manufacture support for the repeal of existing net neutrality rules using lead generators.”

It was clear before Pai completed the repeal in December 2017 that millions of people—including dead people—were impersonated in net neutrality comments. Even industry-funded research found that 98.5 percent of genuine comments opposed Pai's deregulatory plan. But Thursday's report reveals more details about how many comments were fake and how the broadband industry was involved.

https://www.wired.com/story/isps-funded-85-million-fake-comments-opposing-net-neutrality/

Hey, there's a bright side—4+ million comments were real. Nice work, Pai — suppressing evidence.


Tesla backseat driver was arrested then released; now he says he is back at it (Electrek)

Lauren Weinstein <lauren@vortex.com>
Wed, 12 May 2021 09:30:03 -0700

https://electrek.co/2021/05/12/tesla-backseat-driver-arrested-releases-back-at-it/

Why does this person still have a driver's license?

If Elon Musk had an ounce of integrity, @Tesla would shut down all driver assist and self-drive capabilities of anyone found to be abusing those systems, including of course back seat drivers.


Nearly All Wi-Fi Devices Are Vulnerable to New FragAttacks (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Wed, 12 May 2021 07:58:48 -1000

Three design and multiple implementation flaws have been disclosed in IEEE 802.11 technical standard that undergirds Wi-Fi, potentially enabling an adversary to take control over a system and plunder confidential data.

Called FragAttacks <https://www.fragattacks.com/> (short for FRagmentation and AGgregation attacks), the weaknesses impact all Wi-Fi security protocols, from Wired Equivalent Privacy (WEP) all the way to Wi-Fi Protected Access 3 (WPA3), thus virtually putting almost every wireless-enabled device at risk of attack.

“An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices,” Mathy Vanhoef, a security academic at New York University Abu Dhabi, said. “Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.”

IEEE 802.11 provides the basis for all modern devices using the Wi-Fi family of network protocols, allowing laptops, tablets, printers, smartphones, smart speakers, and other devices to communicate with each other and access the Internet via a wireless router.

Introduced in January 2018, WPA3 <https://www.wi-fi.org/discover-wi-fi/security> is a third-generation security protocol that's at the heart of most Wi-Fi devices with several enhancements such as robust authentication and increased cryptographic strength to safeguard wireless computer networks.

According to Vanhoef, the issues <https://github.com/vanhoefm/fragattacks> stem from “widespread” programming mistakes encoded in the implementation of the standard, with some flaws dating all the way back to 1997. The vulnerabilities have to do with the way the standard fragments and aggregates frames, allowing threat actors to inject arbitrary packets and trick a victim into using a malicious DNS server, or forge the frames to siphon data.

The list of 12 flaws <https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md> […]

https://thehackernews.com/2021/05/nearly-all-wifi-devices-are-vulnerable.html


U.S. Intelligence Agencies Warn About 5G Network Weaknesses (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Tue, 11 May 2021 12:27:29 -1000

Inadequate implementation of telecom standards, supply chain threats, and weaknesses in systems architecture could pose major cybersecurity risks to 5G networks, potentially making them a lucrative target for cybercriminals and nation-state adversaries to exploit for valuable intelligence.

The analysis, which aims to identify and assess risks and vulnerabilities introduced by 5G adoption, was published on Monday by the U.S. National Security Agency (NSA), in partnership with the Office of the Director of National Intelligence (ODNI) and the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

“As new 5G policies and standards are released, there remains the potential for threats that impact the end-user. For example, nation states may attempt to exert undue influence on standards that benefit their proprietary technologies and limit customers' choices to use other equipment or software.”

Specifically, the report cites undue influence from adversarial nations on the development of technical standards, which may pave the way for adopting untrusted proprietary technologies and equipment that could be difficult to update, repair, and replace. Also of concern, per the report, are the optional security controls baked into telecommunication protocols, which, if not implemented by network operators, could leave the door open to malicious attacks.

A second area of concern highlighted by the NSA, ODNI, and CISA is the supply chain. Components procured from third-party suppliers, vendors, and service providers could either be counterfeit or compromised, with security flaws and malware injected during the early development process, enabling threat actors to exploit the vulnerabilities at a later stage. […]

https://thehackernews.com/2021/05/us-intelligence-agencies-warn-about-5g.html


Pro tip for the “but how do we protect ourselves?” folks (Brian Krebs)

geoff goodfellow <geoff@iconia.com>
Tue, 11 May 2021 12:09:50 -1000

Pro tip for the “but how do we protect ourselves?” folks. DarkSide ransomware, like many other strains, will not install on systems where certain Cyrillic keyboard and other scripts are already installed. So, install the Russian keyboard. You don't have to use it.

https://twitter.com/briankrebs/status/1392163072970829830
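One way to apply the tip on Windows, as an added example (not from Krebs's tweet or from the digest), using the built-in Get-WinUserLanguageList / Set-WinUserLanguageList cmdlets: it reports whether a Russian layout is already present and adds ru-RU only if it is not, without switching the active keyboard.

```powershell
# Added example, not part of the original digest item.
# Assumption: run in the interactive session of the user whose input-language
# list should change; the cmdlets come from the International module that
# ships with Windows 8 and later.

function Test-RussianLayoutInstalled {
    # Each entry of the per-user language list carries a LanguageTag such as
    # "en-US" or "ru-RU"; any tag starting with "ru" counts as present.
    $langs = Get-WinUserLanguageList
    return [bool]($langs | Where-Object { $_.LanguageTag -like 'ru*' })
}

function Add-RussianLayout {
    param([switch]$WhatIf)   # -WhatIf: report the change without applying it

    if (Test-RussianLayoutInstalled) {
        Write-Host 'A Russian layout is already installed; nothing to do.'
        return
    }

    $langs = Get-WinUserLanguageList
    $langs.Add('ru-RU')      # appends the layout; the current default stays active

    if ($WhatIf) {
        Write-Host "Would set language list to: $($langs.LanguageTag -join ', ')"
        return
    }

    # -Force suppresses the confirmation prompt.
    Set-WinUserLanguageList -LanguageList $langs -Force
    Write-Host 'Added ru-RU. You do not have to use it; it only needs to be listed.'
}

Add-RussianLayout -WhatIf   # dry run first
Add-RussianLayout           # apply
```

This only trips the self-check of malware families that refuse to run on systems with Cyrillic layouts; it is a cheap deterrent, not a substitute for offline backups and patching.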


Twitter's Tip Jar Privacy Fiasco Was Entirely Avoidable (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 9 May 2021 16:05:43 -0400

Sending its users to PayPal has created all sorts of problems that Twitter should have caught ahead of time.

On Thursday, Twitter continued its grand tradition of embracing features users had unofficially pioneered (see also: the @-reply, the retweet, the hashtag) by instituting a Tip Jar. Enjoy someone's tweet? Send them some money straight from the app, via the online payment processor of their choice. Simple enough. And yet, predictably, not so simple, especially for those who value their anonymity online.

Within a few hours of Twitter's Tip Jar announcement, security researcher Rachel Tobac found an unfortunate wrinkle: Sending someone money via PayPal revealed to them her home address. Not long after, former Federal Trade Commission chief technologist Ashkan Soltani discovered that using PayPal for the Tip Jar could reveal a user's email address, even if no transaction took place.

https://www.wired.com/story/twitter-tip-jar-privacy-fiasco-entirely-avoidable/

The risk? Good intentions.


I have been pwned!—but not really

Rob Slade <rslade@gmail.com>
Mon, 10 May 2021 12:05:56 -0700

Today I received a notification from haveibeenpwned.com, informing that I was “pwned” in the DriveSure data breach.

The notification lists my email address, the breach, the date (December of 2020), the number of accounts, the compromised data (email addresses, names, passwords, phone numbers, physical addresses, and vehicle details), and a description of the breach.

The thing is, I don't recall dealing with DriveSure.

And the email address given was my rslade@gmail.com address.

Aha!

I get lots of email through that account that isn't for me. It isn't exactly spam, either. It is directed at someone, and, although some of it is marketing bumpf, some of it is quite personal. A lot of people think that rslade@gmail.com is their email address, and provide it to friends and business contacts.

The upside is that, no, my password and personal details probably haven't been pwned.

The downside is that there is a risk in using a very popular email platform.


Marvin Minsky hacked?

Tom Van Vleck <thvv@multicians.org>
Tue, 11 May 2021 08:15:30 -0700

Compsci boffin publishes proof-of-concept code for 54-year-old zero-day in Universal Turing Machine

The Register https://www.theregister.com/2021/05/11/turing_machine_0day_no_patch_available/

[Marvin Minsky taught my 2nd computer course at MIT. THVV]

That reminds me of Bob Fenichel's Turing Hack

Tom Van Vleck <thvv@multicians.org>
Tue, 11 May 2021 17:25:27 -0700

Bob Fenichel was an assistant professor at MIT in 1965. He wrote a set of FAP macros to simulate a Turing machine. As the macros were expanded, they defined other macros with temporary names. You invoked the top-level macro something like TURING A,B,C where A was the tape, B the initial position, C the transition table.

The macro-assembler assembled the macros, simulating the operation of the specified machine, and eventually assembled either PZE 1 or PZE 0 depending if the machine stopped on a 1 or 0 on the tape.

So all the “computation” was done in (conditional) macro expansion. This was a practical demonstration that a macro language that allowed macros to define other macros is able to compute anything computable. Of course, the FAP simulation was in practice limited by the storage available on the assembler's macro expansion tape, but the cost of 7094 time was an even more practical limit on these experiments. It is still one of the neatest hacks I've seen.


96% of U.S. Users Opt Out of App Tracking in iOS 14.5, Analytics Find (Samuel Axon)

ACM TechNews <technews-editor@acm.org>
Wed, 12 May 2021 12:25:21 -0400 (EDT)

Samuel Axon, Ars Technica, 7 May 2021, via ACM TechNews, 12 May 2021

U.S. users have opted out of application tracking nearly all (96%) of the time following Apple's release of iOS 14.5 in April, according to mobile app analysis platform Flurry Analytics. That release was accompanied by Apple's launch of enforcement of the App Tracking Transparency policy, which requires iPhone, iPad, and Apple TV apps to request user consent to monitor their activity across multiple apps for data collection and ad targeting. Based on data from roughly 1 million mobile apps, Flurry Analytics said U.S. users agree to be tracked only 4% of the time; globally, the firm found that number reaching 12%.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2af34x22b1c8x069859&


FaceApp misrepresentation (WashPost)

Monty Solomon <monty@roscom.com>
Wed, 12 May 2021 09:53:55 -0400

A beautiful female biker was actually a 50-year-old man using FaceApp. After he confessed, his followers liked him even more.

The middle-aged father's big reveal sparked a debate over identity in the Internet age: “The only thing I'm creating is my appearance. Everything else is me.”

https://www.washingtonpost.com/technology/2021/05/11/japan-biker-faceapp-soya-azusagakuyuki/


A risk of computerizing what worked fine without the computer (NotAlwaysRight)

“Mark Lutton” <mlutton@rcn.com>
Tue, 11 May 2021 22:42:45 -0400

https://notalwaysright.com/gordon-was-their-glue/233352/

This story comes from the web site “Not Always Right.”

Gordon was a janitor, odd-job man, and general get-things-done man at a care facility for vulnerable adults and the elderly. He was happy, friendly, cheerful, and competent, kept the infrastructure running well, and kept the place spick and span. Basically, he was really good at his job and went above and beyond as the necessity presented itself.

Come the day when the place was computerised. The requirement was now that he book all his activities on a computerised timesheet, for which he had to have a computer of his own or a mobile phone. Gordon did not have a computer and didn't have the most up-to-date phone; all he needed to do was to take phone calls, which he managed perfectly well with his old model.

This latest requirement gave him a lot of trouble. He managed to get around it by being allowed to use one of the computers in the office, which was not part of his domain, and he felt socially awkward in there. Not only was it a complicated, fiddly, and awkwardly buggy piece of software - it used to crash when you didn't enter the operations in the correct order - but Gordon did not take easily to learning how to use a computer. Equally unfortunately, there was nobody in the facility who was skilled in training a technological newcomer, and he was getting shouted at plenty, so of course, he found himself shouting back.

It didn't end well. He was given an ultimatum: shape up or ship out. He was close to retirement anyway, so he took that early retirement and shipped out before the facility had even begun to think about getting his replacement trained up. They were forced to rely completely on the agency staff who had been used on a temporary basis on the occasions when Gordon was on leave. While competent enough at general janitorial duties, such temporary staff were nowhere near familiar enough with the facility to know how to keep it running properly, and things started progressively breaking down and not getting properly repaired, and of course, it turned out that Gordon had contacts in the trade where he would call specific people to get various repairs done. Without Gordon's happy smiling presence, coupled with the increasingly shabby and ill-maintained infrastructure, morale plummeted, and staff started to drift away. Hence, they started failing inspections, and in due course, the facility closed. I'm not sure what happened to the residents; I believe they were shunted off to other establishments.

Original story is from Not Always Right at the link above. Submitted to RISKS by Mark Lutton, mlutton@rcn.com


Apple's new Airtags can be easily abused by stalkers (WashPost)

Lauren Weinstein <lauren@vortex.com>
Wed, 5 May 2021 18:35:47 -0700

https://www.washingtonpost.com/technology/2021/05/05/apple-airtags-stalking/


Michigan GOP lawmaker floats bill to register, fine ‘fact checkers’

Lauren Weinstein <lauren@vortex.com>
Wed, 12 May 2021 08:34:30 -0700

Only if there's an equivalent fine for anyone who purposely promotes misinformation, idiots!

https://www.detroitnews.com/story/news/politics/2021/05/11/michigan-gop-lawmaker-floats-bill-register-and-fine-fact-checkers/5043399001/


Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob Popsicles (RISKS-32.65)

Amos Shapir <amos083@gmail.com>
Mon, 10 May 2021 16:32:59 +0300

I'd love to find out how it was possible for a 4-year-old boy to do that; unfortunately, the Washington Post site requires a subscription.
