Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Flash cards are a common memorization tool. They can be simply written on pieces of paper and easily be carried for use in spare moments.
Military personnel in Europe used public flash-card apps to memorize exact locations, previously secret, and the precise security details to keep those nuclear weapons from unintended use.
The data uncovered by reporters spanned 2013 to the present. When NATO was asked to comment, the data was taken down. Let's hope the archives too!
There is a good argument that human foibles make us unsuitable for tools too powerful.
Full report via the Bellingcat investigative journalist group at https://www.bellingcat.com/news/2021/05/28/us-soldiers-expose-nuclear-weapons-secrets-via-flashcard-apps/
https://www.theregister.com/2021/05/28/flashcards_military_nuclear/
Seems like this problem is the result of people not understanding simple consequences. Either they didn't know some facts, or they didn't draw logical conclusions.
Some things the missile workers should have been told:
The Three Questions apply.
ACM SIGSOFT Software Engineering Notes, vol 14 no 5 July 1989, pp 62-63 (https://multicians.org/thvv/threeq.html, has cartoon also)
The “Rule of 48” mentioned in Michael Crichton's “Andromeda Strain” is a more general phenomenon affecting all fields of research. The “Rule of 48” refers to a 1936 citation reporting the number of human chromosomes as 48. Decades later, the original microscope photographs were examined, and the count was confirmed as 46.
Wired published “The 60-Year-Old Scientific Screwup That Helped Covid Kill”, describing recent research into the airborne spread of virus particles, including SARS-CoV-2/COVID-19. The article documents how a questionable number became embedded in the medical and public health communities.
An interesting read, applicable to many areas other than medicine and public health.
https://www.wired.com/story/the-teeny-tiny-scientific-screwup-that-helped-covid-kill/
The malicious code, which masquerades as ransomware, appears to come from a hacking group with ties to Iran.
https://www.wired.com/story/never-before-seen-wiper-malware-hitting-israeli-targets/
https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html
As the ransomware industry exploded, a Russian-speaking outfit called DarkSide offered would-be computer crooks not just the tools, but also customer support. We got an inside look.
As a result of the law enforcement exception, Facebook alone honors hundreds of thousands of government requests for user data annually—roughly 296,000 in 2020. Meanwhile, social media companies have spent years fending off defendants' court-approved subpoenas, even when they're aware that the consequence could be a death sentence. In 2019, a Superior Court judge who approved one such subpoena in a murder trial excoriated the companies. Facebook and Twitter appear to be misusing their immense resources to manipulate the judicial system in a manner that deprives two indigent young men facing life sentences of their constitutional right to defend themselves at trial, Judge Charles Crompton wrote. Facebook and Twitter have made it clear that they are unwilling to alter their behavior, regardless of the harm to others—or the rulings of this court.” Crompton found them in contempt of court for disobeying a lawful order, and the companies simply ate the maximum $1,000 fines, a penalty that was likely cheaper than paying their lawyers to do another hour of work.
If the Supreme Court decides to hear the case and rules in Colone's favor, it could stand to not only potentially save Colone's life but spare countless underprivileged people years of unjust incarceration.
https://gizmodo.com/a-death-row-inmate-has-waited-years-for-github-to-provi-1846976389
Organizations signed a formal list of 70 public complaints against the social media giant.
May 26, 2021—“Representatives from a coalition of organizations gathered outside Facebook's lobbying headquarters in Washington, D.C. Tuesday to protest the company's alleged abuse of the American people and announce a formal list of 70 public complaints against the social media platform.
Robert Weissman, president of the consumer rights advocacy group and think tank Public Citizen, accused Facebook of political indifference and subverting democracy, saying “the American people and people of the world will no longer tolerate Facebook's abuses. This is a company out of control. It is literally out of the control of our democracy.”
The organizations present hold Facebook responsible for the alleged spreading of misinformation that influences elections, limiting users' access to competing ideas, and wielding unjust amounts of political power.
With the support of the agreeing organizations present, Weissman expressed a lack of confidence in Facebook's ability to manage itself, claiming its leaders had given up control to algorithms the company leaders didn't understand. They called on the government to regulate the industry, break up the company, and hold its executives legally accountable for the damages done against the world.
https://www.wired.com/story/ftc-lawsuit-says-frontier-lied-about-internet-speeds/
I'm shocked that an ISP would lie about such an important matter.
https://medicalxpress.com/news/2021-05-smart-toilet-stool-health-problems.html
“An artificial intelligence tool under development at Duke University can be added to the standard toilet to help analyze patients' stool and give gastroenterologists the information they need to provide appropriate treatment, according to research that was selected for presentation at Digestive Disease Week (DDW) 2021. The new technology could assist in managing chronic gastrointestinal issues such as inflammatory bowel disease (IBD) and irritable bowel syndrome (IBS).”
This gizmo uses images to decide. Would an olfactory cross-reference elevate diagnostic efficacy?
Risk: False negative/positive detection
https://phys.org/news/2021-05-replication-crisis-true-cited.html
Non-reproducible publications that are not retracted can be weaponized via social media, and are used to promote falsehoods that jeopardize public health and promote incivility.
“The influence of an inaccurate paper published in a prestigious journal can have repercussions for decades. For example, the study Andrew Wakefield published in The Lancet in 1998 turned tens of thousands of parents around the world against the measles, mumps and rubella vaccine because of an implied link between vaccinations and autism. The incorrect findings were retracted by The Lancet 12 years later, but the claims that autism is linked to vaccines continue.”
Well, I thought Disney was the “Gold Standard” in terms of threatening lawsuits over any possible trademark infringement, but Warner Brothers seems to be trying to make their mark in the field.
Warner Brothers, distributor of the Hobbit movie franchise, has threatened a lawsuit over the “Hobbit Mountain Hole” house. the owner, not interested in lawsuits, has renamed it the “Second Breakfast Hideaway.” https://vancouversun.com/news/local-news/b-c-hobbit-house-renamed-after-threat-of-lawsuit-from-warner-bros
A couple of points: I wonder if Warner is going to go after over the “second breakfast” reference.
Also, wouldn't it be the Tolkien estate that would have the real rights to “Hobbit” references? (Actually, you could probably defend the use of the term “hobbit” on the basis of prior art: the word was in use before Tolkien wrote about it …)
Skeptics say the law is clearly unconstitutional
Good luck with that. Maybe deplatform Florida entirely. Or provide a list setting I've long wished for “Set bozo mode” for a subscriber, so bozo sees own posts, thinks they're broadcasting, but nobody else does.
D.C. Attorney General Karl A. Racine on Tuesday brought an antitrust complaint against Amazon, alleging that the e-commerce giant wields monopoly power that has resulted in higher prices for consumers.
https://www.washingtonpost.com/technology/2021/05/25/dc-ag-antitrust/
Shocking.
At Build, Microsoft CEO Satya Nadella calls the update the ‘next generation of Windows,’ and promises to share more details soon.
During his keynote at Tuesday's Build developer conference, CEO Satya Nadella teased that major changes are in store for the operating system. “Soon we will share one of the most significant updates to Windows of the past decade to unlock greater economic opportunity for developers and creators. I've been self-hosting it over the past several months, and I'm incredibly excited about the next generation of Windows.” […]
Nadella didn't reveal much else, except to tease that the updated OS will benefit software developers everywhere. “Our promise to you is this: we will create more opportunity for every Windows developer today and welcome every creator who is looking for the most innovative, new, open platform to build and distribute and monetize applications. We look forward to sharing more very soon,” Nadella said.
The comment might be connected to how Redmond is reportedly developing a new version of the Microsoft App Store for Windows 10. According to Windows Central, the company is refreshing the store with a new interface while also relaxing the rules on how developers can publish apps on the platform. This includes giving developers the option to use any third-party payment solution to charge customers.
https://www.pcmag.com/news/microsoft-tips-generational-update-for-windows-10
This is supposed to be good news? As it's aimed to benefit developers? And inflicted on everyone?
By using technologies online from the cryptocurrency world, like tokens and blockchains, regular people could participate in real estate transactions that are too unwieldy in the analog world.
For example, a hot new idea is using NFTs, or non-fungible tokens—digital certificates that convey exclusive rights to something. Although NFTs are just starting to be applied to real estate, supporters say they will become standard in the industry.
A colleague recently asked me how the teletype stuff worked in the old ARPAnet IMP.
[Tech short answer: it used a two-layer co-routine. tricky and a bit obscure but small and fast]. How it works was that there were two fake [i.e., internal] hosts in the IMP: one for the tty and one for a simple DDT-like debugger. when the first two IMPs were installed [UCLA & SRI], while the host systems were working on their hardware and software,, the IMP-guys there had the communication- lines up and working right away and knew it was OK because they connected their TTYs to each other and could what-we'd-call-today “DM” each other, so we knew the message machinery, line machinery, routing machinery worked.. and we were just waiting for the hosts to send an external-host-to-external-host message [the TTY and DDT used the exact same host machinery/software so we were pretty sure the IMP stuff was OK]
And I was horrified what a huge risk that machinery was. I realized [for the first time in 50+ years] how poorly designed that functionality was. In particular , since the DDT used the normal host machinery, ANY host on the network could send commands and probes to ANY IMP [indeed we did that from the NCC on IMP 5 to manage the IMPs]. BUT: ANY host. no protections. At the time, for example, I believe that the MIT ITS system allowed just anyone to [anonymously] access the ARPAnet. All it would've taken is ONE hacker knowing what I knew [damn.. and had implemented] to cause utter chaos [untraceably!!!] on the ARPAnet. E.g., could could every now and then tweak the routing table, or tell an IMP to restart or disable some functionality.
In musing about this I was thinking that many of our current woes are due to the fact that ARPAnet was built with not a single thought to security [I can attest our primary/only concern was , really, that it work]. that then oozed into the host protocols and so we are, to this day, have to deal with things like SNMP which should have been hardened, if not scrapped, before the network was let loose out from ARPA's thumb. I wonder how the ARPAnet/Internet might have been different if we'd thought about security and making the protocols robust right from the start.
Russia Appears to Carry Out Hack Through System Used by U.S. Aid Agency https://www.nytimes.com/2021/05/28/us/politics/russia-hack-usaid.html
SolarWinds hackers are back with a new mass campaign, Microsoft says https://arstechnica.com/gadgets/2021/05/microsoft-says-solarwinds-hackers-targeted-us-agencies-in-a-new-campaign/
https://www.cbc.ca/news/business/canada-post-breach-1.6042602
Canada's national mail carrier says a malware attack on one of its suppliers has impacted 44 of its biggest corporate customers across the country, and potentially up to nearly one million people.
Canada Post said in a statement Wednesday that one of its suppliers, Commport Communications, had its systems compromised in a cyberattack.
The “Rule of 48” mentioned in Michael Crichton's “Andromeda Strain” is a more general phenomenon affecting all fields of research. The “Rule of 48” refers to a 1936 citation reporting the number of human chromosomes as 48. Decades later, the original microscope photographs were examined, and the count was confirmed as 46.
WiReD published “The 60-Year-Old Scientific Screwup That Helped Covid Kill”, describing recent research into the airborne spread of virus particles, including SARS-CoV-2/COVID-19. The article documents how a questionable number became embedded in the medical and public health communities.
An interesting read, applicable to many areas other than medicine and public health.
https://www.wired.com/story/the-teeny-tiny-scientific-screwup-that-helped-covid-kill/
As Congress Dithers, States Step In to Set Rules for the Internet
Virginia, Florida, Arkansas and Maryland are among dozens of states that have introduced bills to curtail the power of Amazon, Google, Facebook and Twitter.
https://www.nytimes.com/2021/05/14/technology/state-privacy-internet-laws.html
Schadenfreude emerges when inspecting CP's “General Terms & Conditions: https://colonialoilindustries.com/2018/wp-content/uploads/gtc.pdf
See the last phrase beginning with “except to the extent proximately caused by…”
“12. Indemnification. To the extent permitted by applicable law, Buyer agrees to indemnify, defend, hold harmless and reimburse Colonial for, from and/or against all claims, suits, judgments, costs, expenses, damages and/or liabilities of any nature or kind, including reasonable attorney's fees and costs, brought against or suffered, incurred or sustained by Colonial and arising or resulting in any way from (a) Buyer's breach of this Agreement or (b) any acts, omissions, events, occurrences, spills, releases, noncompliance with laws, rules or regulations, strict liability, explosions, fires or accidents of, involving, concerning or relating in any way to the product (whether relating to handling, storage, transfer, shipping, release or use thereof or otherwise) and which occur, take place or relate to any time after the time title passes to Buyer hereunder, except to the extent proximately caused by Colonial's negligent or willful wrongful acts.”
CP was advised a few years in advance about deficient internet defenses; they apparently did not invest to correct these deficiencies. The business operations platforms—sales and inventory, customer profiling, etc—were consequently assaulted. The US East Coast commuting population experienced significant inconvenience.
Every for-profit shop with an internet footprint invokes indemnification to shield against lawsuits. Indemnification enables corporations to operate — sell products, collect, and exploit sales data—with commercial impunity.
When the corporate brand is threatened by strategic operational mistake—a failure proactively mitigate auspicious infosec weaknesses—there's almost no legal cover.
Expect a monetary settlement, a “non-admission of corporate guilt statement,” and a deferred prosecution agreement that waives employee imprisonment subject to CP's promise to prevent recurrence.
I'll wait for my free gasoline voucher.
How Language Models Could Change Disinformation
Growing popular and industry interest in high-performing natural language generation models has led to concerns that such models could be used to generate automated disinformation at scale. This report examines the capabilities of GPT-3—a cutting-edge AI system that writes text—to analyze its potential misuse for disinformation. A model like GPT-3 may be able to help disinformation actors substantially reduce the work necessary to write disinformation while expanding its reach and potentially also its effectiveness.
For millennia, disinformation campaigns have been fundamentally human endeavors. Their perpetrators mix truth and lies in potent combinations that aim to sow discord, create doubt, and provoke destructive action. The most famous disinformation campaign of the twenty-first century—the Russian effort to interfere in the U.S. presidential election—relied on hundreds of people working together to widen preexisting fissures in American society.
Since its inception, writing has also been a fundamentally human endeavor. No more. In 2020, the company OpenAI unveiled GPT-3, a powerful artificial intelligence system that generates text based on a prompt from human operators. The system, which uses a vast neural network, a powerful machine learning algorithm, and upwards of a trillion words of human writing for guidance, is remarkable. Among other achievements, it has drafted an op-ed that was commissioned by The Guardian, written news stories that a majority of readers thought were written by humans, and devised new internet memes.
In light of this breakthrough, we consider a simple but important question: can automation generate content for disinformation campaigns? If GPT-3 can write seemingly credible news stories, perhaps it can write compelling fake news stories; if it can draft op-eds, perhaps it can draft misleading tweets. […] https://cset.georgetown.edu/publication/truth-lies-and-automation/
Operational procedures should make this sort of error impossible for one person to do. So it's never just one person's fault. -L
https://www.theregister.com/2021/05/19/salesforce_root_cause/
MICROSOFT BUILD 2021—Eight months after licensing the GPT-3 natural language AI model from OpenAI last September, Microsoft is integrating the language generator into its Microsoft Power Apps software to make it easier for enterprise workers to build no-code applications. […]
Once GPT-3 is integrated with Microsoft Power Apps, non-technical employees will be able to build a no-code Power Apps application by entering conversational language and then have it automatically transformed into the needed code using GPT-3, according to Microsoft.
Taking the old joke about, “Write your program in FORTRAN or write a story about your program in COBOL” to new levels of storytelling. Funny, announcement doesn't describe how non-technical employees will debug or enhance their stories.
I just watched the PBS NOVA program in which a Caltech professor provides experimental evidence of how the Hindenburg Zeppelin burned and crashed in 1937—a NTSB-like investigation 84 years in the making.
As a trained electrical engineer, I agree with the conclusions, but the PBS story excessively convoluted the relatively simple argument.
Here's my version on one slide:
History's Mysteries: Caltech Professor Helps Solve Hindenburg Disaster Emily Velasco, 17 May 2021 https://www.caltech.edu/about/news/historys-mysteries-caltech-professor-helps-solve-hindenburg-disaster
The NPR article begins with this statement;
“Researchers have found just 12 people are responsible for the bulk of the misleading claims and outright lies about COVID-19 vaccines that proliferate on Facebook, Instagram and Twitter.”
The NPR article explains nothing; it has an early paragraph stating a claim, and a link to a PDF which is the basis for that claim, and then the rest of the article goes on about how harmful this all is.
Reading the PDF, I'm finding it rather difficult to pick out what was actually done, and so what is actually claimed. What I'm come up with is this;
The investigators examined 10 private and 20 public anti-vaccine groups on Facebook, over a period of six weeks, and from this selected 483 pieces of anti-vaccine content which they considered representative (no basis for selection was given). They found over Facebook as a whole, these 483 pieces of anti-vaccine content had been posted or shared about 690,000 times, and that of these posts, 73% were of content which came from a group of twelve individuals.
I don't think it's stated how many of the 483 pieces of anti-vaccine content actually came from these twelve individuals. Obviously, if say 90% of them came from those twelve individuals, then selection bias at that point will strongly influence the later findings.
Also, it seems to me that the number 690,000 is a very low number of posts for all of Facebook for six weeks on such a topical matter. Given how few posts there are, I would also like to know how many of those posts were in fact part of those 30 anti-vaccine groups.
In any event, generalizing from this to the entirety to Facebook, Instagram and Twitter is wholly improper.
(Indeed, in the PDF, Instagram is in fact not investigated at all. It is mentioned as being a platform these individuals use, but the content was not examined - only Facebook and Twitter.)
I think the large majority of the PDF is emotive activism to censorship, including an actual and fairly lengthy profile of each of the accused, with a small and I have to say I found rather confusingly presented, and rather unexplained (too many “we choose as representative”) part being the investigation that was performed.
There may be something in this, but taken as it is, right now, this seems to me to be a means to an end - indeed, not entirely unlike the very disinformation it seeks to discredit in others. The origin is the “Center for Countering Digital Hate”, so we can imagine they're coming at this from a particular point of view.
[was: Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob, Popsicles (RISKS-32.65)]
Interesting note by PGN, and interesting comment be Bernie. My eyes barely twitched when I read the original post which described how to bypass the Washington Post paywall. (I just open WaPo articles in an InPrivate/Incognito browser and re-accept the cookie and “You have three free articles left” notice).
Should we share information about how to pick locks? I'm pretty sure we do that. Every day, in announcing vulnerabilities and the devilishly clever technology steps taken to exploit them. And, even better, in a timeless SciFi way, by theorizing from where a next class of such vulnerabilities will come, and how they may be used (for good and ill).
Of course, there's a responsible way to do that (and in my decades reading RISKS the posts here have always fallen on the responsible side; thank you, moderators).
What constitutes responsible disclosure of “Site <X>'s paywall can be bypassed?”
For that matter, what constitutes ethics in such a situation?
I'm a paying subscriber to at least four major news publications across three countries on two continents, and on all of them I still have to repeatedly deal with cookie (re-)notices, to re-log in too frequently (despite the “remember me” box having been ticked), and to suffer a raft of other repetitive, intrusive technology and user experience design failures.
Where is the ethos that says that, especially for the paying customer, site <X> has to do a good enough job to avoid repeatedly interfering with my paid use of their product, and stop wasting my time?
Two wrongs don't make a right (Despite that sometimes three lefts do …), but, NOT talking about the-secret-that-everyone-knows which isn't even so much a symptom of “I don't want to pay for it” —it is but really — it's broken and everyone knows it but why won't anyone actually fix it” … is that even unethical, in fact? Or is it a needed prod to fix these services?
With all that background, plus of course the broad availability of browser plugins, etc, meant explicitly to bypass paywalls, cookie banners, etc, I didn't see any reason why RISKS shouldn't allow such an item to be posted, and I'm unsurprised that the moderators didn't get much feedback about it.
Bernie, I'm glad you raised it, because I think that a risk that maybe we haven't discussed enough in recent years is the aggregated societal cost in wasted time and increased stress from poor user experience caused by a combination of incompetence, excessive intent to continue selling (even to those who have already bought), and failures to understand/ excessive(?) fear of regulatory action provoking excessive “security” and “compliance” friction in daily Internet use.
I have been running NoScript to block all Javascript by default on all but a few websites for many years and have been reading the occasional article from the Washington Post for many years. I would not have even known about their javascript block if I hadn't run the experiment of turning off NoScript on the web site. Note that the Post hands out and displays the complete article, along with some javascript that waits a few moments, and then covers up the article with a request for a subscription. If the javascript is not executed, then the article is not covered up. For all I know, there may be dozens of other web sites that do the same!
A real world analogy: The Washington Post says, “I have an article about XYZ, would you like to read it?”, You reply “OK, I'll have a look at it”. The Washington Post hands you the article and you start reading. Then The Washington Post hands you a piece of cardboard and says “Please cover the article I just gave you with this cardboard”. You ask “Why?” and WP answers “So that I can ask you to pay me money to take the cardboard away again”. You say “How about I just decide not to cover the article with the cardboard and carry on reading?”. “THIEF!!!” Except in my case, I didn't even hear the request to cover the article with the card. Am I still a thief?
Is it really morally wrong to choose not to execute by default every piece of code that is handed to you by any web site that you decide to visit?
It appears that Bernie Cosell <cosell@alum.mit.edu> said:
>How handy! We needed a forum on how to “share” things that we ought to pay >for. Next fun activity on RISKS—how to get ATMs to spit out money. > >NB: I don't mean to start a fight but I don't think that kind of “help” is >appropriate for RISKS.
For anyone familiar with the way that the web works, it should be obvious that freemium sites that let you view a few articles and then ask you to pay use a browser cookie to keep the article count. If you set your browser not to accept cookies from a site, there is no counter and in most cases you can see all the articles you want. A few sites are pickier and check to see if you're doing that, but mostly they don't bother, on the reasonable assumption that anyone trying that hard to bypass the paywall is unlikely ever to pay, and the harder they try to block freeloaders, the more likely they'll also accidentally block legit users.
Those of us from the previous millennium remember software on copy protected floppy disks, same idea to allow some kinds of use typical of paying customers but not other kinds typical of non-payors. The software industry eventually stopped doing that, because the copy protection annoyed the legit users, and the people who might be deterred by copy protection were unlikely to turn into paying customers. There was even a plausible argument that a certain amount of copying led to more sales as people with illicit copies found they liked the software enough to pay for documentation (there were these paper things called “manuals”) and support (using a now-forgotten kind of telephone that you couldn't lose because it was attached to the wall with a wire.)
As I've noted before, newspaper reporters like to eat, and subscriptions are a big part of how they do that. So if you tweak your browser to bypass the paywall, that has nothing to do with “freedom”. You're just being cheap.
PS: Next rant: why I don't waste a lot of time chasing down pirate PDFs of my books. But when people write and say your book is expensive, send me a PDF for free, sorry, no, that's what libraries are for.
“The Risks of Election Believability (or Lack Thereof),” the Inside Risks column in the June 2021 Communications of the ACM (CACM), and its related video, by Rebecca T. Mercuri and Peter G. Neumann, have been published online at https://cacm.acm.org/magazines/2021/6/252836-the-risks-of-election-believability-or-lack-thereof/fulltext. The video alone is at https://vimeo.com/552504677.
Please report problems with the web pages to the maintainer