The RISKS Digest
Volume 32 Issue 71

Saturday, 12th June 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

New trains on Amtrak's Acela delayed a year by new round of testing
WashPost
Drone scares off thousands of nesting elegant terns at Bolsa Chica Ecological Reserve in California
WashPost
Why are we building in “single points of failure”?
Rob Slade
Fixing Medical Devices That Are Biased against Race or Gender
Scientific American
Baidu rolls out paid driverless taxi service in Beijing
AP
Expert Stakeholder Consultation Report on the Indian Encryption Debate
John Young
Hundreds arrested in massive global crime sting using messaging app
BBC News
Ransomware and cyber-insurance
Rob Slade
Fujifilm refuses to pay ransomware demand, restores network from backups
Verdict
We Have Met the Ransomware Enemy, and It Is /Partly/ Us!
Lauren Weinstein
Majority of $4.4 million cryptocurrency ransom payment in Colonial Pipeline hack recovered
USA Today and others
Cybersecurity Framework Profile for Ransomware Risk Management—Preliminary Draft
nist.gov
An insect-computer hybrid system for search operations in disasters
Techxplore.com
Dartmouth Medical School Drops Online Cheating Cases Against Students
NYTimes
Hackers Breached Colonial Pipeline Using Compromised Password
Bloomberg
Apple driver's licenses
Lauren Weinstein
Apple Wallet for ID
Gabe Goldberg
Clueless or clickbait? You decide…
WashPost
Encrypted Messaging App Run by the FBI Leads to Arrest of Over 100 Organized Crime Members
Gizmodo
Fastly CDN screws up internal configuration, takes down major sites around the world
NPR
New York Times posts, then removes, article announcing discovery of watermelons on Mars
Lauren Weinstein
Amazon's Sidewalk Network Is Turned On by Default. Here's How to Turn It Off
Inc.
Pipeline Investigation Upends Idea That Bitcoin Is Untraceable
NYTimes
Replacement with non-allergenic joints can provide relief
medicalxpress
Re: How do you know this isn't a fake posting?
R. G. Newbury
Re: A “lethal” weaponized drone “hunted down a human target”
George Sigut
Book review - “Soap and Water and Common Sense”
Rob Slade
Info on RISKS (comp.risks)

New trains on Amtrak's Acela delayed a year by new round of testing (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Tue, 8 Jun 2021 20:47:19 -0400

Amtrak's new Acela train cars need an extra round of testing to ensure they can safely operate on the curvy and aging tracks of the Northeast Corridor, railroad officials said, confirming a year-long delay in the delivery of the new trains.

A prototype train that began tests on the route between Washington and Boston last year was incompatible with the corridor's track and its catenary system—the overhead wires that supply the train with electricity. The train had to be modified to work harmoniously with the infrastructure, according to Amtrak officials.

The first two of 28 Avelia Liberty high-speed train sets from the French manufacturer Alstom had been expected to enter service this spring. Amtrak now projects a spring 2022 debut, citing not only the train reconfiguration, but also delays caused by production and training interruptions during the coronavirus pandemic.

Larry Biess, who oversees the rollout of the new Acela trains at Amtrak, said Alstom modified the train's design to address the compatibility problems identified during testing.

The train would lose contact with the electrified catenary wire and could not reach the optimal speed, he said. The adjustments ensure that the device atop the train that makes contact with the wire will perform properly, Biess said.

The modifications led to extra testing, extensive computer modeling and simulation runs. Officials said the adjustments ultimately will improve how the train handles curves.

“Unfortunately for us, the tests have been an extended affair,” Biess said, noting that this work extended by several months the timeline for introducing the new trains. He said some challenges are related to the age and configuration of the infrastructure in the Northeast Corridor.

“The track was basically designed in the 1800s. It's very curvy. It presents a bit more of a challenge than the track that this train runs on in Europe,” he said. “If we were running on a straighter track, with a more modern infrastructure, it probably wouldn't have taken as long as it has.”

https://www.washingtonpost.com/transportation/2021/06/03/amtrak-acela-new-trains/

The 1800s-design curvy track wasn't noticed when designing the new trains?


Drone scares off thousands of nesting elegant terns at Bolsa Chica Ecological Reserve in California (WaPo)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 8 Jun 2021 10:56:39 -0600

An estimated 3,000 elegant tern eggs were recently abandoned on a nesting island at the Bolsa Chica Ecological Reserve in Huntington Beach, Calif., after a drone, prohibited in the area, crashed and scared off the would-be parents.

https://www.washingtonpost.com/science/2021/06/07/drone-crash-abandoned-eggs/

By Paulina Firozi, Washington Post, June 7, 2021 at 5:57 p.m. MDT

On a nesting island at the Bolsa Chica Ecological Reserve in Southern California, thousands of elegant tern eggs dot the sands, abandoned. Now it appears the eggs will never hatch.

After a drone crashed on the reserve grounds on May 13, about 3,000 adult elegant terns were scared off, leaving about 1,500 to 2,000 eggs behind.

“It was devastating,” Melissa Loebl, an environmental scientist who manages the reserve, told The Washington Post. “That's one of the largest losses we've had.”

Drones, which California Fish and Wildlife officials say are prohibited on state reserves, can look like a “giant bird, a giant predator,” to the elegant terns, said Michael H. Horn, a professor emeritus of biology at California State University at Fullerton.


Why are we building in “single points of failure”?

Rob Slade <rslade@gmail.com>
Tue, 8 Jun 2021 11:56:53 -0700

Yet another “outage” of a service that takes down multiple major resources on the net.

https://www.npr.org/2021/06/08/1004305569/internet-fastly-outage-go-down-twitter-reddit

Why is it that we, having created a dynamic, self-healing, massively available network, are constantly trying to “improve” it into a brittle and fragile state?

No, no, don't bother: I know the answer. “Convenience,” “cost savings.”

I'm beginning to think that “efficiency” is a four-letter word …


Fixing Medical Devices That Are Biased against Race or Gender (Scientific American)

Richard Stein <rmstein@ieee.org>
Sun, 6 Jun 2021 13:15:24 +0800

https://www.scientificamerican.com/article/fixing-medical-devices-that-are-biased-against-race-or-gender/

“Medical devices, too, can be biased—an issue that has gained attention during the COVID pandemic, along with many other inequities that affect health. In a recent article in Science, Kadambi, an assistant professor at the University of California, Los Angeles, Samueli School of Engineering, describes three ways that racial and gender bias can permeate medical devices and suggests a number of solutions. Fairness, he argues, should be a criterion for evaluating new technology, along with effectiveness.”

This essay identifies and characterizes types of medical device bias: physical, computational, and interpretational. These bias types are demonstrated by pulse oximeter readings and remote plethysmographs (a device used to measure volumetric tissue changes).

The author recommends that more diverse patient populations participate in studies to better discern their fairness and effectiveness based on bias measurements.

To accelerate medical device bias detection, perhaps there should be an FDA certified standard “bias measurement characteristic platform” that can assess these factors. These bias measurements (by gender and ethnicity) should be publicly disclosed.

How would a consumer or physician react to medical device bias labeling? Device manufacturers might reconsider their product engineering processes, adjusting device bias characteristics for specific patient cohorts.

Risk: Medical device bias measurement and disclosure


Baidu rolls out paid driverless taxi service in Beijing (AP)

geoff goodfellow <geoff@iconia.com>
Tue, 8 Jun 2021 09:24:49 -1000

Chinese tech giant Baidu rolled out its paid driverless taxi service on Sunday, making it the first company to commercialize autonomous driving operations in China.

Unlike previous Baidu autonomous driving demonstrations in Beijing, this was the first time there was no safety driver sitting behind the wheel. Instead, a safety member was seated in the front passenger seat to deal with any emergencies.

Up to 10 Apollo robotaxis are now operating simultaneously in an area of about 3 square kilometers (1.2 square miles), picking up and dropping off passengers at eight stops in Shougang Park in western Beijing. Each ride costs 30 yuan ($4.60), and is open to passengers ages 18 to 60. […] https://apnews.com/article/beijing-technology-business-12b81749f522eff6706410cecae56716


Expert Stakeholder Consultation Report on the Indian Encryption Debate (Cryptography)

John Young <jya@pipeline.com>
Sun, Jun 6, 2021 at 12:06 AM

https://thedialogue.co/wp-content/uploads/2021/06/Report-on-Expert-Stakeholder-Consultation-on-the-Indian-Encryption-Debate-The-Dialogue.pdf <https://t.co/XEoAWtOgWV?amp=1>


Hundreds arrested in massive global crime sting using messaging app (BBC News)

Gabe Goldberg <gabe@gabegold.com>
Tue, 8 Jun 2021 16:22:26 -0400

More than 800 suspected criminals have been arrested worldwide after being tricked into using an FBI-run encrypted messaging app, officials say.

The operation, jointly conceived by Australia and the FBI, saw devices with the ANOM app secretly distributed among criminals, allowing police to monitor their chats about drug smuggling, money laundering and even murder plots.

Officials called it a watershed moment.

Targets included drug gangs and people with links to the mafia.

Drugs, weapons, luxury vehicles and cash were also seized in the operation, which was conducted across more than a dozen countries. This included eight tonnes of cocaine, 250 guns and more than $48m (£34m) in various worldwide currencies and cryptocurrencies. […]

The FBI began operating an encrypted device network called ANOM, and covertly distributed devices with the chat app among the criminal underworld via informants.

https://www.bbc.com/news/world-57394831

…next step after scattering infected USB drives outside gang headquarters.


Ransomware and cyber-insurance

Rob Slade <rslade@gmail.com>
Mon, 7 Jun 2021 11:33:38 -0700

I first started to see the idea of “cyber-insurance” back in the early days (late 1980s) of malware. At that time “cyber-insurance” was just seen as cost recovery when you'd been hit with a computer virus infestation. Then the idea languished for many years. After all, most people saw cyber-insurance as a way not to do risk analysis and management, and were perturbed when they realized the insurers wanted them to do risk analysis and management before they would quote on a policy.

About a decade ago, I started to see the idea being pushed again. Once again, risk management was a stumbling block, although now the insurers had gotten smart enough to sell policies that, basically, had lots of verbiage and conditions that boiled down to “if you got hit you were negligent, so we don't have to pay.”

In recent years I've been seeing an increasing push for cyber-insurance, this time specifically in regard to ransomware. (For the purposes of this posting, I don't need to go over the difference between ransomware and breachstortion, and the value of backups.) This specific promotion has gotten so aggressive that it has jumped from the tech trade press to the general media. https://lite.cnn.com/en/article/h_29b52c25ef9784bd6e4b2ca6d01a0646

In terms of ransomware, most of us in the security field know that paying is bad because a) it increases the problem, and b) it is fairly unlikely that paying the ransom will get you back in business. (Even Colonial Pipelines, having already paid the ransom, found that restoring from backup was a more effective recovery solution.) Law enforcement tends to agree, although there are some in the world of management who still seem resistant to the concept. (With the current interest in “herd immunity” for the pandemic, it is instructive to note that not paying ransom is one way to increase ransomware herd immunity. But I digress.)

The push by insurers to sell cyber-insurance for protection against ransomware (and possibly breachstortion, as well), prompts another thought: are the insurers and ransomware gangs in it together?


Fujifilm refuses to pay ransomware demand, restores network from backups (Verdict)

Rob Slade <rslade@gmail.com>
Tue, 8 Jun 2021 11:44:10 -0700

Fujifilm reported it has refused to pay a ransom demand to the cybergang that attacked its network in Japan last week and is instead relying on backups to restore operations.

The company's computer systems are back to business as usual. https://www.verdict.co.uk/fujifilm-ransom-demand/

Goodonya, Fuji!


We Have Met the Ransomware Enemy, and It Is /Partly/ Us!

Lauren Weinstein <lauren@vortex.com>
Sat, 5 Jun 2021 15:38:05 -0700

https://lauren.vortex.com/2021/06/05/ransomware-enemy


Majority of $4.4 million cryptocurrency ransom payment in Colonial Pipeline hack recovered

Lauren Weinstein <lauren@vortex.com>
Mon, 7 Jun 2021 15:12:04 -0700

https://www.usatoday.com/story/news/politics/2021/06/07/cryptocurrency-ransom-paid-colonial-pipeline-hack-mostly-recovered/7589909002/


Cybersecurity Framework Profile for Ransomware Risk Management—Preliminary Draft (nist.gov)

Richard Stein <rmstein@ieee.org>
Fri, 11 Jun 2021 12:51:53 +0800

https://csrc.nist.gov/CSRC/media/Publications/nistir//draft/documents/NIST.IR.8374-preliminary-draft.pdf retrieved on 11JUN2021

“The Ransomware Profile aligns organizations' ransomware prevention and mitigation requirements, objectives, risk appetite, and resources with the elements of the Cybersecurity Framework. The purpose of the profile is to help organizations identify and prioritize opportunities for improving their ransomware resistance. Organizations can use this document as a guide for profiling the state of their own readiness. For example, they can determine their current state and set a target profile to identify gaps to achieve their goal.”

The Framework itemizes several commonsense measures to deploy that can minimize ransomware assault (See Section 1.1 The Ransomware Challenge.) The Framework establishes a basis for organizations to harmonize practices into a standard operational business capability.

Given historical and largely voluntary measures to tighten infosec, organizations require motivation to adopt these practices. Perhaps enforced business regulation, including restricted terms of service for indemnification, might compel shirkers to harden digital hygiene practices.

Without significant uptake of this guidance, the scourge of ransomware assault will persist and remain unchecked.


An insect-computer hybrid system for search operations in disasters (Techxplore.com)

Richard Stein <rmstein@ieee.org>
Fri, 11 Jun 2021 18:32:25 +0800

https://techxplore.com/news/2021-06-insect-computer-hybrid-disasters.html

The preprint @ https://arxiv.org/ftp/arxiv/papers/2105/2105.10869.pdf retrieved on 11JUN2021, mentioned the power source is sufficient to power the Madagascar hissing roach electronic payload for ~2H, and weighs in at ~5.5 grams. The payload consists of a CO2 sensor, a low power infrared camera, and guidance unit.

A typical ‘hisser’ weighs anywhere from ~7-25g. Only the largest individuals, per the paper, are saddled up for search and rescue duty.

In a large disaster, such as a peak-hour workday building collapse, one would need to deploy a swarm of hissers to accelerate survivor detection. Fortunately, technology can control drone swarms.

“Swarm intelligence (SI) is the collective behavior of decentralized, self-organized systems, natural or artificial” per https://en.wikipedia.org/wiki/Swarm_intelligence (retrieved on 11JUN2021).

Risk: Search conditions. Per https://extension.okstate.edu/fact-sheets/madagascar-hissing-cockroaches-information-and-care.html (retrieved on 11JUN2021), the bugs are unionized and will initiate a “sit down” strike if the ambient temperature is less than ~70 degrees F.


Dartmouth Medical School Drops Online Cheating Cases Against Students (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Fri, 11 Jun 2021 14:49:50 -0400

The Ivy League school said it was dismissing allegations that students had looked up online course materials during remote exams.

Dartmouth's Geisel School of Medicine says it is dropping an online cheating investigation that led the school to erroneously accuse some students, allegations that prompted an outcry among faculty, alumni and technology experts.

In March, Dartmouth charged 17 students with cheating based on a review of certain online activity data on Canvas—a popular learning management system where professors post assignments and students submit their work—during remote exams. The school quickly dropped seven of the cases after at least two students argued that administrators had mistaken automated Canvas activity for human cheating.

Now Dartmouth is also dropping allegations against the remaining 10 students, some of whom faced expulsion, suspension, course failures and misconduct marks on their academic records that could have derailed their medical careers.

“I have decided to dismiss all the honor code charges,” Duane A. Compton, the dean of the medical school, said in an email to the Geisel community on Wednesday evening, adding that the students' academic records would not be affected. “I have apologized to the students for what they have been through.”

Dartmouth's decision to dismiss the charges followed a software review by The New York Times, which found that students' devices could automatically generate Canvas activity data even when no one was using them. Dartmouth's practices were condemned by some alumni along with some faculty at other medical schools.

https://www.nytimes.com/2021/06/10/technology/dartmouth-cheating-charges.html


Hackers Breached Colonial Pipeline Using Compromised Password

Lauren Weinstein <lauren@vortex.com>
Fri, 4 Jun 2021 20:37:33 -0700

I keep saying this again and again. This isn't rocket science. Decent 2-factor login authentication, especially FIDO/U2F keys, would block this kind of compromise, rendering that password essentially useless. And VPNs should be phased out in preference for Zero Trust platforms! -L

https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password


Apple driver's licenses

Lauren Weinstein <lauren@vortex.com>
Mon, 7 Jun 2021 16:00:35 -0700

Trying to think of worse ideas than scanning driver's licenses into iPhones and then using the phones as a government ID. Yep, there are worse ideas, but this one scores dandy high.


Apple Wallet for ID

Gabe Goldberg <gabe@gabegold.com>
Tue, 8 Jun 2021 16:29:19 -0400

A friend wrote:

Which reminds me … Apple is supposedly arranging with TSA to use the Wallet to hold your ID. Not sure what I think about that, but one of my early experiences with a boarding pass in my phone was having the phone shut off when the battery died and no backup. Not a pleasant experience. How did I not see that coming?

Someone else I know came out strongly against Apple Wallet for ID. Apple's pretty good on privacy and security so I'm not sure I agree with him.

Fortunately he likes cats, so we get along. And I'll await more info on Apple Wallet—I have stored various credit cards and memberships, not a driver's license.


Clueless or clickbait? You decide… (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 6 Jun 2021 22:54:39 -0400

https://www.washingtonpost.com/technology/2021/06/06/apple-app-store-scams-fraud

This headline and subhead are nonsense:

Apple's tightly controlled App Store is teeming with scams

Nearly 2 percent of Apple's top-grossing apps on one day were scams—and they have cost people $48 million

…considering this definition of “teeming”:

Teeming means completely full, especially with living things. If your grandmother's apartment is teeming with cats, she sure has a lot of them.

“Nearly 2 percent” doesn't quite fulfill “completely full” or even “a lot”. That headline is either clueless or deliberate clickbait.

A better—more accurate—headline would have been, “Apple's tightly controlled App Store holds less than 2% scam apps”. This indicates Apple works to weed out scams:

Apple says it is constantly improving its methods for sniffing out scams and usually catches them within a month of hitting the App Store. In a recent news release, Apple said it employed new tools to verify the authenticity of user reviews and last year kicked 470,000 app developer accounts off the App Store. Developers, however, can create new accounts and continue to distribute new apps.

And this makes no sense:

Apple unwittingly may be aiding the most sophisticated scammers by eliminating so many of the less competent ones during its app review process, said Miles, who co-authored a paper called The Economics of Scams.

There are plenty of depressing anecdotal stories about scam apps here, along with some details about what Apple does to prevent scams, but the headline is way off the mark.


Encrypted Messaging App Run by the FBI Leads to Arrest of Over 100 Organized Crime Members

Lauren Weinstein <lauren@vortex.com>
Tue, 8 Jun 2021 07:45:55 -0700

https://gizmodo.com/encrypted-messaging-app-run-by-the-fbi-leads-to-arrest-1847051248


Fastly CDN screws up internal configuration, takes down major sites around the world (NPR)

Lauren Weinstein <lauren@vortex.com>
Tue, 8 Jun 2021 07:56:03 -0700

https://www.npr.org/2021/06/08/1004305569/internet-fastly-outage-go-down-twitter-reddit


New York Times posts, then removes, article announcing discovery of watermelons on Mars

Lauren Weinstein <lauren@vortex.com>
Tue, 8 Jun 2021 13:39:06 -0700

[When your test page accidentally hits prod] New York Times posts, then removes, article announcing discovery of watermelons on Mars

https://boingboing.net/2021/06/08/new-york-times-posts-then-removes-article-announcing-discovery-of-watermelons-on-mars.html


Amazon's Sidewalk Network Is Turned On by Default. Here's How to Turn It Off (Inc.)

geoff goodfellow <geoff@iconia.com>
Fri, 28 May 2021 11:47:14 -1000

The company's Sidewalk mesh network goes live June 8. The good news is that you can turn it off.

Last week, Amazon said it would turn on Sidewalk <https://www.cnet.com/home/smart-home/amazon-sidewalk-will-create-entire-smart-neighborhoods-faq-ble-900-mhz/>, its mesh network that uses Bluetooth and 900MHz radio signals to communicate between devices, on June 8. I imagine that most people, even those who bought an Echo smart speaker <https://www.inc.com/jason-aten/amazon-just-announced-its-plan-to-put-smart-technology-everywhere-including-on-your-dog-seriously.html> in the past few years, have no idea what Sidewalk is.

I suspect most of those people would be even more surprised to know that it's turned on by default on every one of their devices. I'll get to that part in just a minute.

First, let's talk about Sidewalk. The idea behind it is actually really smart—make it possible for smart home devices to serve as a sort of bridge between your WiFi connection and one another. That way, if your Ring doorbell, for example, isn't located close to your WiFi router, but it happens to be near an Echo Dot, it can use Sidewalk to stay connected.

The same is true if your Internet connection is down. Your smart devices can connect to other smart devices, even if they aren't in your home. The big news on this front is that Tile is joining the Sidewalk network on June 14. That means that if you lose a Tile tracker, it can connect to any of the millions of Echo or Ring devices in your neighborhood and send its location back to you.

That's definitely a nice benefit, but it's also where things get a little murky from a privacy standpoint. That's because other people's devices, like your neighbor's, can also connect to your network. […]

https://www.inc.com/jason-aten/amazons-sidewalk-network-is-turned-on-by-default-heres-how-to-turn-it-off.html


Pipeline Investigation Upends Idea That Bitcoin Is Untraceable (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Thu, 10 Jun 2021 00:13:21 -0400

The FBI's recovery of Bitcoins paid in the Colonial Pipeline ransomware attack showed cryptocurrencies are not as hard to track as it might seem.

https://www.nytimes.com/2021/06/09/technology/bitcoin-untraceable-pipeline-ransomware.html


Replacement with non-allergenic joints can provide relief (medicalxpress.com)

Richard Stein <rmstein@ieee.org>
Mon, 7 Jun 2021 11:29:19 +0800

https://medicalxpress.com/news/2021-06-non-allergenic-joints-relief.html

[For the ‘old bones’ at risk reading this stream…]

“More than one million joints are replaced in the United States every year, and the vast majority of artificial joints improve function and provide tremendous benefit. However, about 10% of these, or about 100,000 joint replacements, will fail per year. Many fail due to infection or mechanical issues, which can be diagnosed by surgeons. However, a significant portion of those failures have no clear cause. For more than 10 years, Dr. Pacheco and her colleagues have been identifying allergies as a cause of these failed artificial joints and recommending replacement with non-allergenic components. The current paper outlines the causes of allergic reactions among patients with failed joints and the success of replacements with non-allergenic components.”

Allergic reaction to nickel fabricated into the implanted device requires a simple blood test (the Lymphocyte Proliferation to Nickel test). Implant bone cements are chemically analogous to “super glue.” There's a suite of skin tests to assess patient sensitivity.

Proactive test for allergic responses appears more effective than a diminished post-operative outcome requiring a duplicate arthroscopy to correct.


Re: How do you know this isn't a fake posting? (RISKS-32.70)

“R. G. Newbury” <newbury@mandamus.org>
Sat, 5 Jun 2021 23:33:23 -0400

> Krueger-Dunning lives …

And the Dunning-Kruger syndrome exposes itself for all to see.


Re: A “lethal” weaponized drone “hunted down a human target” (RISKS-32.70)

George Sigut <george.sigut@gmail.com>
Mon, 7 Jun 2021 08:49:06 -0400

While I consider the issue to be really important, I would suggest that you really look at what is really going on.

The text in RISKS was taken from the businessinsider, EXCEPT that the 2nd paragraph in the original reads

In the March 2020 incident, a Kargu-2 quadcopter autonomously attacked a person during a conflict between Libyan government forces and a breakaway military faction, led by the Libyan National Army's Khalifa Haftar, the Daily Star reported.

> https://www.businessinsider.com/killer-drone-hunted-down-human-target-without-being-told-un-2021-5?r=US&IR=T

not

> The March 2020 incident saw a KARGU-2 quadcopter autonomously attack a human
> during a conflict between Libyan government forces and a breakaway military
> faction, led by the Libyan National Army's Khalifa Haftar, the Daily Star
> reported.

New Scientist (see 1st paragraph) actually says

Military drones MAY have autonomously attacked humans…

Daily Star (see 2nd paragraph) says

An autonomous weaponised drone hunted down a human target last year and is thought to have attacked them without being specifically ordered to…

Both New Scientist and Daily Star base their articles on the UN Report, which can be found at

https://undocs.org/S/2021/229

and which is slightly more vague about the occasion.

The best summary, quoting DIRECTLY from the report is from NPR at

https://www.npr.org/2021/06/01/1002196245/a-u-n-report-suggests-libya-saw-the-first-battlefield-killing-by-an-autonomous-d

RISK: presenting information which was “improved” by the well-meaning chain of sources.


Book review - “Soap and Water and Common Sense”

Rob Slade <rslade@gmail.com>
Mon, 7 Jun 2021 12:24:26 -0700

OK, a quick review, and recommendation.

“Soap and Water and Common Sense,” by Dr. Bonnie Henry. The title comes from a quote from the Canadian physician Sir William Osler: soap and water and common sense are the best disinfectant. Dr. Henry's book is a readable overview of infectious diseases, their various agents, causes, precautions and cures.

Although written in 2009, the advice, that basic and simple precautions are more effective than relying on using (and misusing) the advances of modern medicine, is sound for the pandemic.

Since I wrote “Cybersecurity Lessons from CoVID-19” using the illustrations of the pandemic to point out important security principles, I note that Dr. Henry's book also points out a great many significant concepts vital to information security. The importance of the basic foundations, the reliance on the simple over the complex, and even the fact that the pursuit of efficiency puts you at a risk which you must then address are all crucial.

Highly recommended. (Both for public hygiene, and for students of security.)
