The RISKS Digest
Volume 32 Issue 79

Monday, 2nd August 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

If you don't trust AI yet, you're not wrong.
NYTimes
Phantom Warships Are Courting Chaos in Conflict Zones
WiReD
Chair moved to clean in control room, bumps switch, shutting reactor in Taiwan
The Register
World's first re-programmable commercial satellite set to launch
phys.org
AirDropped Image Of AirSoft Weapon Leads to UAL Flight Evacuation
AVweb
On The Contours of Our Insecurity' & Related Obduracy…
Forbes
Hackers Turning to ‘Exotic’ Programming Languages for Malware Development
The Hacker News
As Cyberattacks Surge, Security Start-Ups Reap the Rewards
NYTimes
Albertans' personal information exposed after national health-care provider hacked, data put up for sale
Edmonton Journal
Human Risk Management is the FIX.
The Hacker News
Don't click links in text messages
Tom Van Vleck
Florida Sheriff's Office Now Notifying People It Will Be Inflicting Its Pre-Crime Program On Them
TechDirt
Ancient Printer Security Bug Affects Millions of Devices Worldwide
Mayank Sharma
ML Technique Used to Pinpoint Quantum Errors
Q-CTRL and U.Sydney
QR Codes Are Here to Stay. So Is the Tracking They Allow.
NYTimes
The Robocall Rebellion
NYTimes
Joint USTPC/CRA Comments to the White House's OSTP on Enhancing Scientific Integrity Policies
PGN
Re: Disinformation for Hire, a Shadow Industry, Is Quietly Booming,
Richard Thieme
Re: Some locals say a bitcoin mining operation is ruining one of the Finger Lakes. Here's how.
John Levine
Re: YouTube fined 100 000 Euros delaying court order to restore video
Thomas Koenig
Re: “Roundoff”
Eric Ferguson
Info on RISKS (comp.risks)

If you don't trust AI yet, you're not wrong. (NYTimes)

Peter Neumann <neumann@csl.sri.com>
Fri, 30 Jul 2021 11:33:27 PDT

Frank Pasquale and Gianclaudio Malgieri, The New York Times (online on 30 Jul 2021, and in print on the opinion page, 2 Aug 2021)

https://www.nytimes.com/2021/07/30/opinion/artificial-intelligence-european-union.html

Americans have good reason to be skeptical of artificial intelligence. Tesla crashes have dented the dream of self-driving cars. Mysterious algorithms predict job applicants' performance based on little more than video interviews. Similar technologies may soon be headed to the classroom, as administrators use “learning analytics platforms” to scrutinize students' written work and emotional states. Financial technology companies are using social media and other sensitive data to set interest rates and repayment terms.

Even in areas where AI seems to be an unqualified good, like machine learning to better spot melanoma, researchers are worried that current data sets do not adequately represent all patients’ racial backgrounds. […]

In April, the European Union released a new proposal for a systematic regulation of artificial intelligence. If enacted, it will change the terms of the debate by forbidding some forms of AI, regardless of their ostensible benefits. Some forms of manipulative advertising will be banned, as will real-time indiscriminate facial recognition by public authorities for law enforcement purposes.

The list of prohibited AI uses is not comprehensive enough—for example, many forms of nonconsensual AI-driven emotion recognition, mental health diagnoses, ethnicity attribution and lie detection should also be banned. But the broader principle—that some uses of technology are simply too harmful to be permitted—should drive global debates on AI regulation. […]

The European Union is now laying the intellectual foundations for such protections, in a wide spectrum of areas where advanced computation is now (or will be) deployed to make life-or-death decisions about the allocation of public-assistance services, the targets of policing, and the cost of credit. While its regulation will never be adopted by the United States, there is much to learn from its comprehensive approach.


Phantom Warships Are Courting Chaos in Conflict Zones (WiReD)

“Gabe Goldberg” <gabe@gabegold.com>
Fri, 30 Jul 2021 00:38:29 -0400

The latest weapons in the global information war are fake vessels behaving badly

https://www.wired.com/story/fake-warships-ais-signals-russia-crimea/


Chair moved to clean in control room, bumps switch, shutting reactor in Taiwan (The Register)

“Rob Wilcox” <robwilcoxjr@gmail.com>
Wed, 28 Jul 2021 20:18:30 -0700

We don't often think about basic house cleaning in mission critical facilities. Not cleaning is not an option for operator experience and other reasons. I wonder what the literature is on that in human factors engineering?

The Guosheng Nuclear Power Plant in Taiwan is about 15 miles from Taipei and on the ocean. At 985MW, it provides about 3-4% of load this week, which varies between about 26,000-38,000MW.

When cleaning the control room, a chair was moved, lifting an acrylic safety cover and activating the protected switch. The switch closed the main steam loop valve which caused the safety sequence to shut down the reactor without further incident.

The Register tagged their article “Surprisingly a real-life scenario and not a plotline from The Simpsons”.

Preliminary report by the Taiwan Atomic Energy Council (Chinese, your browser may translate): https://www.aec.gov.tw/newsdetail/headline/5757.html

Local coverage: https://en.rti.org.tw/news/view/id/2005816

More: https://www.theregister.com/2021/07/28/taiwan_nuclear_plant_shutdown/


World's first re-programmable commercial satellite set to launch (phys.org)

“Richard Stein” <rmstein@ieee.org>
Fri, 30 Jul 2021 18:25:43 +0800

https://phys.org/news/2021-07-world-re-progammable-commercial-satellite.html

“The European Space Agency will on Friday launch the world's first commercial fully re-programmable satellite, paving the way for a new era of more flexible communications.”

“Unlike conventional models that are designed and ‘hard-wired’ on Earth and cannot be repurposed once in orbit, the Eutelsat Quantum is based on so-called software-defined technology that allows users to tailor the communications to their needs—almost in real-time.”

A pre-launch bugathon/hackathon, in addition to qualification testing and acceptance sign-off, is a reasonable recommendation.


AirDropped Image Of AirSoft Weapon Leads to UAL Flight Evacuation (AVweb)

“Gabe Goldberg” <gabe@gabegold.com>
Wed, 28 Jul 2021 12:30:51 -0400

According to local news sources, a teenage airline passenger “virtually” triggered a security evacuation by AirDropping an electronic image of a replica AirSoft weapon to other passengers. The incident occurred before takeoff on a United Airlines flight from San Francisco to Orlando. Security officials ultimately determined that the image had been taken well before the time of the flight and the fake gun was not on board. They also determined that no malicious intent was involved.

https://www.avweb.com/aviation-news/airdropped-image-of-airsoft-weapon-leads-to-ual-flight-evacuation/


On The Contours of Our Insecurity' & Related Obduracy…

“Robert Mathews (OSIA)” <mathews@hawaii.edu>
Thu, 29 Jul 2021 22:31:33 -0400

Thomas Brewster, Cybersecurity, FORBES, 29 Jul 2021 “Meet Paragon: An American-Funded, Super-Secretive Israeli Surveillance Startup That ‘Hacks WhatsApp And Signal’” https://www.forbes.com/sites/thomasbrewster/2021/07/29/paragon-is-an-nso-competitor-and-an-american-funded-israeli-surveillance-startup-that-hacks-encrypted-apps-like-whatsapp-and-signal

“Paragon Solutions doesn’t have a website. There’s very little information at all about them online … But it does have a cofounder, director and chief shareholder that will turn heads: Ehud Schneorson, the former commander of Israel’s NSA equivalent, known as Unit 8200. The other cofounders - CEO Idan Nurick, CTO Igor Bogudlov and vice president of research Liad Avraham - are ex-Israeli intelligence too. Also on the board is cofounding director and former Israeli prime minister Ehud Barak. They also have a significant American financial backer: Boston, Massachusetts-based Battery Ventures.”


Hackers Turning to ‘Exotic’ Programming Languages for Malware Development (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Tue, 27 Jul 2021 12:33:46 -1000

Threat actors are increasingly shifting to “exotic” programming languages such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering efforts.

“Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies,” said <https://www.blackberry.com/us/en/forms/enterprise/report-old-dogs-new-tricks> Eric Milam, Vice President of threat research at BlackBerry. “That tactic has multiple benefits from the development cycle and inherent lack of coverage from protective products.”

On the one hand, languages like Rust are more secure as they offer guarantees like memory-safe programming <https://en.wikipedia.org/wiki/Rust_(programming_language)#Memory_safety>, but they can also be a double-edged sword when malware engineers abuse the same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwarting attempts to activate a kill-switch <https://thehackernews.com/2020/08/emotet-botnet-malware.html> and render them powerless.

Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot adds additional layers of obfuscation, simply by virtue of them being relatively new, leading to a scenario where older malware developed using traditional languages like C++ and C# are being actively retooled with droppers and loaders written in uncommon alternatives to evade detection by endpoint security systems. […]

https://thehackernews.com/2021/07/hackers-turning-to-exotic-programming.html


As Cyberattacks Surge, Security Start-Ups Reap the Rewards (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 27 Jul 2021 22:01:00 -0400

Investors have poured $12.2 billion into cybersecurity companies so far this year, nearly $2 billion more than the total for all of 2020.

https://www.nytimes.com/2021/07/26/technology/cyberattacks-security-investors.html


Albertans' personal information exposed after national health-care provider hacked, data put up for sale (Edmonton Journal)

“Matthew Kruk” <mkrukg@gmail.com>
Fri, 30 Jul 2021 06:46:49 -0600

A listing on Marketo, a self-described “leaked data marketplace,” claimed to be selling more than 180 gigabytes of the company's data including a sample evidence package with documents referencing provincial and national organizations, including Workers' Compensation Board of Alberta, the City of Spruce Grove, Construction Labour Relations, Fortis Alberta, Alberta Motor Association, the University of Lethbridge and Bow Valley College.

https://edmontonjournal.com/news/local-news/albertans-personal-information-exposed-after-national-health-care-provider-hacked-data-put-up-for-sale


Human Risk Management is the FIX. (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Thu, 8 Jul 2021 11:01:15 -1000

Humans are an organization's strongest defence against evolving #cyber threats, but security awareness #training alone often isn't enough to transform user behaviour.

Human Risk Management (HRM) is the FIX.

Check out this new guide from @getusecure: […] https://thehackernews.com/2021/07/security-awareness-training-is-broken.html via https://twitter.com/TheHackersNews/status/1413158374057730052


Don't click links in text messages

“Tom Van Vleck” <thvv@multicians.org>
Wed, 28 Jul 2021 08:48:46 -0400

Mobile phones have hundreds of options, but there's one important one missing. If iPhones had a Messages option named “disable links in Messages” I would set it and tell everyone to set it.

The Bad Guys can send text messages that appear to be from anybody. I get a lot from banks I don't have an account at. If the Bad Guys hack somebody else's phone or email, they might get your mobile number and send you a fake text message with a link in it.

If you click this link, a web browser on your phone will be sent to a fake page of theirs. That page can infect your phone with malware, spyware, ransomware. Spoil your day/week/month.

Here is a web page that explains the problem. https://theintercept.com/2021/07/27/pegasus-nso-spyware-security/

(Are you about to click that link, without making sure the mail is really from me?)


Florida Sheriff's Office Now Notifying People It Will Be Inflicting Its Pre-Crime Program On Them (TechDirt)

Richard Forno <rforno@infowarrior.org>
July 30, 2021 22:23:23 JST

(the agency's letter, which you can read at the link, is some grade-A Orwellian nonsense… —rick) [via Dave Farber]

https://www.techdirt.com/articles/20210724/15223647236/florida-sheriffs-office-now-notifying-people-it-will-be-inflicting-pre-crime-program-them.shtml


Ancient Printer Security Bug Affects Millions of Devices Worldwide (Mayank Sharma)

ACM TechNews <technews-editor@acm.org>
Wed, 28 Jul 2021 11:56:32 -0400 (EDT)

Mayank Sharma, TechRadar, 21 Jul 2021, via ACM TechNews, Wednesday, July 28, 2021

Cybersecurity researchers at SentinelOne have identified a highly severe privilege escalation vulnerability in HP, Samsung, and Xerox printer drivers. The vulnerability appears to have been present since 2005. The researchers said millions of devices and users worldwide likely have been impacted by the buffer overflow vulnerability, which can be exploited whether or not a printer is connected to a targeted device. SentinelOne's Asaf Amir said, “Successfully exploiting a driver vulnerability might allow attackers to potentially install programs; view, change, encrypt, or delete data, or create new accounts with full user rights.” Hackers would need local user access to the system to access the affected driver and take advantage of the vulnerability.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c145x22c913x072638


ML Technique Used to Pinpoint Quantum Errors (Q-CTRL and U.Sydney)

ACM TechNews <technews-editor@acm.org>
Fri, 30 Jul 2021 12:59:24 -0400 (EDT)

HPCwire, 29 Jul 2021, via ACM TechNews, Friday, July 30, 2021

Researchers at Australia's University of Sydney (USYD) and quantum control startup Q-CTRL have designed a method of pinpointing quantum computing errors via machine learning (ML). The USYD team devised a means of recognizing the smallest divergences from the conditions necessary for executing quantum algorithms with trapped ion and superconducting quantum computing equipment. Q-CTRL scientists assembled custom ML algorithms to process the measurement results, and minimized the impact of background interference using existing quantum controls. This yielded an easy distinction between sources of correctable “real” noise and phantom artifacts of the measurements themselves. USYD's Michael J. Biercuk said, “The ability to identify and suppress sources of performance degradation in quantum hardware is critical to both basic research and industrial efforts building quantum sensors and quantum computers.”

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c1c7x22c9a9x073991&


QR Codes Are Here to Stay. So Is the Tracking They Allow. (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 27 Jul 2021 21:51:21 -0400

Fueled by a desire for touchless transactions, QR codes popped up everywhere in the pandemic. Businesses don’t want to give them up.

https://www.nytimes.com/2021/07/26/technology/qr-codes-tracking.html


The Robocall Rebellion

Monty Solomon <monty@roscom.com>
Fri, 30 Jul 2021 00:31:50 -0400

https://www.nytimes.com/2021/07/28/opinion/the-robocall-rebellion.html


Joint USTPC/CRA Comments to the White House's OSTP on Enhancing Scientific Integrity Policies

Peter Neumann <neumann@csl.sri.com>
Wed, 28 Jul 2021 20:10:22 PDT

The White House's Office of Science and Technology Policy (OSTP) made a formal Request for Information To Improve Federal Scientific Integrity Policies in June 2021. https://www.federalregister.gov/documents/2021/06/28/2021-13640/request-for-information-to-improve-federal-scientific-integrity-policies A joint response has been submitted to OSTP from the Computing Research Association and USTPC. https://www.acm.org/binaries/content/assets/public-policy/cra-acm-comments-si-ftac-rfi.pdf


Re: Disinformation for Hire, a Shadow Industry, Is Quietly Booming, (Max Fisher, RISKS-32.78)

“Richard Thieme” <rthieme@thiemeworks.com>
Thu, 29 Jul 2021 10:02:35 -0500

Max Fisher writes of the disinformation industry as if his illumination is news. After I wrote an article about a cyber sleuth who worked online 25 years ago for an English magazine, Hill and Knowlton, the global PR firm, thought I lived in London (we had not acclimated yet to the global presence of everyone on the Internet) and asked me to come by for a talk. They wanted to do “brand defense” on the Internet, which meant impersonating multiple people in Usenet groups and the like, all forerunners of current practices. This is not new news. I wrote long ago that “truth and lies are Siamese twins, joined at the lips,” and began with speech — or before, with deceptive gestures, as chimps have been seen to do.


Re: Some locals say a bitcoin mining operation is ruining one of the Finger Lakes. Here's how. (NBC News, RISKS-32.78)

“John Levine” <johnl@iecc.com>
28 Jul 2021 01:01:09 -0400

The bitcoin mining hardware is physically located at the power plant.

The retail price I pay for power is about 5.4c/kwh for supply and 5.2c/kwh for delivery. While it's certainly cheaper for wholesale customers I think that the supply and delivery charges are about equal, so if the miners had to pay for delivery, it wouldn't be worth it.


Re: YouTube fined 100 000 Euros delaying court order to restore video (RISKS-32.78)

“Thomas Koenig” <tkoenig@netcologne.de>
Wed, 28 Jul 2021 07:57:24 +0200

> It seems like hubris for the “Higher Regional Court at Dresden”
> to expect that everyone in the world will recognize that title
> and recognize the court's authority.

They were served with court papers, and as I wrote, they had representation at court. You have to be a qualified lawyer to appear before the “Oberlandesgericht”, to give it its proper title, and the court order would be communicated to them.

> It should take a reasonable time to investigate such a message for
> authenticity.

It is simply not credible that a company would confuse a court order communicated through their own lawyers with some random crackpot e-mail.


Re: “Roundoff” (RISKS-32.78)

Eric Ferguson <e.ferguson@antenna.nl>
Wed, 28 Jul 2021 12:54:11 +0200

Whether the times are truncated to the lower number of decimals or correctly rounded makes no systematic difference when comparing results. The truncated values are on average exactly 0.5 of the smallest digit value smaller than the rounded values. Both expand the smallest difference between the input values into a full one unit of the smallest digit value in the shortened number, but do so at different places in the continuum of input values.

As long as you are only comparing results from the same data set, there will be no systematic bias. But if you compare truncated times with rounded times, or compare totals of added times, there can be systematic bias.
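A constructed check of Ferguson's argument, written here as an added example and not part of the original post; it assumes times shortened to two decimals (0.01 s as the smallest digit value) and a sample that runs through every third-decimal digit equally often:

```python
"""Truncation vs rounding of timing results (constructed example).
Assumption: times are kept to two decimals, so the smallest digit value is 0.01."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

UNIT = Decimal("0.01")  # smallest digit value kept after shortening


def truncate(t: Decimal) -> Decimal:
    """Drop the extra decimals (ROUND_DOWN is truncation for positive times)."""
    return t.quantize(UNIT, rounding=ROUND_DOWN)


def round_half_up(t: Decimal) -> Decimal:
    """Correctly round to the kept digits."""
    return t.quantize(UNIT, rounding=ROUND_HALF_UP)


def sample_times() -> list:
    """Constructed input: 10.000, 10.001, ..., 10.999 s, so every value of
    the dropped third decimal occurs equally often."""
    return [Decimal("10.000") + k * Decimal("0.001") for k in range(1000)]


def mean_gap_in_units(times) -> Decimal:
    """Average (rounded - truncated) in units of the smallest kept digit."""
    gaps = [(round_half_up(t) - truncate(t)) / UNIT for t in times]
    return sum(gaps) / len(gaps)


def expansion_points(times, shorten) -> list:
    """Last dropped digit of each input whose shortened value differs from the
    next input's: where a 0.001 difference becomes a full 0.01 step."""
    return [int(a * 1000) % 10 for a, b in zip(times, times[1:])
            if shorten(a) != shorten(b)]


def ordering_preserved(times, shorten) -> bool:
    """Within one data set (one shortening method) no pair changes order."""
    return all(shorten(a) <= shorten(b) for a, b in zip(times, times[1:]))


def total_bias(times) -> Decimal:
    """Totals of added times: rounded sum minus truncated sum."""
    return sum(round_half_up(t) for t in times) - sum(truncate(t) for t in times)


def mixed_compare(a, b) -> str:
    """Compare a truncated time a against a rounded time b (mixed data sets)."""
    ta, rb = truncate(Decimal(a)), round_half_up(Decimal(b))
    return "a<b" if ta < rb else ("a>b" if ta > rb else "a=b")


if __name__ == "__main__":
    ts = sample_times()
    print("mean gap (units):", mean_gap_in_units(ts))                  # 0.5
    print("truncation steps at digit:", set(expansion_points(ts, truncate)))        # {9}
    print("rounding steps at digit:", set(expansion_points(ts, round_half_up)))     # {4}
    print("ordering kept:", ordering_preserved(ts, truncate), ordering_preserved(ts, round_half_up))
    print("bias in totals (s):", total_bias(ts))                        # 5.00
    # a raw 10.009 s truncated (10.00) looks faster than a raw 10.005 s rounded (10.01)
    print("mixed:", mixed_compare("10.009", "10.005"))                  # a<b
```

Within one method the order of any two times is never inverted, but the rounded total of 1000 such times exceeds the truncated total by 5.00 s, and mixing the two methods can make the slower time look faster.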
