The RISKS Digest
Volume 32 Issue 87

Saturday, 11th September 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Airbus flight computers shutdown
Rich Brown
AI Can Help Patients—but Only If Doctors Understand It
WiReD
USG Releases Draft Zero-Trust Guidance
PGN
‘Breach of trust’: Police using QR check-in data to solve crimes
Sydney Morning Herald
ProtonMail provides Swiss authorities with user data
Proprivacy
How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users
Propublica
Facebook made big mistake in data it provided to researchers, undermining academic work
WashPost
Brits hire ad agency to ‘protect children’ from E2EE
Henry Baker
Misbehaving Microsoft Teams ad brings down the entire Windows 11 desktop
Ars Technica
Automated Hiring Software is Mistakenly Rejecting Millions of Viable Job Candidates
Slashdot
Government says polluters can dump raw sewage into rivers as Brexit disrupts water treatment
The Independent
Russia's Yandex says it repelled biggest DDoS attack in history
Reuters
Singapore has moved from preventing cyberthreats to assuming breaches have occurred
The Straits Times
El Salvador's Bitcoin Gamble Is Off to a Rocky Start
WiReD
Revealed: LAPD officers told to collect social media data on every civilian they stop
The Guardian
Venice prepares to charge tourists, require booking
Reuters
Sydney couple scammed out of almost $1 million
Sydney Morning Herald
FOX News' Tucker Carlson defends making and selling fake covid vaccine cards
The Independent
As U.S. Prepares to Ban Ivermectin for Covid-19, More Countries in Asia Begin Using It
Naked Capitalism
Freezing his credit after yet another data breach
Rob Pegoraro
That NYC subway outage? Someone pushed the wrong button.
danny burstein
Re: fast vs slow repairs, Lights Flickered in New York City.
John Levine
Re: Autonomous Vehicles,
Richard Stein
Quote of The Day
CommonSense MD
Info on RISKS (comp.risks)

Airbus flight computers shutdown

Rich Brown <rab@freemars.org>
Tue, 7 Sep 2021 20:42:30 -0500

This report details how Airbus pilots saved the day when all three flight computers failed on landing.

https://www.theregister.com/2021/09/06/a330_computer_failure/


AI Can Help Patients—but Only If Doctors Understand It (WiReD)

“Gabe Goldberg” <gabe@gabegold.com>
Sat, 11 Sep 2021 01:11:06 -0400

Algorithms can help diagnose a growing range of health problems, but humans need to be trained to listen.

Sepsis Watch got an anthropological close-up because the Duke developers knew there would be unknowns in the hospital's hurly-burly and asked Elish for help. She spent days shadowing and interviewing nurses and emergency department doctors and found the algorithm had a complicated social life.

The system threw up alerts on iPads monitored by the nurses, flagging patients deemed moderate or high risk for sepsis, or to have already developed the deadly condition. Nurses were supposed to call an emergency department doctor immediately for patients flagged as high risk. But when the nurses followed that protocol, they ran into problems.

Some challenges came from disrupting the usual workflow of a busy hospital: many doctors aren't used to taking direction from nurses. Others were specific to AI, like the times Sarro faced demands to know why the algorithm had raised the alarm. The team behind the software hadn't built in an explanation function, because as with many machine learning algorithms, it's not possible to pinpoint why it made a particular call.

One tactic Sarro and other nurses developed was to use alerts that a patient was at high risk of sepsis as a prompt to review that person's chart so as to be ready to defend the algorithm's warnings. The nurses learned to avoid passing on alerts at certain times of day, and how to probe whether a doctor wasn't in the mood to hear the opinion of an algorithm. “A lot of it was figuring out the interpersonal communication,” says Sarro. “We would gather more information to arm ourselves for that phone call.”

Elish also found that in the absence of a way to know why the system flagged a patient, nurses and doctors developed their own, incorrect, explanations, a response to inscrutable AI. One nurse believed the system looked for keywords in a medical record, which it does not. One doctor advised coworkers that the system should be trusted because it was probably smarter than clinicians.

https://www.wired.com/story/ai-help-patients-doctors-understand/

What a concept, consider human factors in health care.


USG Releases Draft Zero-Trust Guidance

Peter G Neumann <neumann@csl.sri.com>
Tue, 7 Sep 2021 18:46:36 PDT

Biden Administration Releases Draft Zero-Trust Guidance

The documents form a roadmap for agencies to deploy the cybersecurity architectures by the end of fiscal 2024.

Aaron Boyd, 7 SEP 2021 04:05 PM ET, NextGov https://www.nextgov.com/cybersecurity/2021/09/biden-administration-releases-draft-zero-trust-guidance/185166/

The federal government is pushing hard for agencies to adopt zero-trust cybersecurity architectures, with new guidance released Tuesday from the administration's policy arm, the Office of Management and Budget, and lead cybersecurity agency, the Cybersecurity and Infrastructure Security Agency.

The administration released several documents Tuesday for public comment, seeking feedback on the overarching federal policy from OMB and draft technical reference architecture and maturity model from CISA. The guidance follows a May executive order on bolstering cybersecurity across the federal government, which cited specific security methods and tools such as multifactor authentication, encryption and zero trust.

Zero-trust models continuously check on a user's credentials as they move throughout a network, verifying not only that they are who they claim to be but also that the user has appropriate privileges to access secure apps and data. In a mature zero-trust architecture, these checks are performed routinely, including whenever a user attempts to access different segments of the network.

“Never trust, always verify,” Federal Chief Information Officer Clare Martorana said Tuesday in a statement, echoing the zero-trust architecture refrain. “With today's zero trust announcement, we are clearly driving home the message to federal agencies that they should not automatically trust anything inside or outside of their perimeters.”

Agencies were already under mandate to develop plans to implement zero trust to meet the executive order. Now, with the new guidance and reference architectures, OMB is requiring agencies to fold new deliverables into those plans.

The memo from OMB gives agencies until the end of September 2024 to meet five “specific zero trust security goals,” all of which should be added to agency implementation plans. […]
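What a per-request zero-trust policy check looks like in code, as an added example; it is not from the OMB or CISA documents or the NextGov article. The segment names, roles, device-posture flag and token format are assumptions made for the illustration. The point it shows is that identity, token validity, device state and privilege are re-checked on every access to every segment, whereas the perimeter model trusts a session once it is inside.

```python
"""Per-request zero-trust policy evaluation (added example, not the
OMB/CISA reference architecture).  Segments, roles, the device-compliance
flag and the token format below are assumptions for illustration."""
from dataclasses import dataclass
import hashlib
import hmac

SECRET = b"example-shared-secret"  # constructed key for the demo tokens


@dataclass
class Request:
    user: str
    token: str
    segment: str
    action: str
    device_compliant: bool
    now: float  # epoch seconds at which the request is evaluated


# Assumed policy: per segment, which roles may perform which actions.
POLICY = {
    "hr-db": {"read": {"hr", "admin"}, "write": {"admin"}},
    "wiki": {"read": {"hr", "eng", "admin"}, "write": {"eng", "admin"}},
}
# Assumed role assignments.
ROLES = {"alice": {"hr"}, "bob": {"eng"}, "carol": {"admin"}}


def issue_token(user, issued_at, ttl=300):
    """Constructed token format: user:issued:expires:HMAC-SHA256 (hex).
    Not a standard; it only has to be checkable on every request."""
    payload = f"{user}:{int(issued_at)}:{int(issued_at + ttl)}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(token, user, now):
    """True only if the MAC checks out, the token names this user,
    and the current time lies inside the validity window."""
    try:
        tuser, iat, exp, mac = token.split(":")
    except ValueError:
        return False
    payload = f"{tuser}:{iat}:{exp}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return tuser == user and int(iat) <= now < int(exp)


def perimeter_decision(req, trusted_sessions):
    """Old model: a session that got inside the perimeter is trusted
    for every segment and action thereafter."""
    return req.user in trusted_sessions


def zero_trust_decision(req):
    """Evaluated afresh on every request, whichever segment it targets.
    Returns "allow" or "deny: <reason>" so a caller can log the reason."""
    if not verify_token(req.token, req.user, req.now):
        return "deny: identity"
    if not req.device_compliant:
        return "deny: device"
    allowed_roles = POLICY.get(req.segment, {}).get(req.action, set())
    if not ROLES.get(req.user, set()) & allowed_roles:
        return "deny: privilege"
    return "allow"


if __name__ == "__main__":
    t0 = 1_000_000
    tok = issue_token("bob", t0)
    for seg, act in (("wiki", "write"), ("hr-db", "read")):
        r = Request("bob", tok, seg, act, True, t0 + 10)
        print(seg, act, "perimeter:", perimeter_decision(r, {"bob"}),
              "zero-trust:", zero_trust_decision(r))
```

The expiry check is what makes re-verification meaningful: a perimeter model has nothing to re-check after login, while here a stale token, a non-compliant device or a request for a segment the role does not cover is refused even from a user who was allowed a moment earlier.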


‘Breach of trust’: Police using QR check-in data to solve crimes (Sydney Morning Herald)

“John Colville” <John.Colville@uts.edu.au>
Sun, 5 Sep 2021 21:27:44 +0000

https://www.smh.com.au/politics/federal/breach-of-trust-police-using-qr-check-in-data-to-solve-crimes-20210903-p58om8.html

The nation's privacy watchdog has called for police forces to be banned from accessing information from QR code check-in applications, after law-enforcement agencies have sought to use the contact-tracing data on at least six occasions to solve unrelated crimes.


ProtonMail provides Swiss authorities with user data (Proprivacy)

Lauren Weinstein <lauren@vortex.com>
Sun, 5 Sep 2021 18:28:11 -0700

https://proprivacy.com/privacy-news/protonmail-authorities-user-data


How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users (Propublica)

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Sep 2021 09:23:17 -0700

How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users

https://www.propublica.org/article/how-facebook-undermines-privacy-protections-for-its-2-billion-whatsapp-users


Facebook made big mistake in data it provided to researchers, undermining academic work (WashPost)

Peter G Neumann <neumann@csl.sri.com>
Sat, 11 Sep 2021 10:21:17 PDT

Craig Timberg, The Washington Post, 10 Sep 2021

The error resulted from Facebook accidentally excluding data from U.S. users who had no detectable political leanings—a group that amounted to roughly half of all of Facebook's users in the United States.

https://www.washingtonpost.com/technology/2021/09/10/facebook-error-data-social-scientists/


Brits hire ad agency to ‘protect children’ from E2EE

“Henry Baker” <hbaker1@pipeline.com>
Wed, 08 Sep 2021 23:42:10 +0000

This ad campaign against Facebook's end-to-end encryption is reminiscent of President Wilson's use of modern advertising/PR techniques to ‘sell’ the U.S. on entering WWI: ‘The War to End All Wars’

I can't wait for ‘Let your fingers do the talking’ (apologies to an acquaintance of mine) and other modern memes, or perhaps the following:

‘Can you overhear me now?’
‘Where's the pix?’
‘Just Decrypt It!’
‘Facebook: Happiest Place on Earth (if you're a pedo)’
‘Got Surveillance?’
‘Encrypt Different’
‘A Pedo is Forever’
‘Facebook: “Breakfast of Paedophiles”’
‘Look ma, no porn pix!’
‘The Uncryption!’
‘The Ultimate Decryption Machine’
‘Snap, Decrypt & Pop’
‘When it absolutely, positively has to be there in the clear’
‘You're in all hands with Facebook’
‘Like a nosey neighbor, Facebook is there’
‘The few. The proud. The spooks.’
  - - - -

James Robinson for MailOnline, 6 Sep 2021
https://www.dailymail.co.uk/news/article-9961745/Priti-Patel-new-anti-Facebook-ad-campaign-attacking-plans-encrypt-messaging-services.html

Priti Patel backs new anti-Facebook ad campaign accusing the social media giant of ‘blindfolding’ police as they investigate child sex abuse cases

Priti Patel to back charity-led advertising campaign to be launched within weeks. Campaign will attack Facebook over its plans to encrypt its messaging services. Facebook say it will boost privacy for users on its platforms, including Instagram. But security chiefs have warned it will hamper investigations into paedophiles.


Misbehaving Microsoft Teams ad brings down the entire Windows 11 desktop (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Tue, 7 Sep 2021 23:40:01 -0400

Microsoft recommends a registry edit to get things working normally again.

https://arstechnica.com/gadgets/2021/09/misbehaving-microsoft-teams-ad-brings-down-the-entire-windows-11-desktop/


Automated Hiring Software is Mistakenly Rejecting Millions of Viable Job Candidates (Slashdot)

Lauren Weinstein <lauren@vortex.com>
Mon, 6 Sep 2021 10:53:54 -0700

https://slashdot.org/story/21/09/06/1646259/automated-hiring-software-is-mistakenly-rejecting-millions-of-viable-job-candidates


Government says polluters can dump raw sewage into rivers as Brexit disrupts water treatment (The Independent)

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Sep 2021 23:07:29 -0700

[Well, that turned out nicely, huh?]

https://www.independent.co.uk/climate-change/brexit-raw-sewerage-water-treatment-b1915765.html


Russia's Yandex says it repelled biggest DDoS attack in history (Reuters)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 9 Sep 2021 17:19:01 -0600

https://www.reuters.com/technology/russias-yandex-says-it-repelled-biggest-ddos-attack-history-2021-09-09/

MOSCOW, Sept 9 (Reuters) - A cyberattack on Russian tech giant Yandex's servers (YNDX.O) in August and September was the largest known distributed denial-of-service (DDoS) attack in the history of the internet, the company said on Thursday.

The DDoS attack, in which hackers try to flood a network with unusually high volumes of data traffic in order to paralyse it when it can no longer cope with the scale of data requested, began in August and reached a record level on Sept. 5.

“Our experts did manage to repel a record attack of nearly 22 million requests per second (RPS). This is the biggest known attack in the history of the Internet,” Yandex said in a statement.

Yandex said it had seen 5.2 million RPS on Aug. 7, 6.5 million RPS on Aug. 9, 9.6 million RPS on Aug. 29, 10.9 million RPS on Aug. 31 and finally 21.8 million RPS on Sept. 5.

U.S. cybersecurity firm Cloudflare (NET.N), which is widely used by businesses and other organisations to help defend against DDoS attacks, said in August the largest DDoS attack it was aware of reached 17.2 million RPS earlier this year.
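The per-second request counting behind RPS figures like those above, as an added example; it is not Yandex's or Cloudflare's code. The log lines are constructed here in Common Log Format, and the flagging threshold (a multiple of the median per-second rate) and the source-concentration check are assumptions, included because the share of traffic coming from the top client is what decides whether a per-client limit would help at all.

```python
"""Request-rate (RPS) monitor over web-access log lines.
Added example, not code from Yandex or Cloudflare.  Log format (Common Log
Format with a [dd/Mon/yyyy:HH:MM:SS +zzzz] timestamp), the flagging factor
and the sample traffic below are assumptions for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (client_ip, epoch_second, request_line) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp()), m.group("req")


def rps_series(lines):
    """Count requests per second, and per source address within each second."""
    per_second = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the run
        ip, sec, _ = parsed
        per_second[sec] += 1
        sources[sec][ip] += 1
    return per_second, sources


def analyze(lines, baseline_rps=None, factor=5):
    """Flag seconds whose request count exceeds factor * baseline.
    With no baseline given, the median per-second count is used (assumption:
    the flood occupies fewer than half of the observed seconds)."""
    per_second, sources = rps_series(lines)
    if not per_second:
        return {"peak_rps": 0, "flagged_seconds": []}
    if baseline_rps is None:
        counts = sorted(per_second.values())
        baseline_rps = counts[len(counts) // 2]
    peak_sec, peak_rps = max(per_second.items(), key=lambda kv: kv[1])
    flagged = sorted(s for s, c in per_second.items() if c > factor * baseline_rps)
    top_ip, top_count = sources[peak_sec].most_common(1)[0]
    return {
        "baseline_rps": baseline_rps,
        "peak_rps": peak_rps,
        "peak_second": peak_sec,
        "flagged_seconds": flagged,
        "distinct_sources_at_peak": len(sources[peak_sec]),
        "top_source": top_ip,
        # Low share from the top source means a per-client limit will not
        # help much: the flood is spread across many addresses.
        "top_source_share": top_count / peak_rps,
    }


def make_sample_log():
    """Constructed sample: five quiet seconds at 3 req/s from three clients,
    then one second with 40 requests spread over twenty client addresses."""
    fmt = ('10.0.0.{n} - - [05/Sep/2021:12:00:{sec:02d} +0300] '
           '"GET /search?q=x HTTP/1.1" 200 512')
    lines = [fmt.format(n=n, sec=sec) for sec in range(5) for n in range(1, 4)]
    lines += [fmt.format(n=100 + i % 20, sec=5) for i in range(40)]
    return lines


if __name__ == "__main__":
    for k, v in analyze(make_sample_log()).items():
        print(f"{k}: {v}")
```

On real traffic the baseline should come from a longer quiet window rather than the median of the same sample, and the per-second buckets would be kept as a sliding window instead of a dict over the whole log; the per-source counts are what distinguish a single abusive client from a distributed flood.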


Singapore has moved from preventing cyberthreats to assuming breaches have occurred (The Straits Times)

Richard Stein <rmstein@ieee.org>
Thu, 9 Sep 2021 13:09:12 +0800

https://www.straitstimes.com/tech/tech-news/singapore-to-work-with-estonia-on-cyber-security-helping-firms-to-go-digital

With cybersecurity being “a ‘wicked’ problem that cannot be solved for good, Singapore decided to shift its position from preventing threats to assuming information technology systems have already been breached.”

A sobering revision to infosec defensive posture, by no less than a sovereign government. This inherent breach assumption effectively acknowledges the futility of safeguarding the information Internet-connected systems capture and maintain against recurrent cybercrime and insider exfiltration incidents.

The inherent breach assumption prioritizes the convenience enjoyed by businesses and governments, in the interests of their customers and citizens enabled via web services, as superior to privacy maintenance expectations. A sterling example of realpolitik.

The UN Human Rights charter, Article 12 states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” See https://www.un.org/en/about-us/universal-declaration-of-human-rights

An aspirational, noble statement, but ineffective against technology easily exploited for profit.


El Salvador's Bitcoin Gamble Is Off to a Rocky Start (WiReD)

“Gabe Goldberg” <gabe@gabegold.com>
Wed, 8 Sep 2021 19:32:24 -0400

Enthusiasm, fear, and light shows usher the country into the age of cryptocurrency.

https://www.wired.com/story/el-salvador-bitcoin-rocky-start/


Revealed: LAPD officers told to collect social media data on every civilian they stop (The Guardian)

Richard Forno <rforno@infowarrior.org>
September 8, 2021 23:27:13 JST

[via Dave Farber]

The Los Angeles police department (LAPD) has directed its officers to collect the social media information of every civilian they interview, including individuals who are not arrested or accused of a crime, according to records shared with the Guardian.

Copies of the “field interview cards” that police complete when they question civilians reveal that LAPD officers are instructed to record a civilian's Facebook, Instagram, Twitter and other social media accounts, alongside basic biographical information. An internal memo further shows that the police chief, Michel Moore, told employees that it was critical to collect the data for use in “investigations, arrests, and prosecutions”, and warned that supervisors would review cards to ensure they were complete.

The documents, which were obtained by the not-for-profit organization the Brennan Center for Justice, have raised concerns about civil liberties and the potential for mass surveillance of civilians without justification.

https://www.theguardian.com/us-news/2021/sep/08/revealed-los-angeles-police-officers-gathering-social-media


Venice prepares to charge tourists, require booking (Reuters)

geoff goodfellow <geoff@iconia.com>
Tue, 7 Sep 2021 17:13:12 -1000

From a control room inside the police headquarters in Venice, Big Brother is watching you.

To combat tourist overcrowding, officials are tracking every person who sets foot in the lagoon city.

Using 468 CCTV cameras, optical sensors and a mobile phone-tracing system, they can tell residents from visitors, Italians from foreigners, where people are coming from, where they are heading and how fast they are moving.

Every 15 minutes, authorities get a snapshot of how crowded the city is - alongside how many gondolas are sliding on the Canal Grande, whether boats are speeding and if the waters rise to dangerous levels.

Now, a month after cruise ships were banned from the lagoon <https://www.reuters.com/world/europe/exclusive-italy-legislate-keep-liners-out-venice-lagoon-sources-2021-07-13>, city authorities are preparing to demand that tourists pre-book their visit on an app and charge day-trippers between 3 and 10 euros to enter, depending on the time of the year.

Airport-like turnstiles are being tested to control the flow of people and, should the numbers become overwhelming, stop new visitors from getting in. […]

https://www.reuters.com/world/africa/venice-prepares-charge-tourists-require-booking-2021-09-06/


Sydney couple scammed out of almost $1 million (Sydney Morning Herald)

“John Colville” <John.Colville@uts.edu.au>
Sun, 5 Sep 2021 21:30:24 +0000

https://www.smh.com.au/national/nsw/sydney-couple-buying-property-scammed-out-of-almost-1-million-20210903-p58one.html

Anita and Nandos had just purchased the perfect investment property in Macquarie Park last year. They were in the final stages of settlement and just needed to transfer about $1 million to finalise the sale.

A day before they transferred the funds, the couple allegedly received what appeared to be a legitimate email from their lawyer asking them to pay the funds into a different account. Little did the couple know, scammers were allegedly impersonating their lawyer. This type of scam is known as a business email compromise (BEC) scam.


FOX News' Tucker Carlson defends making and selling fake covid vaccine cards (The Independent)

Lauren Weinstein <lauren@vortex.com>
Sun, 5 Sep 2021 14:17:32 -0700

https://www.independent.co.uk/news/world/americas/us-politics/tucker-carlson-defend-fake-vaccine-cards-b1914010.html


As U.S. Prepares to Ban Ivermectin for Covid-19, More Countries in Asia Begin Using It (Naked Capitalism)

geoff goodfellow <geoff@iconia.com>
Tue, 7 Sep 2021 13:33:10 -1000

The information war takes a dark turn as the corporate media transitions from misinformation and obfuscation to outright lies and fabrication.

The campaign against ivermectin is intensifying in the US. Until recently the health authorities appeared to be quite content merely to ridicule those who take or prescribe the drug in order to treat or prevent Covid-19. A couple of weeks ago, the FDA released a now-infamous advertorial <https://twitter.com/us_fda/status/1429050070243192839> on twitter with the heading “You are not a horse. You are not a cow. Seriously, y'all. Stop it.” The subheading: “Using the drug Ivermectin to treat Covid-19 can be dangerous and even lethal. The FDA has not approved the drug for that purpose.”

It's a subtle message that has been faithfully echoed by the corporate media: ivermectin, a tried-and-tested drug that has won its discoverers a Nobel Prize for the impact it has had on human health over the last 35 years, should only be given to animals. But now the information war is taking a darker turn, as the media transitions from misinformation and obfuscation to outright lies and fabrication.

At the end of last week, a string of American and British outlets, including The Daily Mail, Rolling Stone, Huffington Post, The Independent, Newsweek, The Guardian, and Yahoo News, ran a story about how people who had “overdosed” on the “horse dewormer” were clogging up so many beds in a hospital in Sequoyah, rural Oklahoma, that doctors were having to turn away gunshot victims. The story, sourced to local Oklahoma outlet KFOR, turned out to be completely false. On Sunday, the hospital in question released a statement <https://twitter.com/AxXiom/status/1434290777828601863/photo/1> that the doctor behind the allegations had not worked in its ER for two months. More to the point, the hospital “had not treated any patients due to complications relating to taking ivermectin.” There were no overdoses. And it had turned no patients away.

In other words, everything about the story was false. A total fabrication. Yet many of the mainstream outlets that covered the story did not retract their article. Rolling Stone simply “updated” <https://www.rollingstone.com/politics/politics-news/gunshot-victims-horse-dewormer-ivermectin-oklahoma-hospitals-covid-1220608/> its piece with the new information. The Guardian inserted a note at the bottom of its article informing readers that Sequoyah NHS had released a statement asserting that the doctor behind the allegations that formed the entire basis of the story had not worked in its ER for two months. In other words, you have to read all the way to the end of the article to find out that its entire content is total bullshit. To make matters worse, The Guardian did not even mention the hospital's categorical denials that it had treated patients for IVM overdose or that it had turned ER patients away.

The Coming Crack Down. […] https://www.nakedcapitalism.com/2021/09/as-us-prepares-to-ban-ivermectin-for-covid-19-more-countries-in-asia-begin-using-it.html


Freezing his credit after yet another data breach (Rob Pegoraro)

Gabe Goldberg <gabe@gabegold.com>
Mon, 6 Sep 2021 00:53:43 -0400

[Not cool!]

Author writes: The text message I was especially uninterested in receiving hit my phone Sunday morning. “T-Mobile has determined that unauthorized access to some business and/or personal information related to your T-Mobile business account has occurred,” it read. “This may include SSN, names, addresses, phone numbers and dates of birth.”

T-Mobile's texted non-apology for a data breach affecting tens of millions of subscribers went on to note that “we have NO information that indicates your business or personal financial/payment information were accessed,” as if those data points were the ones I couldn't reset with a phone call or three.

https://robpegoraro.wordpress.com/2021/08/27/not-cool-freezing-my-credit-after-yet-another-data-breach/


That NYC subway outage? Someone pushed the wrong button.

danny burstein <dannyb@panix.com>
Fri, 10 Sep 2021 17:48:16 +0000

Con Ed (electrical utility) had a system-wide very short hiccup.

The NYC subway “Rail Control Center”, a fortress structure near midtown built 1985ish to, well, control everything (much, much, more advanced than the ones shown in The Taking of Pelham 1-2-3) was kicked. Emergency power, etc., kicked in, but…

While the subway system itself had full 3rd rail power along with station lighting, etc., the control signals for half the lines were dead for hours, meaning trains were stuck on the trackbed, with passengers stuck inside as well.

(There's really no excuse for not crawling, slowly, to the next station).

MTA worker sparked mayhem on 8 subway lines, Hochul finds (NY Post, with the Governor's report):

An MTA worker accidentally pressing a button “most likely” caused the massive disruption of subway service for hours on multiple lines last month, an outside investigation ordered by Gov. Kathy Hochul found.

The reports, conducted by a pair of engineering firms, revealed that the loss of power at the New York City Transit Rail Control Center was caused by a manual off switch on one of the building's power distribution units, according to a press release from the governor.

The findings suggest that the emergency push button might have been mistakenly pressed, since a plastic protector designed to prevent accidental activation of it was missing, according to the summary of the investigation.

https://nypost.com/2021/09/10/mta-worker-sparked-mayhem-on-8-subway-lines-hochul-finds/


Re: fast vs slow repairs, Lights Flickered in New York City. (NYTimes, RISKS-32.85)

“John Levine” <johnl@iecc.com>
6 Sep 2021 15:17:43 -0400

> Why Did the Subways Grind to a Halt?

In recent years the NY subway has shut down sections of line for a weekend exactly so they can do maintenance and upgrade work that would take months otherwise.


Re: Autonomous Vehicles, (Kruk, RISKS-32.86)

“Richard Stein” <rmstein@ieee.org>
Mon, 6 Sep 2021 08:54:40 +0800

> As a first start, somebody please slap his face and say, “wake up and
> join reality”.

A slap on the face will not deter Musk, or others of his ilk who are incentive-driven to create dubious products. Restricting usage of indemnification from terms of service might.

Indemnification is like a morality car wash for businesses: it excuses the embodiment of intellectual property through a commercial transaction, even if the product can harm public safety or health. Indemnification establishes commercial impunity: the right to sell a product without personal responsibility for it. See http://www.thedevilsdictionary.com/c.html#CORP_ for the “precise” definition.

Ever read the terms of service for a product? A layperson's interpretation of corporate terms of service reads like: “We take your money, and you can't hold us accountable for using our product when/if something goes wrong and you experience injury (or worse), unless we are truly negligent and liable. So: prove it, and maybe we'll settle, maybe not.”

Laws enable, and regulations accelerate, the manufacturing and deployment of technology-based products; some products possess troublesome features, others are abominations.

Legislation and rigorous regulatory enforcement are needed to control the incentives that technology-based products exploit while the resultant public risk accrues and compounds.


Quote of The Day (CommonSense MD)

geoff goodfellow <geoff@iconia.com>
Thu, 9 Sep 2021 08:45:17 -1000

“In my 30+ years of practice, I've never before come across a disease for which censorship was one of the main treatments.”

https://twitter.com/CommonSenseMD1/status/1435795248513437702
