The RISKS Digest
Volume 33 Issue 53

Tuesday, 22nd November 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Russian software disguised as American finds its way into U.S. Army, CDC apps
Jan Wolitzky
How North Korea became a mastermind of crypto cybercrime
Ars Technica
U.S. NSA recommends ‘memory safe’ languages
Media Defense
Re: Rust
dmitri maziuk
Cyber Vulnerability in Networks Used by Spacecraft, Aircraft, Energy Generation Systems
Reducing Redundancy to Accelerate Complicated Computations
Vulnerabilities of electric vehicle charging infrastructure
Cybercriminals Are Selling Access to Chinese Surveillance Cameras
Code grey: Inside a ‘catastrophic’ IT failure at the Queensway Carleton Hospital
Open-Source Software Has Never Been More Important
Autonomous Vehicles Join the List of U.S. National Security Threats
Hotel barfs on two people with the same name
gcluley via Wendy M. Grossman
DeepMind says its new AI coding engine is as good as an average human programmer
The Verge
Time Has Run Out for the Leap Second
Timer on GE ovens automagically reprogrammed to gobble rather than ding
Business Wire
Akamai finds 13 million malicious newly observed domains a month
SC Media
Inside the turmoil at Sobeys-owned stores after ransomware attack
$10.7 Million Payment To Virginia In Google Privacy Settlement
VA Patch
Short Videos on Ethics in AI and Software Development
Gene Spafford
Electronic Health Record Legal Settlements
JAMA Health Forum
Is This the End Game for Cryptocurrency?
Paul Krugman via PGN et al.
Tuvalu Turns to Metaverse as Rising Seas Threaten Existence
Lucy Craymer
Smart Home Hubs Leave Users Vulnerable to Hackers
Leigh Beeson
Twitter update
Lauren Weinstein PGN-simmerized
In Memoriam: Drew Dean
Peter G. Neumann
In Memoriam: Frederick P. Brooks Jr.
Steve Bellovin
Info on RISKS (comp.risks)

Russian software disguised as American finds its way into U.S. Army, CDC apps

Jan Wolitzky <>
Mon, 14 Nov 2022 10:37:05 -0500

Thousands of smartphone applications in Apple and Google's online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

The Centers for Disease Control and Prevention (CDC), the United States' main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.

The U.S. Army said it had removed an app containing Pushwoosh code in March.

How North Korea became a mastermind of crypto cybercrime (Ars Technica)

Monty Solomon <>
Mon, 14 Nov 2022 23:57:34 -0500

Cryptocurrency theft has become one of the regimeâs main sources of regvenue. Created by a Vietnamese gaming studio, Axie Infinity offers players the chance to breed, trade, and fight Pokémon-like cartoon monsters to earn cryptocurrency. But earlier this year, the network of blockchains that underpin the game's virtual world was raided by a North Korean hacking syndicate, which made off with roughly $620 million in the ether cryptocurrency.

The crypto heist, one of the largest of its kind in history, was confirmed by the FBI, which vowed to continue to expose and combat [North Korea's] use of illicit activities—including cybercrime and cryptocurrency theft—to generate revenue for the regime.

The successful crypto heists illustrate North Korea’s growing sophistication as a malign cyber actor. Western security agencies and cyber security companies treat it as one of the world's four principal nation-state-based cyberthreats, alongside China, Russia, and Iran.

According to a UN panel of experts monitoring the implementation of international sanctions, money raised by North Korea's criminal cyber-operations are helping to fund the country's illicit ballistic missile and nuclear programs. Anne Neuberger, US deputy national security adviser for cybersecurity, said in July that North Korea “uses cyber to gain, we estimate, up to a third of their funds for their missile program.”

Crypto analysis firm Chainalysis estimates that North Korea stole approximately $1 billion in the first nine months of 2022 from decentralized crypto exchanges alone. …

U.S. NSA recommends ‘memory safe’ languages (Media Defense)

Henry Baker <>
Mon, 14 Nov 2022 19:35:38 +0000

The U.S. NSA finally came out this week to strongly endorse ‘memory-safe’ languages for most software programming, specifically mentioning C#, Go, Java, Ruby, Rust, and Swift as examples.

Apparently orphaned DoD language Ada was conspicuously left out of

NSA's list, even though versions of Ada that target JVM can utilize Java JVM's GC.

Ubiquitous web language Javascript was also conspicuous by its absence, even though Javascript has a sophisticated GC.

Also curiously, NSA left out any mention of Arm's CHERI (Capability Hardware Enhanced RISC Instructions) architecture which should address NSA's performance concerns:

“Memory safety can be costly in performance … There is also considerable performance overhead associated with checking the bounds on every array access that could potentially be outside of the array.”

CHERI, can you come out tonight (Come come, come out tonight) You, ooh better ask your NSA (CHERI baby) Tell her everything is all right.

(Apologies to Frankie Valli &amp; Bob Gaudio)

With Arm's new ‘Morello’ processor, can I finally replace my Raspberry Pi with a CHERI Pi??

[Now I know what startup sound will play when CHERI Pi boots… :-) ]

While waiting, use CHERI as a QEMU virtual machine?

“Memory issues in software comprise a large portion of the exploitable vulnerabilities in existence. NSA advises organizations to consider making a strategic shift from programming languages that provide little or no inherent memory protection, suchas C/C++, to a memory safe language when possible. [Examples noted above, with html trademarks omitted here. PGN] Memory-safe languages provide differing degrees of memory usage protections, so available code hardening defenses, such as compiler options, tool analysis, and operating system configurations, should be used for their protections as well. By using memory-safe languages and available code hardening defenses, many memory vulnerabilities can be prevented, mitigated, or made very difficult for cyber-actors to exploit.”

Re: Rust (RISKS-33.52)

dmitri maziuk <>
Sun, 13 Nov 2022 20:28:23 -0600

Memory is the resource every computer program uses, but it's not the only resource.

Nobody (that I know of) managed to pull off proper object destruction in a garbage-collected language. Thus, if a program written in a garbage-collected language uses those other resources, there is no guarantee as to when it might release them. The best they can do is sometime between when the object goes out of scope, and when the program terminates. And that's just not good enough for many applications including systems programming.

That's what Rust has that automatic memory management doesn't: when a variable goes out of scope, its destructor is run, or it's dropped.

Cyber Vulnerability in Networks Used by Spacecraft, Aircraft, Energy Generation Systems (U.Michigan)

ACM TechNews <>
Wed, 16 Nov 2022 11:46:50 -0500 (EST)

Zachary Champion, University of Michigan News, 15 Nov 2022 via ACM TechNews, 16 Nov 2022

Researchers at the University of Michigan and the U.S. National Aeronautics and Space Administration (NASA) discovered a cyberattack that exploits networks used by aircraft, spacecraft, energy generation systems, and industrial control systems. The PCspooF exploit targets the time-triggered ethernet (TTE) system, which lowers costs in high-risk settings by allowing mission-critical and less-critical devices to operate on the same network hardware. PCspoof mimics switches in TTE networks to send out malicious synchronization messages masked by electromagnetic interference. The disruption gradually causes time-sensitive messages to be dropped or delayed, with potentially disastrous effects. The researchers said the exploit can be prevented by replacing copper Ethernet cables with fiber-optic cables, or by deploying optical isolators between switches and untrusted devices.

[Richard Marlon Stein noted another version, both seemingly derivative:]

A major vulnerability in a networking technology widely used in critical infrastructures such as spacecraft, aircraft, energy generation systems and industrial control systems was exposed by researchers at the University of Michigan and NASA.

It goes after a network protocol and hardware system called time-triggered ethernet, or TTE, which greatly reduces costs in high-risk settings by allowing mission-critical devices (like flight controls and life support systems) and less important devices (like passenger WiFi or data collection) to coexist on the same network hardware. This blend of devices on a single network arose as part of a push by many industries to reduce network costs and boost efficiency.

Reducing Redundancy to Accelerate Complicated Computations (TJNAF)

ACM TechNews <>
Wed, 16 Nov 2022 11:46:50 -0500 (EST)

Thomas Jefferson National Accelerator Facility (15 Nov 2022), via ACM TechNews, 16 Nov 2022

Scientists at the U.S. Department of Energy's Thomas Jefferson National Accelerator Facility and the College of William & Mary have developed a tool to optimize supercomputing time. Their MemHC framework structures the memory of a graphics processing unit (GPU) to accelerate the calculation of many-body correlation functions. The researchers created three memory management methods that reduce redundant memory operations and expedite calculation of tensor contractions 10-fold. They coded MemHC to enable memories to persist on the GPU in a manner more appropriate for calculations, reducing the GPU's input and output tasks to concentrate on communication between the GPU and its host central processing unit.

Vulnerabilities of electric vehicle charging infrastructure (

Richard Marlon Stein <>
Wed, 16 Nov 2022 08:37:49 +0000

Can the grid be affected by electric vehicle charging equipment? Absolutely. Would that be a challenging attack to pull off? Yes. It is within the realm of what bad guys could and would do in the next 10 to 15 years. That's why we need to get ahead of curve in solving these issues.'

The team looked at a few entry points, including vehicle-to-charger connections, wireless communications, electric vehicle operator interfaces, cloud services and charger maintenance ports. They looked at conventional AC chargers, DC fast chargers and extreme fast chargers.

I imagine the old pay-at-the-pump skimmer is likely too. For EVs: pay-at-the-electron dispenser skim.

Cybercriminals Are Selling Access to Chinese Surveillance Cameras (Threatpost)

Gabe Goldberg <>
Fri, 18 Nov 2022 15:18:14 -0500

Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed. New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulnerable to an 11 month-old command injection flaw.

Hikvision—short for Hangzhou Hikvision Digital Technology—is a Chinese state-owned manufacturer of video surveillance equipment. Their customers span over 100 countries (including the United States, despite the FCC labeling Hikvision an unacceptable risk to U.S. national security. Last Fall, a command injection flaw in Hikvision cameras was revealed to the world as CVE-2021-36260. The exploit was given a critical rating of 10 rating by NIST. […]

Code grey: Inside a ‘catastrophic’ IT failure at the Queensway Carleton Hospital (CBC)

“Matthew Kruk” <>
Mon, 21 Nov 2022 06:48:14 -0700

Emergency room doctors, nurses and other health-care professionals who worked through the night during a major, hospital-wide computer and phone outage in Ottawa were “sticking their necks out” in an “exceptionally unsafe” environment, according to documents obtained by CBC News.

Inaccessible medical records, inoperable equipment, defective backup phones and pagers, and poor communication from administrators plagued the Queensway Carleton Hospital (QCH) for nearly 20 hours in early September when a “code grey” was declared, internal records obtained through a Freedom of Information request show.

Code grey refers to infrastructure failure. QCH called one shortly after noon on 9 Sept 2022, which lasted till 9:38 a.m. the following day.

Open-Source Software Has Never Been More Important (TechRadar)

ACM TechNews <>
Fri, 18 Nov 2022 12:15:30 -0500 (EST)

Craig Hale, TechRadar, 13 Nov 2022, via ACM TechNews, 18 Nov 2022

GitHub's Octoverse 2022 report on the state of open-source software found that 90% of Fortune 100 companies use open-source software (OSS) in some capacity. There have been 413 million OSS contributions to GitHub from the platform's 94 million users this year alone, the company noted. The report found that commercially backed OSS projects are increasing, and that around a third of Fortune 100 companies now have an open-source program office to coordinate their OSS strategies. However, as the Synopsis Open-Source Security and Risk Analysis Report for 2022 found, despite a steady 3% year-on-year decrease in vulnerabilities, more than 80% of the codebases analyzed were still found with at least one vulnerability, with 88% of the codebases investigated showing no signs of update in the past two years.

Autonomous Vehicles Join the List of US National Security Threats (WiReD)

Gabe Goldberg <>
Mon, 21 Nov 2022 18:37:52 -0500

Pfluger highlights in his letter that China could use autonomous and connected vehicles as a pathway to incorporate their systems and technology into our country's infrastructure. As Homeland Security secretary Alejandro Mayorkas told a House committee last week, there are perils of having communications infrastructure in the hands of nation-states that don't protect freedoms and rights as we do. FBI director Christopher Wray warned that China has stolen more data from the United States than all other nations combined, through increasingly sophisticated large-scale cyber-espionage operations against a range of industries, organizations, and dissidents in the United States.

Hotel barfs on two people with the same name (gcluley)

“Wendy M. Grossman” <>
Fri, 18 Nov 2022 18:38:45 +0000

A hotel computer could not cope with two men named Brian Cox checking in on the same day:

DeepMind says its new AI coding engine is as good as an average human programmer (The Verge)

Martin Ward <>
Mon, 14 Nov 2022 14:07:20 +0000

If an AI is as good as an average human programmer, then the average human programmer is no better than an AI which doesn't actually understand anything about what it is doing.

For some time now I have suspected that the average human programmer just fiddles with the code until it seems to work and calls it “done”, without having any real understanding of exactly what the program is supposed to do or how the implementation actually works. This is my rather cynical take on “test-driven development, or TDD”.

The above research appears to provide scientific confirmation of my view. If an AI can perform as well as an average programmer, then given that the AI has no understanding of the program or its implementation and is just fiddling with the code until it appears to work (i.e., until it passes the provided set of acceptance tests), then it seems that the average human programmer also has no understanding and is also just fiddling with the code until it appears to work.

According to the Wikipedia page on TDD, step 3 is “Write the simplest code that passes the new test”. A suitable candidate for this is code which scans the test data file for the provided input parameters and returns the required output (as given in the test file). Step 3 says explicitly “Inelegant or hard code is acceptable, as long as it passes the test.” So, this hard coding should be acceptable. The suggested implementation also follows the principles of keep it simple, stupid (KISS) and You aren't gonna need it. (YAGNI) It has the further advantage of passing any additional tests that may be added to the test harness in the future.

Time Has Run Out for the Leap Second (NYTimes)

“Matthew Kruk” <>
Sat, 19 Nov 2022 22:52:14 -0700

Roughly every four years, an extra day gets tacked onto the end of February, a time-keeping convention known as the leap year. The practice of adjusting the calendar with an extra day was established by Julius Caesar more than 2,000 years ago and modified in the 16th century by Pope Gregory XIII, bequeathing us the Julian and Gregorian calendars.

That extra day is a way of aligning the calendar year of 365 days with how long it actually takes Earth to make a trip around the sun, which is nearly one-quarter of a day longer. The added day ensures that the seasons stay put rather than shifting around the year as the mismatch lengthens.

Humanity struggles to impose order on the small end of the time scale, too. Lately the second is running into trouble. Traditionally the unit was defined in astronomical terms, as one-86,400th of the mean solar day (the time it takes Earth to rotate once on its axis). In 1967 the world’s metrologists instead began measuring time from the ground up, with atomic clocks. The official length of the basic unit, the second, was fixed at 9,192,631,770 vibrations of an atom of cesium 133. Eighty-six thousand four hundred such seconds compose one day.

But Earth's rotation slows ever so slightly from year to year, and the astronomical second (like the astronomical day) has gradually grown longer than the atomic one. To compensate, starting in 1972, metrologists began occasionally inserting an extra second ” a leap second—to the end of an atomic day. In effect, whenever atomic time is a full second ahead, it stops for a second to allow Earth to catch up. Ten leap seconds were added to the atomic time scale in 1972, and 27 more have been added since.

Adding that extra second is no small task. Moreover, Earth's rotation is slightly erratic, so the leap second is both irregular and unpredictable. Fifty years ago, those qualities made inserting the leap second difficult. Today the endeavor is a technical nightmare, because precise timing has become integral to society’s highly computerized infrastructure.

Timer on GE ovens automagically reprogrammed to gobble rather than ding (Business Wire)

Jan Wolitzky <>
Sat, 19 Nov 2022 07:03:41 -0500

A former colleague reports that his smart GE oven got an automatic software upgrade. Now, when the timer runs down, instead of a chime, it makes a sound like a turkey.™-Launches-First-of-Its-Kind-Turkey-Mode-to-Ease-Cooking-Stress-for-the-Most-High-Pressure-Meal-of-the-Year

(And when your expensive oven is hacked and bricked, does it honk to tell you your goose is cooked?)

Akamai finds 13 million malicious newly observed domains a month (SC Media)

Gabe Goldberg <>
Thu, 17 Nov 2022 17:02:29 -0500

Akamai researchers on Wednesday reported that based on a newly observed domain (NOD) dataset, they have flagged almost 79 million domains as malicious in the first half of 2022. The researchers say this equals approximately 13 million malicious domains per month, representing 20.1% of all the NODs that successfully resolved.

In a blog post, the Akamai researchers explained that whenever a domain name is queried for the first time in the last 60 days, the researchers consider it an NOD. The NOD dataset lets the researchers zoom in on the long-tail rgistered domain names, typos, and domains that are only very rarely queried on a global scale.

NOD data lets Akamai classify a new domain very early in the threat lifecycle. All of its NOD-based detection systems and rules are fully automated. The researchers say that once a new NOD gets identified, the time needed for Akamai to classify it as malicious is measured in minutes—not hours or days. All of this gets done with no human intervention, which lets Akamai mitigate the new DNS threats quickly, according to the researchers.

Inside the turmoil at Sobeys-owned stores after ransomware (CBC)

Matthew Kruk <>
Tue, 15 Nov 2022 06:53:11 -0700 -attack-1.6650636

Employees of Empire Co., the parent company of Sobeys, have begun to speak out about the turmoil unfolding inside the grocery chain since a ransomware attack began plaguing its computer systems earlier this month.

Workers from across the country say some stores have run short of items because orders cannot be placed as usual, while at others, food that had gone bad initially either piled up or was frozen because it couldn't be removed from the inventory system.

Pharmacies were unable to fill new prescriptions for a week, customers cannot redeem loyalty points or use gift cards, and staff were concerned last week they wouldn't get paid because the payroll system is down.

“It's basically been a mess—the word that can best describe it—just a mess,” said one employee who works in the front end at a Safeway in western Canada.

$10.7 Million Payment To Virginia In Google Privacy Settlement (VA Patch)

Gabe Goldberg <>
Sun, 20 Nov 2022 16:21:07 -0500

Virginia was part of a record $391.5 million settlement with Google over the company's user privacy practices. Here is the state's share.

Almost $400M, wow—that'll sure teach Google a lesson about privacy. They might have to look under TWO executive suite couch cushions to find it.

Short Videos on Ethics in AI and Software Development

Gene Spafford <>
Wed, 16 Nov 2022 10:28:03 -0500

Purdue has just released a series of short videos on ethics related to AI and software development. I can definitely recommend this if you are interested in the topics, and especially if you haven't thought much about this topic.

The lead video is by Vint Cerf. I am also featured in the series.

Electronic Health Record Legal Settlements (JAMA Health Forum)

Richard Marlon Stein <>
Tue, 15 Nov 2022 00:33:50 +0000

“Six EHR vendors reached settlement agreements totaling $379.8 million (Table). Settlements for 5 of the 6 vendors involved alleged kickbacks, which are payments from the vendor to clinicians. Most kickbacks were related to product promotion, and 1 was related to influencing clinicians to prescribe opioids. Settlements for 4 of 6 vendors involved alleged misrepresentation of EHR capabilities to falsely certify their product. One vendor allegedly miscalculated rates of electronic record sharing, which were used in incentive program attestation. Based on available Centers for Medicare & Medicaid Services attestation data, the EHR products associated with these 6 settlements were used by 76831 unique clinicians during the years of alleged misconduct.”

The “Gang of 6” EHR vendors: eClinicalWorks, Greenway Health LLC, Practice Fusion Inc, Viztek LLC, athenahealth Inc, CareCloud Health Inc.

EHR manipulation and fake EHR product feature certification for profit.

Difficult to confidently estimate patient impact. Unsettling to learn physician prescriptions are steered by prioritizing profit over patient needs. I doubt the DoJ would investigate and indict 77Kphysicians for their willing participation.

Per-prescription kickback as a service (PKAAS)? Patients should consult their physicians.

Is This the End Game for Cryptocurrency? (Paul Krugman)

Peter G Neumann <>
Fri, 18 Nov 2022 10:26:14 PST

Paul Krugman, The New York Times, National Edition, Opinion, A25. 18 Nov 2022 (PGN-excerpted)

We should ask why crypto[currency] institutions were created in the first place.

… These exchanges are—wait for it—financial institutions, whose ability to attract investors depends on—wait for it again—those investors' trust. In other words, the crypto ecosystem has basically evolved into exactly what it was supposed to replace: a system of financial intermediaries whose ability to operate depends on their perceived trustworthiness.

In which case, what is the point? Why should an industry that at best has simply reinvented conventional banking have any fundamental value? …

As boosters love to remind us, previous predictions of crypto's imminent demise have proved wrong. Indeed, the fact that Bitcoin and its rivals aren't really usable as money needn't mean that they become worthless—you can, after all, say the same thing about gold.

But if the government finally moves in to regulate crypto firms, which would, among other things, prevent them from promising impossible-to-deliver returns, it's hard to see what advantage these firms would have over ordinary banks. Even if the value of Bitcoin goes to zero (which it still might), there's a strong case that the crypto industry, which loomed so large just a few months ago, is headed for oblivion.

I cross-posted this to our Bay Area cryptographers' list. Here are two replies:

Dave Jevans: Hopefully this is the beginning of effective enforcement of existing regulations and the appropriate extension of transparency regs. While unfortunate, the FTX debacle shows the lack of enforcement of existing regs.

Crypto[currency] will be much stronger after this, as banks enter the custodial market. They have charters, audits, BSA officers, training, oversight, transparency to the board, and insurance.

Steven Sprague: They are all learning still. Tokens are api messages for software with embedded value. Cost of audit for on chain events can slowly approach zero. Value of audited stuff is higher than un-audited.

Tuvalu Turns to Metaverse as Rising Seas Threaten Existence (Lucy Craymer)

ACM TechNews <>
Fri, 18 Nov 2022 12:15:30 -0500 (EST)

Lucy Craymer, Reuters, 15 Nov 2022 via ACM TechNews, 18 Nov 2022

The Pacific island nation of Tuvalu said it intends to replicate itself in the metaverse to preserve its history and culture amid threatened submersion by rising sea levels. Tuvalu foreign minister Simon Kofe told the COP27 climate summit, “Our land, our ocean, our culture are the most precious assets of our people and to keep them safe from harm, no matter what happens in the physical world, we will move them to the cloud.” Kofe hopes the digital version of Tuvalu will allow the country to continue as a state, even if the ocean covers it completely. He said seven governments have agreed to continue recognizing Tuvalu even if it is covered in water, adding that its submersion would be challenging from the standpoint of international law.

Smart Home Hubs Leave Users Vulnerable to Hackers (Leigh Beeson)

ACM TechNews <>
Mon, 21 Nov 2022 12:03:24 -0500 (EST)

Leigh Beeson, UGA Today, 15 Nov 2022, via ACM TechNews 21 Nov 2022

The ChatterHub system developed by University of Georgia (UGA) researchers can expose smart home hub users to hackers by revealing the activity of various hubs nearly 90% of the time. UGA's Kyu Lee said, “We were able to use machine learning technology to figure out what much of the activity is without even having to decrypt the information.” Lee said the information smart hubs send to individual devices can be deciphered by “using patterns, the size of the packet, and the timing of the packet.” Hackers can acquire this information without positioning ChatterHub close to the hub, nor do they require prior knowledge of the types of smart devices to which it is connected or the hub's manufacturer to breach the system remotely.

Twitter update (PGN-simmerized)

Lauren Weinstein <>
Tue, 22 Nov 2022 14:42:36 -0800

Without warning Musk apparently disables Twitter SMS 2-factor authentication [14 Nov 2022]

Musk publicly mocks the employees he has fired [15 Nov 2022]

Musk mocks fired employee, saying that the person had “tragic case of adult onset Tourette's” [15 Nov 2022]

Facebook says now that he's a candidate, nothing Trump says will be fact checked.

Musk and NASA: It's well past time to be asking why NASA continues to rely on on a toxic and disgusting person like Musk. In the end, they will almost certainly come to regret it, given his escalating bizarre behavior. -L [15 Nov 2022]

Fact check: 20 false and misleading claims Trump made in his announcement speech. He even lied about the price of turkeys. -L [16 Nov 2022]

Musk's ultimatum to Twitter employees [16 Nov 2022]: Let's look at Musk's Twitter ultimatum to employees last night logically. He gives them a link to click by Thursday if they agree to work long hours and be hardcore and (unwritten but assumed) not question his genius or motives or personality or obnoxiousness. If employees don't accept that, they're out with three months severance. Now, this is a binary choice. Choice one provides no assurance that Musk won't fire you on a whim for any reason whatsoever however fantastical or paranoid. On the other hand, choice two guarantees three months pay. In any normal environment, a myriad of factors would enter into this decision. But given Musk's temperament and behavior, the decision is considerably simplified. And it amounts to this: If you can manage it financially, take the three months pay and GET THE HELL OUT OF THERE NOW!

He's just making up crap again: Elon Musk finally makes up his mind on Twitter Blue: You'll be an ‘official’ celeb or company if enough verified people follow you [16 Nov 2022]

It's being reported that at least 100s of employees decided to take up Musk on his “leave and get 3 months pay” offer, with scrambling to try keep crucial employees from leaving. Offices will reportedly be closed until the 21st. Rumor is there's paranoia of employee sabotage. [17 Nov 2022]

Musk says hate tweets will no longer be taken down: In tweet, Musk says hate tweets will no longer be taken down, merely deboosted and demonetized, but findable. That spells the end of Twitter. Q.E.D. -L [18 Nov 2022]

Elon and the app stores: If Musk leaves hate speech up on Twitter, even “unboosted” and unmonetized as he now says he's planning to do, he will most likely be violating the terms of the Apple App Store and Google (Android) Play Store, and of course various EU regulations. -L [18 Nov 2022]

Report: Head of Twitter ad sales out of Twitter—again: Robin Wheeler, who reportedly resigned as head of Twitter ad sales but was convinced by Elon to un-resign, apparently is out of the company (again) just over a week later. You can't make this stuff up. -L [18 Nov 2022]

What do the app stores say about hate speech? If Elon plans to keep hate speech up on Twitter, no matter how he talks of not “boosting” it or making it harder to find, he will run up against not only EU regulations but also the iPhone and Android app stores. Let's see what Google says:

“We don't allow apps that promote violence, or incite hatred against individuals or groups based on race or ethnic origin, religion, disability, age, nationality, veteran status, sexual orientation, gender, gender identity, caste, immigration status, or any other characteristic that is associated with systemic discrimination or marginalization.” [19 Nov 2022]

Musk posts obnoxious “semi-pornographic” NSFW Trump-related tweet [20 Nov]

Elon's Hellhole: Elon Musk's Twitter Reinstates Anti-Trans Activists on Same Weekend as Club Q Attacked

In Memoriam: Drew Dean

Peter G Neumann <>
Mon, 21 Nov 2022 10:48:05 PST

One of our long-time younger RISKS contributors (since Feb 1996), Drew Dean passed away on 23 August 2022 at 52, while doing the recreational thing he loved most on his annual vacation—wind-surfing. His funeral was on 17 Nov 2022, and we held an very caring celebration of his life on 19 Nov 2022 at SRI, for friends, colleagues, and Drew's sisters and their spouses. Drew was beloved by many of us. He made many important contributions to computer science and system trustworthiness—and to our lives—and will really be missed.

The published obituary: The program for last Saturday's SRI event, and A Chronological Timeline of Drew's professional life:

A Kudoboard for Drew, which already has some wonderful contributions that are much more personally diverse than anything else that might be included in RISKS. It will be particularly meaningful to those of you who knew Drew:

In Memoriam: Frederick P. Brooks Jr. (Steve Bellovin)

ACM TechNews <>
Mon, 21 Nov 2022 12:03:24 -0500 (EST)

Steven Bellovin, CircleID, 19 Nov 2022, via ACM TechNews 21 Nov 2022

Computer scientist Frederick P. Brooks Jr., who passed away on 17 Nov 2022, earned the ACM A.M. Turing Award in 1999 for his landmark contributions to computer architecture, operating systems, and software engineering. Columbia University's Steven Bellovin recalled Brooks' time at IBM, where he led the design of the S/360 mainframes, which comprised five models with distinct performance characteristics, sharing a common architecture-defined instruction set. At the University of North Carolina at Chapel Hill, Brooks focused on computer graphics and protein modeling, and pioneered virtual reality by using a remote manipulator arm to “grab” and move atoms with accompanying force feedback.

Please report problems with the web pages to the maintainer