https://twitter.com/LordRavenscraft/status/1524482648315473922 [That won't work in Red Rock Canyon Park (RISKS-30.72) and many other places with no wireless. PGN]
https://techxplore.com/news/2022-05-companies-envision-taxis-traffic.html With or without pilots? Droned if you do or droned if you don't!
https://techxplore.com/news/2022-05-global-cybercrime-topped-trillion-defence.html The world's economy, per GDP estimates, is estimated @ US$ ~104T per https://en.wikipedia.org/wiki/World_economy (retrieved on 11MAY2022). The essay cites a deficit of ~200K cyber-security professionals, in Europe specifically, as a possible remedy to reduce grift and cut the skim. Investing in people, training, and infrastructure is proactive and usually, with supportive leadership, effective. The outrage expressed by corporate lobbyists to recently proposed SEC regulations (see https://www.sec.gov/files/33-11038-fact-sheet.pdf) indicates that disclosing corporate CxO cyber-skillsets for the investing public to assess might accelerate essential investments to tame the cybertheft wildfire. See "Industry Report" in https://www.washingtonpost.com/politics/2022/05/10/costa-rica-shows-damage-ransomware-can-do-country/ (retrieved on 11MAY2022) for a discussion.
David Yaffe-Bellany, Erin Griffith, and Ephrat Livni *The New York Times*, 13 May 2022, National Edition front page + A20 [PGN-ed] Bitcoin fell as low as $26,000, down 60% from its November 2021 peak, and down 20% in just the past five days. Just a few months ago, blockchain proponents were predicting the price would rise as high as $100,000 this year. "Stablecoin" TerraUSD imploded to a low of $0.23 (not backed by cash, and depending on Luna, which lost almost its entire value). Treasury's leader suggested a *regulatory framework* is needed. [See also: Cryptocurrencies Melt Down in a 'Perfect Storm' of Fear and Panic https://www.nytimes.com/2022/05/12/technology/cryptocurrencies-crash-bitcoin.html ]
Stacy-Marie Ishmael, Bloomberg, 10 May 2022, via ACM TechNews, 11 May 2022 The algorithmic stablecoin cryptocurrency does not provide greater stability than other cryptocurrencies. Conventional stablecoin issuers say their tokens are underpinned by "real" assets like cash or highly rated bonds, and can theoretically maintain stability because they can be readily swapped for cash or highly liquid cash equivalents. Algorithmic stablecoins try holding their value through a mix of instructions encoded in algorithms and active treasury management. The failure of such cryptoassets' price stability mechanisms could carry systemic ramifications for other coins and protocols, as CoinMarketCap counts roughly 18.5 billion TerraUSD stablecoins in circulation. Said Kyle Samani at the Multicoin Capital investment firm, "The biggest losers from all of this will be retail [investors] that didn't understand the risks they were taking." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e9bfx233b92x071163&
Charlie Osborne, ZDNet, 5 May 2022, via ACM TechNews, 9 May 2022 Researchers at cybersecurity software company SentinelOne reported two high-severity bugs in Avast and AVG antivirus products that have gone undetected for a decade. The researchers said the flaws have existed since 2012, and could have affected "dozens of millions of users worldwide." They found the bugs in the Avast Anti Rootkit driver, and the first vulnerability resided in a socket connection handler used by the kernel driver aswArPot.sys; hackers could hijack a variable during routine operations to escalate privileges, potentially disable security solutions, or meddle with target operating systems. The researchers described the second bug as "very similar" to the first, and rooted in the aswArPot+0xc4a3 function. Sentinel Labs on Dec. 20 informed Avast of the vulnerabilities, and the company had patched them by Feb. 11, with no active exploitation in the wild indicated. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e95ax233ad9x071942&
Javier Cordoba, ABC News, 12 May 2022 via ACM TechNews; 13 May 2022 Costa Rica has declared a state of emergency after enduring a month of ransomware attacks that have hobbled critical systems. The siege began last month when Costa Rica's Finance Ministry reported that its tax collection, customs, and other systems were affected; the hackers also targeted the nation's social security agency human resources system and its Labor Ministry. The Russian-speaking Conti gang took credit for the attack. Costa Rica's emergency declaration describes the perpetrators as "cybercriminals" and "cyberterrorists." The U.S. State Department said the gang has orchestrated hundreds of ransomware attacks over the past two years, collectively targeting more than 1,000 victims and extorting them for more than $150 million as of January 2022. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e9fdx233c2dx071807&
If a Musk "new regime" ruling @Twitter permits all speech that "is legal" -- Twitter is doomed. Because the parade of legal (in the U.S.) hate speech that will flood the platform will drive away most advertisers, brands, and support services that Twitter needs to operate.
So, I posted what I thought was a bit of a joke (albeit maybe a dark one) about being pathetically lonely following bereavement. https://twitter.com/rslade/status/1522345541522235392 https://www.blogger.com/blog/post/edit/626389518384655417/6860285728885858232# https://fibrecookery.blogspot.com/2022/05/ding.html https://www.facebook.com/rslade/posts/10160304212242853?notif_id=1651913627430909 And posted it various places, including Facebook. Facebook has decided that either I am trying to raise money, or that I need to raise money. (Facebook, being obsessed with money? I think I'll have a heart attack and die from **NOT** being surprised.) Facebook has somehow flagged my post with a suggestion that I ask my "community" for "support," that is, money. They even include a link to a page that will help you create "a fundraiser on Facebook in a few quick steps." (The page opens with a grid of 15 options for different categories of fundraisers, including "Other".) I mean, I understand that you have zero privacy on Facebook. I understand that Facebook considers everything you post there to be Facebook's property. I understand that they have programs that automatically read, categorize, and harvest everything you post. But, somehow, this seems more than vaguely creepy. I assume that Facebook is, somehow, going to monetize (for themselves) any funding that anyone does raise using Facebook. (I don't know those business models, but I assume that, at the very least, any money they raise for **anyone** helps them sell themselves as a fundraising vehicle to major charities.) But flagging (I assume) the word "bereaved" and then tying it to a pitch to raise money just seems a bit beyond the pale. Facebook is trying to capitalize on my (and others') grief.
https://appleinsider.com/articles/22/05/11/eu-plans-to-require-backdoor-to-encrypted-messages-for-child-protection
[This is an old topic in RISKS—devices that are never off. PGN] WiSec has an upcoming paper on this for the specific case of iPhones: https://dl.acm.org/doi/10.1145/3507657.3528547 The full paper is available via the parallel-publication mechanism on arXiv: https://arxiv.org/pdf/2205.06114
[Note: This item comes from friend David Rosenthal. DLH] ICE 'now operates as a domestic surveillance agency,' think tank says A study by the Center on Privacy and Technology found that ICE uses data brokers to avoid restrictions. By K. Holt, Engadget, 10 May 2022 https://www.engadget.com/ice-surveillance-report-us-government-193206600.html Although it's supposed to be restricted by surveillance rules at local, state and federal levels, Immigration and Customs Enforcement (ICE) has built up a mass surveillance system that includes details on almost all US residents, according to a report from a major think tank. Researchers from Georgetown Law's Center on Privacy and Technology said ICE "now operates as a domestic surveillance agency" and that it was able to bypass regulations in part by purchasing databases from private companies. "Since its founding in 2003, ICE has not only been building its own capacity to use surveillance to carry out deportations but has also played a key role in the federal government's larger push to amass as much information as possible about all of our lives," the report's authors state. "By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time." The researchers spent two years looking into ICE to put together the extensive report, which is called "American Dragnet: Data-Driven Deportation in the 21st Century." They obtained information by filing hundreds of freedom of information requests and scouring more than 100,000 contracts and procurement records. The agency is said to be using data from the Department of Motor Vehicles and utility companies, along with the likes of call records, child welfare records, phone location data, healthcare records and social media posts.
ICE is now said to hold driver's license data for 74 percent of adults and can track the movement of cars in cities that are home to 70 percent of the adult population in the US. The study shows that ICE, which falls under the Department of Homeland Security, has already used facial recognition technology to search through driver's license photos of a third of adults in the US. In 2020, the agency signed a deal with Clearview AI to use that company's controversial technology. In addition, the report states that when 74 percent of adults hook up gas, electricity, phone or Internet utilities in a new residence, ICE was able to automatically find out their updated address. The authors wrote that ICE is able to carry out these actions in secret and without warrants. Along with the data it acquired from other government departments, utilities, private companies and third-party data brokers, "the power of algorithmic tools for sorting, matching, searching and analysis has dramatically expanded the scope and regularity of ICE surveillance," the report states. Spending transactions reviewed by the researchers showed that, between 2008 and last year, ICE spent around $2.8 billion on "new surveillance, data collection and data-sharing initiatives." It spent approximately $569 million on data analysis, including $186.6 million in contracts with Palantir Technologies to help it make sense of its vast troves of data. Records showed that ICE also spent more than $1.3 billion on geolocation tech during that timeframe and $389 million on telecom interception, which includes tech that helps the agency track someone's phone calls, emails, social media activity and real-time Internet use. In addition, the findings suggest the agency started engaging in certain surveillance activities much earlier than previously believed. The researchers found a contract from 2008 that granted ICE access to the Rhode Island motor vehicle department's facial recognition database. 
Prior to that, it was understood that ICE started conducting facial recognition searches on state and local data sets in 2013.
A *great* note by Moshe Vardi. Sorry for late dissemination: ACM, Ethics, and Corporate Behavior https://cacm.acm.org/magazines/2022/3/258894-acm-ethics-and-corporate-behavior/fulltext
"Bad design can kill: Missile defense and user fatigue" https://www.youtube.com/watch?v=gaiVjJWOUWE Russian cruiser Moskva was sunk by the Ukrainian Army. This was a significant win for Ukraine, because the Moskva was the flagship of the Russian Navy, and its sinking is an irreplaceable loss, since Russia can't build ships due to various problems in its shipyards, as well as sanctions. Now, of course, most of us reading this are glad this happened, but what does it have to do with Risks? I'm glad you asked. Here's why. There is a significant weakness in Russian defense systems, and it may be the reason or a significant reason why the Moskva failed to defend itself against incoming missiles: the user interface of the operator consoles, and operator fatigue. There are some who say the reason the Moskva was sunk was due to holes in radar coverage (like thinking a ship's radar only provides 180 degrees of coverage), and thus the ship was blind to the approaching missiles. This opinion is a misunderstanding of how a ship's radar works. Instead, it is argued the problem was because the radar operators missed seeing the missiles, and might actually not have been paying attention. Russian military doctrine generally makes soldiers follow the exact plan and not deviate. This does not promote innovative or "out of the box" thinking. However, life has a nasty habit of making plans ineffective or useless. Russian ships tend to be heavily dependent on manual operation. Data from tracking systems is subject to human interpretation, and data in one system has to be transferred by hand. Russian navigation radar tends to be of the classic concentric-circles type, with refresh caused by a rotating line circling around the radius of the display, technology that was state of the art -- back in the 1980s. Now, it is not that old stuff doesn't work; it is capable of very good performance. The problem is, it's labor-intensive.
To be effective in this environment, crews must be of high quality and performance in order for these manual systems to work. That brings us to the elephant in the room: operator fatigue. Now, in exercises and other practice drills, people are often very alert because the exercises are timed and the crew knows something is going to happen. On real-world missions, the assumption is that there won't be any events. So imagine a sailor in the combat information center of a Russian warship watching a green, circular "rotating cursor" radar display, for hours on end. Modern radar displays provide much more information, in ways that aren't effectively hypnotic. The average person -- or even the average sailor -- probably could not stare at that display for 30 solid minutes and maintain focus. Now, consider that sailor staring at that screen, eight hours a day for seven weeks, and nothing has happened. I think it is very likely that it would be difficult to maintain focus. So operator fatigue sets in. Consider that, with incoming missiles, the operator has about two minutes from the first appearance of a dot on the radar until the missile hits. This demands immediate action to engage the missile; there is not enough time to call battle stations or the commanding officer for orders. So, after weeks of intense boredom, the operator might be distracted, half asleep, or smoking. The operator might not have seen the missile for maybe a minute, or never saw it at all, and even if the alarm was sounded, there is now not enough time to stop the missile from striking the ship. In short, only a well-trained crew and defined procedures to handle the attack could have saved them. So, this is one example of the potential risk of badly designed operator interfaces.
> The most illuminating aspect of Proof of Stake is that it shows that many
> blockchain technologists/boosters are entirely innocent of any knowledge
> of business, or, at least, the history of business failures and frauds.

Considering that they equally don't know economic history, such as why every country abandoned the gold standard, why deflation makes countries miserable, and why hyperinflation was always a political decision, it's not surprising.
[Thanks to Elinor Mills. PGN] Free *Washington Post* article: https://wapo.st/3yn5L2u Kicking off Squirrel Week 2022 with some squirrels in the news "Meanwhile, in early March, the power went out in 4,000 homes in three New Orleans neighborhoods. A squirrel got the blame. <https://www.wwltv.com/article/news/local/orleans/first-bird-now-squirrel-second-animal-related-power-outage-in-week/289-280c3d91-68a0-47dd-91d3-3f41af6d925b> 'We look out here and we can see the squirrels,' Jim Bulling told WWL-TV, 'squirrels commuting along the power lines.'" Bulling lives across the street from a substation and every morning watches...
[See RISKS-33.02,03,05,06 for earlier items on this. PGN] WASHINGTON—The FBI informed the Israeli government in a 2018 letter that it had purchased Pegasus, the notorious hacking tool, to collect data from mobile phones to aid ongoing investigations, the clearest documentary evidence to date that the bureau weighed using the spyware as a tool of law enforcement. The FBI's description of its intended use of Pegasus came in a letter from a top FBI official to Israel's Ministry of Defense that was reviewed by *The New York Times*. Pegasus is produced by an Israeli firm, NSO Group, which needs to gain approval from the Israeli government before it can sell the hacking tool to a foreign government. https://www.nytimes.com/2022/05/12/us/politics/fbi-pegasus-spyware-israel.html