The RISKS Digest
Volume 33 Issue 45

Saturday, 17th September 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Chinese and Russian ops
Two NYTimes items PGN-ed
Chinese spy convicted with help from iCloud backup of his iPhone
9to5Mac
Nuclear Power Still Doesn't Make Much Sense
NYTimes
Say Hello to Crazy-Thin Deep-Insert ATM Skimmers
Krebs on Security
Malware attack knocks out software for 6,000+ residential properties
George Mannes
Patent troll attacks against open-source projects are up 100% since last year. Here's why
ZDNET
Alarms over healthcare cyberattacks are getting louder
The Verge
Microsoft Teams has been storing authentication tokens in plaintext
Engadget
Trojanized versions of PuTTY utility being used to spread backdoor
Ars Technica
iPhone Lockdown Mode can be easily detected, could make you a target
9to5Mac
WatchOS 9 Breaks Spotify Streaming, Apple Watch Users Urged Not to Update
MacRumors
Text Messaging Is Cool. But Where Are Its Boundaries?
NYTimes
Watch it! Legal issues arise with home security cameras
Hiawatha Bray
DHS built huge database from cellphones/computers seized at border
WashPost
Appeals court upholds Texas law regulating social media moderation
WashPost
Biden is completely wrong about Section 230 as relates to hate speech
Lauren Weinstein
Uber wasn't using security keys
Vice
Uber's hack shows the stubborn power of social engineering
The Verge
Chess Grandmaster accused of using anal beads to cheat receives offer to clear his name by playing nude
AVClub
We're stuck with this white elephant: A Wisconsin town's big bet on electronics maker Foxconn hasn't panned out as planned
Fortune
NSA Software Supply Chain Guidance
The New Stack
Re: Artemis I launch scrubbed again, new attempt may not come until October
Martin Ward
Re: How criminals are using jammers, deauthers to disrupt WiFi
Henry Baker
Re: Major telecoms sign deal to keep some phone services running during future outages
Steve Bacher
Re: Apple and other vendors and eSIM
John Levine
Re: Groove.cm Breaks the Internet
Amos Shapir, Steve Bacher
Re: The Search for info, not just Dirt, on the Twitter Whistle-Blower
John Levine
Re: Facebook has no idea where to find your data
Steve Bacher
Re: 3D gun printing operation busted in Calgary
dmitri maziuk
Info on RISKS (comp.risks)

Chinese and Russian ops (Two NYTimes items)

Peter Neumann <neumann@csl.sri.com>
Fri, 16 Sep 2022 14:19:50 PDT
China Covert Operations May Overwhelm Us
Nigel Inkster, *The New York Times*, 16 Sep 2022
The West isn't sufficiently prepared for intelligence threats from Beijing

Russia Secretly Spent $300M to Sway Elections Around the World
Edward Wong,  *The New York Times*, 14 Sep 2022
  [At least.  That is what has been detected.  PGN]


Chinese spy convicted with help from iCloud backup of his iPhone (9to5Mac)

Monty Solomon <monty@roscom.com>
Sat, 17 Sep 2022 01:19:12 -0400
https://9to5mac.com/2022/09/16/chinese-spy/


Nuclear Power Still Doesn't Make Much Sense (NYTimes)

Henry Baker <hbaker1@pipeline.com>
Fri, 16 Sep 2022 15:15:18 +0000
  I heard a Ukrainian reporter on the radio talking about the problems with
  the Ukrainian "grid infrastructure" due to the Russian occupation of the
  Zaporizhzhia nuclear plant.  Except with her Ukrainian accent, she
  pronounced it "greed infrastructure".  I think that she summed up the
  nuclear power industry precisely !!
  Truly a Kinsley gaffe (Google it) moment !

Farhad Manjoo, *The New York Times*, 16 Sep 2022
Nuclear Power Still Doesn't Make Much Sense
https://www.nytimes.com/2022/09/16/opinion/nuclear-power-still-doesnt-make-much-sense.html

I landed in London at around the same time that international energy
regulators were making emergency plans for maintaining the safety of
Ukraine's Zaporizhzhia nuclear plant, which had come under shelling from
Russian troops.  [...]

Tyson Slocum, the director of the energy program at the advocacy group
Public Citizen, summed up these problems neatly: “Nuclear power has simply
been eclipsed. It was an incredible zero-emission resource for its day.  But
for much of the energy system today, that day has long passed.''  [...]


Say Hello to Crazy-Thin Deep-Insert ATM Skimmers (Krebs on Security)

Monty Solomon <monty@roscom.com>
Fri, 16 Sep 2022 09:57:51 -0400
A number of financial institutions in and around New York City are dealing
with a rash of super-thin *deep-insert* skimming devices designed to fit
inside the mouth of an ATM's card acceptance slot. The card skimmers are
paired with tiny pinhole cameras that are cleverly disguised as part of the
cash machine. Here's a look at some of the more sophisticated deep insert
skimmer technology that fraud investigators have recently found in the wild.

https://krebsonsecurity.com/2022/09/say-hello-to-crazy-thin-deep-insert-atm-skimmers/


Malware attack knocks out software for 6,000+ residential properties

George Mannes <gmannes@gmail.com>
Thu, 15 Sep 2022 21:26:13 -0400
I live in a New York City co-op apartment building that contracts with the
firm BuildingLink for a package of administrative & security services, such
as tracking & notification of package deliveries, repair requests,
instructions for the front desk regarding items such as permissions to
enter, and storage and check-out of apartment keys at the front desk. The
system also includes a directory of building residents, including their
apartment numbers, their phone numbers & email addresses. BuildingLink's
software is used in more than 6,000 properties worldwide, according to the
company's website.

The system was down Monday, Tuesday, and much of Wednesday following a
malware attack. Apparently, it was a nationwide outage. Some excerpts from
BuildingLink's status report page (https://status.buildinglink.com/):

12 Sep Monday:

Users are currently unable to access BuildingLink.com and custom domains,
the resident app, and the valet app.

-Users are also unable to access ConciergeLink and the GEO app if not
already logged in....

-KeyLink can currently be used with the fingerprint reader, but not with
username and password.

14 Sep afternoon

On Sunday, 11 Sep, BuildingLink was the target of a malware incident, which
impacted certain network systems.

While we are still in the early stages of an investigation, here's what we
know so far: our team acted quickly and took certain systems offline as a
precautionary measure and continue to take steps to enhance security systems
already in place. We also immediately engaged outside specialists ... to
assist us in our response and conduct a full investigation so we can fully
understand what happened.

15 Sep (this afternoon):

We have a team investigating the malware incident to determine if any data
was impacted. We will share our findings as soon as we are able.

The service interruption had no ill effects on me or anyone I know of. But
I'll be interested to learn what, if any, data concerning those 6,000+
properties and their residents was "impacted."


Patent troll attacks against open-source projects are up 100% since last year. Here's why (ZDNET)

Gabe Goldberg <gabe@gabegold.com>
Wed, 14 Sep 2022 00:34:55 -0400
In recent years, patent trolls have started attacking open-source developers
and companies. But, the open-source community is fighting back.

https://www.zdnet.com/article/patent-troll-attacks-against-open-source-projects-are-up-100-since-last-year-heres-why/


Alarms over healthcare cyberattacks are getting louder (The Verge)

Monty Solomon <monty@roscom.com>
Sat, 17 Sep 2022 00:50:09 -0400
https://www.theverge.com/2022/9/16/23356974/health-cybersecurity-devices-fbi-ransomware


Microsoft Teams has been storing authentication tokens in plaintext (Engadget)

Monty Solomon <monty@roscom.com>
Sat, 17 Sep 2022 00:54:19 -0400
https://www.engadget.com/microsoft-teams-has-been-storing-auth-tokens-in-plaintext-093510463.html


Trojanized versions of PuTTY utility being used to spread backdoor (Ars Technica)

Monty Solomon <monty@roscom.com>
Sat, 17 Sep 2022 01:09:51 -0400
https://arstechnica.com/information-technology/2022/09/trojanized-versions-of-putty-utility-being-used-to-spread-backdoor/


iPhone Lockdown Mode can be easily detected, could make you a target (9to5Mac)

Monty Solomon <monty@roscom.com>
Fri, 16 Sep 2022 23:36:38 -0400
https://9to5mac.com/2022/08/26/iphone-lockdown-mode-2/


WatchOS 9 Breaks Spotify Streaming, Apple Watch Users Urged Not to Update (MacRumors)

Monty Solomon <monty@roscom.com>
Sat, 17 Sep 2022 01:13:31 -0400
https://www.macrumors.com/2022/09/16/watchos-9-breaks-spotify-streaming/


Text Messaging Is Cool. But Where Are Its Boundaries? (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Wed, 14 Sep 2022 19:14:27 -0400
Apple and Google have added useful features to texting apps, yet the apps
still lack a major component: an effective way to set limits.

The pros of text messaging can easily turn into cons. Since texting
typically takes only a few seconds and is widely considered the most urgent,
attention-grabbing form of digital communication, it's difficult to set
boundaries around texting with our colleagues and friends.  Texting invites
us to intrude on other people's time.

https://www.nytimes.com/2022/09/14/technology/personaltech/texting-ios-android.html

Don't answer? "Do not disturb"? Off?

Plus gripes about various unrelated matters like Apple vs. Google, messaging
insecurity, complexity, can't schedule sending messages, and waxes nostalgic
for AOL Instant Messenger. Wanders unproductively far afield from messaging
boundaries.


Watch it! Legal issues arise with home security cameras (Hiawatha Bray)

Steve Bacher <sebmb1@verizon.net>
Thu, 15 Sep 2022 10:08:02 -0700
*The Boston Globe*, 14 Sep 2022
https://www.boston.com/real-estate/fall-house-hunt/2022/09/14/watch-it-legal-issues-arise-with-home-security-cameras

<https://www.hollywoodreporter.com/tv/tv-news/ed-markey-slams-amazon-wanda-sykes-ring-nation-1235205556/>

Tech giant Amazon is rolling out a new TV series about Rings, and it's not
their billion-dollar blockbuster set in Middle-Earth.

This show is called Ring Nation, and it will feature videos captured by
Amazon's Ring home security cameras. The idea of a weekly TV series
featuring surveillance videos has ticked off privacy experts, civil
libertarians, and Senator Edward Markey, Democrat of Massachusetts. But it
also proves that home security cameras are on the way to becoming as
commonplace as lawn sprinklers.

We've still got a way to go. By the end of 2021, only about 14 percent of
homes with broadband access had a network-connected security camera, while
15 percent owned a video doorbell, according to research firm Parks
Associates.
<https://www.parksassociates.com/blog/article/access-control-ecosystem--expanding-value>

But with the surge in crime
<https://time.com/6138650/violent-crime-us-surging-what-to-do/>, the
percentage is likely to rise. And a 2021 survey by the National Association
of Home Builders indicated that 70 percent of likely home buyers want
security cameras, with 27 percent calling them a "must-have" feature.

When the concept was first patented by Marie van Brittan Brown
<https://lemelson.mit.edu/resources/marie-van-brittan-brown#:~:text=African American inventor Marie Van,Jamaica, Queens, New York.>
and her husband, inventors from Queens, N.Y., back in the 1960s, home-video
technology was far too cumbersome and expensive for the average homeowner.

Today, cameras cost between $100 and $400, depending on the features.  They
can shoot high-resolution video images and carry microphones that can pick
up conversations 20 feet away. Some are completely wireless and powered by
internal batteries or even solar cells, while using Wi-Fi to hook up with a
home's broadband system. Videos can be viewed in real time over a smartphone
connection or automatically stored in the Internet cloud for later
viewing. This type of camera --offered by major companies like SimpliSafe,
Vivint, and Ring --is something homeowners can set up easily.

But when people start pointing cameras and microphones at one another,
certain issues arise. Like, what if your next-door neighbor complains that
your camera invades his privacy? What if the microphone records people's
private conversations?

The law has little to say about such matters, according to Matthew Guariglia
<https://www.eff.org/about/staff/dr-matthew-guariglia-0>, a policy analyst
at the Electronic Frontier Foundation, an online civil liberties group.
“There isn't a lot of protection for people from household surveillance
devices,'' Guariglia said.

If your camera is pointed at a part of your neighbor's property that's in
plain view --like the driveway, front porch, or even the backyard - these
are areas where the neighbor has no reasonable expectation of privacy. And
people are watching. According to a survey Vivint released in May, nearly 25
percent of people with outdoor cameras use them to keep an eye on their
neighbors.

With one major exception: cameras that can see inside someone's home. In a
2014 ruling, the Massachusetts Supreme Judicial Court held that a homeowner
could be sued for setting up a camera that can peer through the neighbor's
windows.
<https://scholar.google.com/scholar_case?case=15557137513272157927&q=Polay+v.+McMahon&hl=en&as_sdt=40000006&as_vis=1>

And be even more careful about recording voices. Under Massachusetts law,
you can't record someone's voice without their permission.  Inadvertently
picking up a few phrases is no big deal, but using your camera to eavesdrop
deliberately could get you into trouble.

Another thing: What happens to all that recorded video and audio? Most of
these systems store it online, where you can review it from any
Internet-connected device. This makes home video systems a godsend for
police forces, which routinely ask homeowners for captured footage of
possible crimes.

Lots of people are fine with this. A 2021 Consumer Reports survey indicated
that 10 percent of video doorbell users have handed over footage to the
police on request.
<https://www.consumerreports.org/consumer-protection/curbs-on-neighbors-by-ring-dont-ease-privacy-rights-concerns-a1459419637/>

Millions of people who own Ring cameras use Amazon's social network
Neighbors to share video footage with friends—and with law enforcement.
When a crime is committed, police can log onto Neighbors and request video
footage from all nearby Ring users. Compliance is entirely voluntary, most
of the time.
<https://www.aceableagent.com/blog/amazons-ring-launches-social-network-for-neighborhood-safety/>

But Ring will also provide video recordings without the user's permission if
the police come with a search warrant. In addition, Amazon said that in the
first half of 2022, it handed over Ring videos to police 11 times without a
warrant or user permission. The company said that these were extraordinary
cases involving danger of death such as a kidnapping or an attempted murder.
<https://www.businessinsider.com/amazon-gave-police-11-ring-doorbell-videos-without-consent-2021-2022-7>

Even more worrisome is the possibility that hackers could steal your stored
videos or employees at the security company who have no right to see them
will watch them. This actually happened at Ring several years ago, leading
the company to toughen up its access policies.
<https://www.theverge.com/2019/1/10/18177305/ring-employees-unencrypted-customer-video-amazon>

If the prospect dismays you, Ring offers the option to encrypt all your
videos automatically so that only you can unlock them. Or you can opt for a
security camera that allows you to store all video on a small hard drive,
instead of keeping it online.

Of course, a local drive could be lost or damaged or a savvy thief could
cover his tracks by stealing it, which just goes to show that there's no
such thing as perfect security.


DHS built huge database from cellphones/computers seized at border (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Fri, 16 Sep 2022 11:35:04 -0400
Contacts, call logs, messages and photos from up to 10,000 travelers' phones
are saved to a government database every year

https://www.washingtonpost.com/technology/2022/09/15/government-surveillance-database-dhs/


Appeals court upholds Texas law regulating social media moderation (WashPost)

Monty Solomon <monty@roscom.com>
Fri, 16 Sep 2022 18:16:11 -0400
The decision likely sets up a Supreme Court showdown over the future of
online speech

The 5th Circuit Court of Appeals on Friday upheld a controversial Texas
social media law that bars companies from removing posts based on a person’s
political ideology, overturning a lower court’s decision to block the law
from taking effect and likely setting up a Supreme Court showdown over the
future of online speech.

The ruling could have wide-ranging effects on the future of tech regulation,
as states throughout the country consider legislation similar to the Texas
law.

The judges ruled that while the First Amendment guarantees every person’s
right to free speech, it doesn’t guarantee corporations the right to “muzzle
speech.”  [...]

https://www.washingtonpost.com/technology/2022/09/16/5th-circuit-texas-social-media-law/


Biden is completely wrong about Section 230 as relates to hate speech

Lauren Weinstein <lauren@vortex.com>
Fri, 16 Sep 2022 15:37:32 -0700
Sad to say, President Biden in new remarks has continued to demonstrate an
apparently fundamental misunderstanding of a key aspect of Section 230, in
his continuing claim that rolling back 230 would help stop hate speech. In
fact, what rolling back 230 would do is make virtually all User Generated
Content (UGC) impractical, killing most discussion entirely. Who the blazes
advises him on these issues?


Uber wasn't using security keys (Vice)

Lauren Weinstein <lauren@vortex.com>
Fri, 16 Sep 2022 12:00:28 -0700
  [BREAKING: Reports of another data breach at Uber, with internal systems
  affected and extent unknown and/or not being made public. -L]

The Uber Hack Shows Push Notification 2FA Has a Downside: It's Too Annoying

https://www.vice.com/en/article/5d35yd/the-uber-hack-shows-push-notification-2fa-has-a-downside-its-too-annoying

  [ADDED LATER:

 Another bad sign in the Uber hack

Another really bad sign in the Uber hack—in addition to their apparently
not using security key tech for authentication—is the wide access the
hacker got inside the corp net, exactly what zero trust security systems
would have very likely prevented. -L]


Uber's hack shows the stubborn power of social engineering (The Verge)

Monty Solomon <monty@roscom.com>
Sat, 17 Sep 2022 00:50:46 -0400
https://www.theverge.com/2022/9/16/23356959/uber-hack-social-engineering-threats


Chess Grandmaster accused of using anal beads to cheat receives offer to clear his name by playing nude (AVClub)

Lauren Weinstein <lauren@vortex.com>
Fri, 16 Sep 2022 09:49:29 -0700
[This is not a parody] Chess Grandmaster accused of using anal beads
to cheat receives offer to clear his name by playing nude

  [If aliens decide Earth should be removed from the galaxy, this will probably
  be one of the leading exhibits. -L]

https://www.avclub.com/hans-niemann-anal-beads-chess-grandmaster-cam-site-1849545231

  [Paul Wexelblat noted
    A first!? article submitted to both RISKS and YUCKS.
https://metro.co.uk/2022/09/14/the-internet-thinks-a-chess-grandmaster-cheated-using-anal-beads-17370756/
  to which Gene Spafford replied
    Yucks is defunct, but I did publish it in the web-heads list!
  PGN]


We're stuck with this white elephant: A Wisconsin town's big bet on electronics maker Foxconn hasn't panned out as planned (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Tue, 6 Sep 2022 19:05:15 -0400
In 2017, Terry Gou, then CEO of electronics manufacturing giant Foxconn,
announced in the White House's East Room that his firm would spend $10
billion to build a state-of-the-art megafactory in Wisconsin that would make
LCD television and computer screens. "We are committed to creating great
jobs for American people," Gou said at the press conference, promising
13,000 new jobs for Wisconsinites.

The announcement spawned the Wisconn Valley Science and Technology Park and
the aspiration that the cornfields of southeastern Wisconsin could become a
global tech hub with the help of Foxconn, best known for producing iPhones
for Apple. "We believe this will have a transformational effect on
Wisconsin, just as Silicon Valley transformed the San Francisco Bay Area,"
Wisconsin’s then-Gov. Scott Walker declared at the press conference,
alongside then-President Donald Trump and top Wisconsin lawmakers.

Now five years into the experiment, so-called Wisconn Valley has failed to
live up to expectations. Instead of a sprawling 20-million-square-foot
factory complex, Foxconn has built a far smaller campus. There is a
1-million-square-foot warehouse, a 260,000-square-foot "smart manufacturing
center," a 120,000-square-foot "multipurpose building," and a 100-foot-tall
glass globe that bulges from otherwise empty farmland like an otherworldly
"orb," says Gordon Hintz, a member of Wisconsin’s state assembly.

Nobody is quite sure what the buildings are being used for, though it’s
clearly not manufacturing. "The whole thing has just been a joke," says
Hintz.

But the town of Mount Pleasant, home to the project, isn't laughing. [...]

To pay upfront for the Foxconn site and infrastructure such as water pipes
and road upgrades, Mount Pleasant created a special district, called a tax
increment financing, or TIF, district. It allowed the town to borrow $911
million on an annual budget of $23 million. "Let's say you have an income of
$50,000," says Lawrence Tabak, author of Foxconned, a book about Foxconn's
Wisconsin factory. "That would be like buying a $10 million house and then
trying to figure out how you're going to pay the taxes and mortgage debt."

https://fortune.com/2022/08/04/foxconn-mount-pleasant-wisconsin-wisconn-valley-lcd-factory/


NSA Software Supply Chain Guidance (The New Stack)

Gabe Goldberg <gabe@gabegold.com>
Wed, 14 Sep 2022 19:01:26 -0400
The National Security Agency (NSA) and friends have released "Securing the
Software Supply Chain for Developers." The Enduring Security Framework
(ESF), a public-private working group that provides security guidance on
high-priority threats to the nation's critical infrastructure, wrote this
report.

https://thenewstack.io/nsa-software-supply-chain-guidance/


Re: Artemis I launch scrubbed again, new attempt may not come until October (Goldberg, RISKS-33.44)

Martin Ward <martin@gkc.org.uk>
Wed, 14 Sep 2022 12:19:58 +0100
Yesterday's NASA: Apollo 13 has just suffered a major explosion with loss of
fuel cells and oxygen and the Lunar Module equipment is not compatible with
the Command Module's carbon dioxide scrubbing canisters. Engineers on the
ground examine every item available to the astronauts on the spacecraft and
devise a way to fix the problem using bits of plastic, cardboard manual
covers and other items.

Today's NASA: The batteries on the Artemis emergency detonation system
need recharging. We are on the ground, so have available the entire
resources of NASA to fix the problem. The only solution that
*this* generation of engineers on the ground can come up with
is to tow the whole rocket four miles back to the assembly building
where it can be plugged in and recharged.

As Gabe says "No suitable extension cord". Also no suitable generator
or battery pack or suitable skills to design one, apparently.


Re: How criminals are using jammers, deauthers to disrupt WiFi

Henry Baker <hbaker1@pipeline.com>
Wed, 14 Sep 2022 11:31:46 +0000
I see *two* problems:

1. WiFi CCTV cameras should always record locally (encrypted with PKE), even
when WiFi isn't working. A 256GB SD card now costs $21 at Amazon. You may
not get a real-time warning, but at least you'll still have the video
(assuming you have the decryption key).

2. WiFi operates in Part 15 unlicensed spectrum.  FCC says "Part 15 devices
may not cause any harmful interference to authorized services and must
***accept any interference*** that may be received"

It is well-known that *spread spectrum* techniques can resist jamming
(intentional or otherwise).

https://en.wikipedia.org/wiki/Spread_spectrum

"Resistance to jamming (interference). Direct sequence (DS) is good at
resisting continuous-time narrowband jamming, while frequency hopping (FH)
is better at resisting pulse jamming."

Spread spectrum techniques utilize so-called "process gain" (measured in dB)
to overcome jamming interference.  Since WiFi transmitters are limited in
the amount of power they can utilize in overcoming jammers, they could in
theory utilize more "process gain" to get their signal through. However, these
techniques would dramatically reduce the transfer speed in Mbps, but at
least the signal would get through.

The good news is that ***ultra wide band*** (UWB) is coming to devices
near you.

https://www.osti.gov/biblio/1021131

"UWB offers low probability of detection (LPD), low probability of
interception (LPI) as well as anti-jamming (AJ) properties in signal space"

https://en.wikipedia.org/wiki/Ultra-wideband

"Ultra-wideband characteristics are well-suited to short-range applications,
such as PC peripherals, wireless monitors, ***camcorders***, wireless
printing, and file transfers to portable media players. UWB was proposed for
use in personal area networks, and appeared in the IEEE 802.15.3a draft PAN
standard. However, after several years of deadlock, the IEEE 802.15.3a task
group was dissolved in 2006. The work was completed by the WiMedia Alliance
and the USB Implementer Forum. Slow progress in UWB standards development,
the cost of initial implementation, and performance significantly lower
than initially expected are several reasons for the limited use of UWB in
consumer products (which caused several UWB vendors to cease operations in
2008 and 2009)."
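Henry Baker's process-gain argument above, worked through as an added example (a constructed simulation written for this digest page, not code from the post or from the sources it cites): a 31-chip direct-sequence code spreads a near-carrier tone jammer so that the correlator still recovers every bit, while the same bits sent unspread at the same bit rate are corrupted, and the theoretical gain of 10*log10(31) dB is compared with the measured signal-to-jammer ratio at the correlator output. The bit pattern, chip count, jammer amplitude and jammer frequency are all assumed values chosen for the demonstration.

```python
"""Direct-sequence spread spectrum (DSSS) against a narrowband tone jammer.

Constructed, pure-Python simulation: 8 data bits, a 31-chip m-sequence, and
a slow continuous tone three times stronger than the signal. The same bits
are sent once without spreading (each bit held flat for 31 chips) and once
spread with the code, and both are demodulated with the same correlator.
"""
import math

CHIPS_PER_BIT = 31                    # spreading factor N (assumed)
DATA_BITS = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed payload
JAMMER_AMPLITUDE = 3.0                # signal chips have amplitude 1.0
JAMMER_FREQ = 0.001                   # cycles per chip: a near-carrier tone


def m_sequence(length=CHIPS_PER_BIT):
    """Chips (+1/-1) of the maximal-length sequence for x^5 + x^2 + 1.

    A 5-stage LFSR with a primitive polynomial cycles through all 31
    non-zero states, giving 16 chips of one sign and 15 of the other, so a
    near-constant jammer almost cancels once it is multiplied by the code.
    """
    state = 0b10101                       # any non-zero seed works
    chips = []
    for _ in range(length):
        chips.append(1 if state & 1 else -1)
        feedback = (state ^ (state >> 3)) & 1   # taps 5 and 2
        state = (state >> 1) | (feedback << 4)
    return chips


PN_CODE = m_sequence()
FLAT_CODE = [1] * CHIPS_PER_BIT       # "no spreading" reference at same bit rate


def spread(bits, code):
    """Map each bit to +1/-1 and multiply it by the chip sequence."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in code)
    return chips


def add_tone_jammer(chips, amplitude=JAMMER_AMPLITUDE, freq=JAMMER_FREQ):
    """Add a continuous narrowband tone to every chip of the signal."""
    return [x + amplitude * math.cos(2 * math.pi * freq * n)
            for n, x in enumerate(chips)]


def correlate(received, code):
    """Despread: multiply by the code and integrate over each bit period.

    The wanted signal adds coherently to +/-N per bit; the jammer, now
    multiplied by the code, is spread out and mostly cancels in the sum.
    """
    n = len(code)
    return [sum(r * c for r, c in zip(received[i:i + n], code))
            for i in range(0, len(received), n)]


def demodulate(received, code):
    """Hard decision on the sign of each correlator output."""
    return [1 if value > 0 else 0 for value in correlate(received, code)]


def bit_errors(sent, got):
    return sum(1 for a, b in zip(sent, got) if a != b)


def process_gain_db(chips_per_bit=CHIPS_PER_BIT):
    """Theoretical process gain: 10*log10(chip rate / bit rate)."""
    return 10 * math.log10(chips_per_bit)


def signal_to_jammer_db(code, bits=DATA_BITS):
    """Measured signal power over jammer power at the correlator output."""
    signal_out = correlate(spread(bits, code), code)
    jammer_out = correlate(add_tone_jammer([0.0] * (len(bits) * len(code))), code)
    p_signal = sum(v * v for v in signal_out) / len(signal_out)
    p_jammer = sum(v * v for v in jammer_out) / len(jammer_out)
    if p_jammer == 0:
        return float("inf")
    return 10 * math.log10(p_signal / p_jammer)


def run_comparison(bits=DATA_BITS):
    """Return (bit errors without spreading, bit errors with spreading)."""
    narrow = demodulate(add_tone_jammer(spread(bits, FLAT_CODE)), FLAT_CODE)
    wide = demodulate(add_tone_jammer(spread(bits, PN_CODE)), PN_CODE)
    return bit_errors(bits, narrow), bit_errors(bits, wide)


if __name__ == "__main__":
    errs_flat, errs_dsss = run_comparison()
    print(f"process gain for N={CHIPS_PER_BIT}: {process_gain_db():.1f} dB")
    print(f"bit errors: unspread={errs_flat}, DSSS={errs_dsss}")
    print(f"SJR at correlator: unspread={signal_to_jammer_db(FLAT_CODE):.1f} dB,"
          f" DSSS={signal_to_jammer_db(PN_CODE):.1f} dB")
    # The price Baker mentions: at a fixed chip rate the DSSS link carries
    # only 1/N of the bit rate of the unspread link.
```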


Re: Major telecoms sign deal to keep some phone services running during future outages (CBC Canada, RISKS-33.44)

Steve Bacher <sebmb1@verizon.net>
Thu, 15 Sep 2022 13:42:11 -0700
Having telephone service independent of whatever may befall the electrical
grid is nothing new. That's how we all started out in the 20th century.  It
is a fortunate accident of history that Alexander Graham Bell preceded
Thomas Alva Edison, otherwise it might not have turned out that way.
Imagine what it would have been like during, say, the 1965 Northeast U.S.
power blackout if telephones had stopped working.


Re: Apple and other vendors and eSIM (Slade, RISKS-33.44)

"John Levine" <johnl@iecc.com>
14 Sep 2022 11:40:28 -0400
It appears that Rob Slade <rslade@gmail.com> said:
>In its new line of iPhones, Apple will be doing away with physical SIM
>cards, moving instead to a system it refers to as eSIM.  This will be a
>software version of identification of the phone handset, and will be
>modifiable in order to change to new providers. ...

Samsung introduced an eSIM watch in 2015, and since 2019 eSIM phones have
been available from Samsung, Motorola, Sony, Google, Huawei and others. The
change in the iPhone 14 is that in North America it will ship without a
physical SIM slot, just eSIM. Models sold in some countries will continue to
have both, in China just physical SIMs.

I don't see any new threat here other than that if you have an account with
a North American carrier that doesn't offer eSIM, you lose. But in practice
other than some small MVNOs they all do. For people who travel and use
different SIMs in different countries, eSIMs are a pain to swap, but that's
not new either.

I would also have expected to hear of eSIM security attacks but so far I
haven't. Maybe there are easier ways to attack a phone, like SIM swapping.


Re: Groove.cm Breaks the Internet (RISKS-33.44)

Amos Shapir <amos083@gmail.com>
Wed, 14 Sep 2022 11:54:25 +0300
I just had a similar experience with Microsoft's help team for Outlook.  I
usually read my mail on Outlook's site, using Firefox.  There's a bug which
sometimes makes messages disappear from the Inbox.  I reported it to
Microsoft's help team and had a nice chat.

When they heard that this problem does not happen on Chrome (or maybe I just
don't use it often enough to encounter the bug), their reaction was
something like "Oh, then it's a browser problem, Bye!"

My comment that such a major application should work well on all major
browsers, was simply ignored.


Re: Groove.cm Breaks the Internet (RISKS-33.44)

Steve Bacher <sebmb1@verizon.net>
Thu, 15 Sep 2022 13:49:03 -0700
Regarding the practice of websites mandating Chrome: Yes, it's bad, but in a
practical sense that's the world many of us are already living in. How often
have you complained about some web site feature that isn't working for you
in (e.g.) Firefox, only to be told by support that that's the way it is and
you need to use Chrome to avoid the problem?


Re: The Search for info, not just Dirt, on the Twitter Whistle-Blower (RISKS-33.44)

"John Levine" <johnl@iecc.com>
14 Sep 2022 12:14:48 -0400
Ronan Farrow is a good reporter, but this time, quite unusually, he totally
blew it.

The people looking for info about Mudge are not Musk and his allies looking
to discredit him. They are investment bankers and hedge funds using the
expert networks they've been using for decades to figure out what their TWTR
stock is worth. They only care whether Mudge is credible to see if he's
going to have an effect on the outcome of the trial in Delaware. If Twitter
wins, their stock is worth about $50, and if Musk wins, more like
$20. (Informed observers say he won't.)  The companies that connect
investors with experts they pay for business info are nothing new or
unusual, nor should it be surprising that the people asking about Mudge are
doing so.

Matt Levine noted this in his Bloomberg newsletter yesterday, as did Andrew
Ross Sorkin in his NY Times Dealbook column today. The latter offered a link
to an old story from 2001 about how the expert networks work:

https://www.nytimes.com/2001/12/23/business/investing-it-s-not-what-they-know-but-whom.html

They call me every few months, generally with a client who wants to
understand Verisign's relationship with ICANN and USDoC.


Re: Facebook has no idea where to find your data (RISKS-33.44)

Steve Bacher <sebmb1@verizon.net>
Thu, 15 Sep 2022 13:39:17 -0700
Failure to document programs/routines is commonplace in the IT sector, and
it is unarguably nice to have documentation of how programs/routines work
and where their outputs are stored.  But the fact is that programs get
modified over time and the documentation doesn't always keep pace.  In many
cases the doc wasn't accurate to begin with.

So there is something to be said for "self-documenting" code, if one is
skilled enough to be able to read it.


Re: 3D gun printing operation busted in Calgary (RISKS-33.44)

dmitri maziuk <dmitri.maziuk@gmail.com>
Wed, 14 Sep 2022 20:31:20 -0500
I've seen it a number of times, on 3D printing sites and "gun nut" sites,
that it costs $2-3 in filament to print a pistol frame/receiver good for a
thousand-ish shots. But that is it: *filament* for *pistol frame*. No wear
and tear on the printer, no electricity bill, no barrel, pin, springs, nor
any other parts that make a working pistol, included.  (Some rifle receivers
apparently can be printed too, but require better quality filament and more
of it.) Nor the program cost: some are free, many are not.

I lived in Australia during its much hyped gun buy-back and saw pictures of
heaps of rust for which the government had to pay, by law, a "fair market
price of a weapon". So I don't really doubt that Houston "buy back program
gone LOL/wrong" in many cases.

But I do very much doubt the "$3 gun".
