Radiation meters in the extended Chernobyl area have been reading higher and higher, with many of them reporting numbers of 65500 nanosieverts/hr.
Which is annoyingly high, but likely (hopefully…) simply a matter of (formerly) stable contaminated dirt and dust getting kicked up from tanks running over it and shelling, etc.
But … this led to the following observation, which does add a bit more concern:
[Twitter]
“An explanation for my non-IT followers is in order.
“Digital devices often store numerical values in data cells called a “double” (two times 8 bits).
“The largest number it can store is (2 to the 16th, minus 1, which comes out to) 65535… which rounded down to the nearest hundred is 65500…”
more at: https://twitter.com/KirilsSolovjovs/status/1497001320015970310 https://twitter.com/DrEricDing/status/1497011166341599274
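As an added illustration (not part of the Twitter thread or of the digest), the following Python models a 16-bit cell in both its clamping and wrapping flavours and shows the check a monitoring pipeline can apply: a dose-rate sample that rounds down to the register ceiling is flagged as saturated rather than plotted as a physical spike. The station ids and readings are constructed.

```python
# Added example (not from the digest): how a 16-bit register caps a dose-rate
# reading, and how a monitoring pipeline can flag such readings as suspect.

UINT16_MAX = 2**16 - 1  # 65535, the ceiling of an unsigned 16-bit cell


def store_uint16_clamped(value):
    """Saturating store: anything above the ceiling is reported as 65535."""
    return max(0, min(value, UINT16_MAX))


def store_uint16_wrapped(value):
    """Wrapping store: the value is reduced modulo 2**16 (C unsigned behaviour)."""
    return value & UINT16_MAX


def classify_reading(nsv_per_hour, rounding=100):
    """Label a dose-rate sample for an operator dashboard.

    A reading that rounds down to the register ceiling is almost certainly a
    saturated or truncated value, not a physical measurement, so it is marked
    'saturated' instead of being treated as a real spike.
    """
    if nsv_per_hour < 0:
        return "invalid"
    ceiling_rounded = (UINT16_MAX // rounding) * rounding  # 65500
    if nsv_per_hour >= ceiling_rounded:
        return "saturated"
    return "ok"


# Constructed sample feed (station id, reading in nSv/h); not real telemetry.
SAMPLE_FEED = [
    ("station-A", 120),
    ("station-B", 65500),
    ("station-C", 65535),
    ("station-D", 9800),
]


def saturated_stations(feed=SAMPLE_FEED):
    """Return the ids whose readings sit at the register ceiling."""
    return [sid for sid, value in feed if classify_reading(value) == "saturated"]


if __name__ == "__main__":
    # A hypothetical true rate of 90,000 nSv/h cannot be represented: the
    # clamped store reports the ceiling, the wrapped store reports nonsense.
    print(store_uint16_clamped(90_000), store_uint16_wrapped(90_000))
    for sid, value in SAMPLE_FEED:
        print(sid, value, classify_reading(value))
```

The point of the classifier is the second line of defence: a dashboard that knows the sensor's word size can tell a saturated register from a real reading, whichever of the two storage behaviours the firmware actually has.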
The looming shutdown of 3G networks won't impact just older phones.
With AT&T's 3G network shutting down next week, and other carriers following suit later this year, a range of products require updates to continue working, including some home alarm systems, medical devices such as fall detectors, and in-car crash notification and roadside assistance systems such as General Motors' OnStar.
Just as many mobile carriers have urged customers to swap their older 3G iPhones, Android phones, e-readers and other hand-held devices for newer models ahead of the shutdown, other businesses are urging customers to upgrade or replace some of the everyday products and services in their homes and cars before they drop connectivity.
If left unaddressed, the stakes could be high in certain cases. Millions of cars, for example, may no longer have the ability to contact first responders after a collision or receive updates such as location or traffic alerts for built-in GPS systems. Some vehicles, including Chevrolet, Buick and Cadillac, have software upgrades for drivers to connect their systems to a 4G network, but other models will reportedly lose this feature for good.
http://pge.libercus.net//.pf/showstory/202202170035/3
At a hearing before U.S. District Court Judge Charles Breyer, a lawyer for Intuit complained that “the Keller firm is able to threaten companies - Intuit's not alone - into paying $3,000 in arbitration fees, for a $100 claim.”
Breyer questioned whether the proposed settlement was in the best interest of consumers.
Breyer: “I did think when I looked at this, and saw that, really, that this was a way to avoid or otherwise circumscribe arbitration, that it seemed to be that Intuit was, in Hamlet's words, hoisted by their own petard, I think arbitration is the petard that Intuit now faces.” His comments were first reported by Reuters.
Breyer rejected the settlement in March 2021.
Poor Intuit, being forced to arbitrate claims…
Social media platforms on the defensive as Russian-based disinformation about Ukraine spreads
You will recall that recently Putin sent armed thugs into Google's Moscow offices when they tried to fight Putin's demand that content related to his political opponent be removed. We're not talking typical social media sanctions here—we're talking Russian thugs with guns.
- - - -
Russia retaliates on Facebook's restrictions on Russian propaganda and lies
Russia Will Restrict Access to Facebook, State Media Reports
https://www.vice.com/en/article/93bgq7/russia-will-restrict-access-to-facebook-state-media-reports
- - - -
Putin and Nazis
Putin rants about Nazis controlling Ukraine. The president of Ukraine is Jewish. Apparently, Putin believes the population of Russia are morons. He's wrong.
- - - -
Google's actions in response to the Ukrainian situation
Long thread from Google about actions being taken in response to the Ukrainian situation
https://twitter.com/googleeurope/status/1497312445303513094
- - - -
Russia is threatening to crash (since they control propulsion) the International Space Station in response to sanctions against Russia. This is assumed to be bluster, but shades of “2010: The Year We Make Contact” ('84).
https://phys.org/news/2022-02-nasa-international-space-station-dangers.html
“The ISS has been described as the most expensive single item ever constructed. As of 2010, the total cost was US$150 billion. This includes NASA's budget of $58.7 billion ($89.73 billion in 2021 dollars) for the station from 1985 to 2015, Russia's $12 billion, Europe's $5 billion, Japan's $5 billion, Canada's $2 billion, and the cost of 36 shuttle flights to build the station, estimated at $1.4 billion each, or $50.4 billion in total. Assuming 20,000 person-days of use from 2000 to 2015 by two- to six-person crews, each person-day would cost $7.5 million, less than half the inflation-adjusted $19.6 million ($5.5 million before inflation) per person-day of Skylab.” See https://en.wikipedia.org/wiki/International_Space_Station#Cost, retrieved on 20FEB2022.
Assume construction and total operating costs aggregate to US$ 200B today. Compare that lump sum to the ~US$ 1B per year (estimated in 2015) of revenue generated from commercial spin-offs and license royalties. See “Testimony before the Subcommittee on Space, Committee on Science, Space, and Technology, U.S. House of Representatives Hearing on America's Human Presence in Low-Earth Orbit, Dr. Bhavya Lal, IDA Science and Technology Policy Institute,” May 17, 2018, page 5, https://docs.house.gov/meetings/SY/SY00/20180517/108302/HHRG-115-SY00-Wstate-LalB-20180517.pdf, retrieved on 20FEB2022.
“Space station dollars are spent on the ground!” (See https://www.nytimes.com/1991/05/26/weekinreview/the-nation-can-nasa-make-space-seem-worth-the-price.html, retrieved on 20FEB2022). Indeed. Space programs employ a lot of people. No boxcar-sized return on investment cited to date, unless you count von Karman Line tourism as a big win.
There's some solid science on the ISS: The Alpha Magnetic Spectrometer, Bose-Einstein condensates, and some physiology experiments.
The ISS will be “dumped into the drink” sometime in 2031. Plenty of time to plan how to dodge any de-orbited debris that misses the intended South Pacific ocean graveyard burial.
“We measure humans by the standards that are appropriate for machines and then we tell them we need technology to make them more human. It's perverse,” said Professor Shannon Vallor, the Baillie Gifford Chair in the Ethics of Data and Artificial Intelligence at the University of Edinburgh.
Speaking at a recent panel discussion on AI, she said technology should be about enhancing people's capabilities and experiences. But, increasingly, she is seeing AI being designed to advance its performance, “and humans are being twisted into knots in order to make that possible”.
A business corrects processes when public outrage exposes AI deployments that abuse employee capacities or cause physical harm.
Proactive monitoring of mechanized work, such as snap inspections of highly-automated, AI-driven factories or warehouses will become impractical as technological solutions penetrate deeper into manual labor.
Automated oversight of fair labor practices, as might be enforced by regulations, is problematic in that whoever (or whatever) controls the input regulatory specification determines compliance.
https://phys.org/news/2022-02-robots-mortality-adults.html
The automation of U.S. manufacturing, with robots replacing people on factory floors, is fueling a rising mortality rate among America's working-age adults, according to a new study by researchers at Yale and the University of Pennsylvania.
Industrial automation accelerates labor dislocation while human despair accumulates. How will highly industrialized societies sustain economy without consumers of automatically produced goods and services?
… Traffic jam of automated food delivery robots, apparently all stuck behind a carelessly discarded scooter. I just observed a couple of students clearing a path out of pity for the robots. This is our future, I guess.
https://twitter.com/seanhecht/status/1493432613628825600
It claims to be on track to have 100 billion facial photos in its database within a year, enough to ensure almost everyone in the world will be identifiable, according to a financial presentation from December obtained by The Washington Post.
https://www.washingtonpost.com/technology/2022/02/16/clearview-expansion-facial-recognition/
To add to the long litany of outages reported in RISKS, my afternoon work was disrupted by a regional power outage affecting 4,500 customers in southeast Palo Alto—due to a Mylar balloon on power wires, presumably near one of the retransmission sites.
One of my neighbors suggested that mylar balloons are bad for the environment and bad for electrical transmission.
As written, the bill would require that the Washington DC Board of Elections create a secure system to allow any voter to fill out and submit a ballot from their smartphone, tablet, or computer. […]
Still, the bill could face stiff opposition from experts who say that while online security options are improving, mobile voting would still be susceptible to hacking.
“There is currently no Internet technology available that allows for the secure transmission of voted ballots while also maintaining voter privacy and ballot verifiability,” wrote Mark Lindeman, an expert on voting security and audits with Verified Voting, a nonpartisan group that focuses on elections and technology, in a recent letter to legislators in Rhode Island considering a bill to allow ballots to be returned over the Internet.
https://dcist.com/story/22/02/21/new-bill-would-bring-mobile-voting-to-d-c/
Lots of security tools are based on Linux, and the Linux environment tends towards earlier adoption of updated security guidance. This has created a gap. Kali Linux is intentionally configured to allow older protocols, but has disabled SSLv3.
https://www.kali.org/docs/general-use/openssl-configuration/
Windows as late as Windows 10 still has SSLv3 enabled.
It would be worthwhile to ensure your security tools have the older protocols available for pen-testing.
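As an added example (mine, not from the Kali documentation), here is a preflight check a tester can run over an OpenSSL configuration before an engagement: it follows the openssl_conf -> ssl_conf -> system_default chain to the section holding the library-wide defaults and reports the protocol floor and security level, so it is clear in advance whether tools linked against that OpenSSL can still negotiate TLS 1.0/1.1. The two sample configs are constructed; MinProtocol, CipherString and @SECLEVEL= are real OpenSSL configuration keys, and the rule that pre-1.2 handshakes need security level 0 is OpenSSL 3 behaviour, assumed here.

```python
# Added example (not from the Kali documentation or the digest). It reads an
# OpenSSL configuration, locates the system-default section, and reports the
# protocol floor and security level, so a tester can see before an engagement
# whether a tool linked against this OpenSSL can still negotiate TLS 1.0/1.1.
import re

# Constructed sample configs in the section layout OpenSSL 1.1.1+ uses for
# system defaults. MinProtocol, CipherString and @SECLEVEL= are real OpenSSL
# config keys; the values here are chosen to illustrate the two profiles.
LEGACY_CNF = """\
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0
"""

# The same file with the floor and level raised to a strict profile.
STRICT_CNF = (LEGACY_CNF
              .replace("MinProtocol = TLSv1\n", "MinProtocol = TLSv1.2\n")
              .replace("SECLEVEL=0", "SECLEVEL=2"))

# Protocol versions in the order OpenSSL's MinProtocol accepts them.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_sections(text):
    """Minimal INI-style parser for openssl.cnf; keys that appear before any
    [section] header go into a pseudo-section named 'default'."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def system_default_section(sections):
    """Follow openssl_conf -> ssl_conf -> system_default to the section that
    holds the library-wide defaults (empty dict if the chain is absent)."""
    init = sections.get(sections["default"].get("openssl_conf", ""), {})
    ssl_sect = sections.get(init.get("ssl_conf", ""), {})
    return sections.get(ssl_sect.get("system_default", ""), {})


def legacy_tls_profile(text):
    """Summarise what the configured defaults let a client negotiate."""
    sect = system_default_section(parse_sections(text))
    min_proto = sect.get("MinProtocol")  # None means no floor is configured
    if min_proto is not None and min_proto not in PROTOCOL_ORDER:
        raise ValueError(f"unrecognised MinProtocol value: {min_proto}")
    floor = PROTOCOL_ORDER.index(min_proto) if min_proto else 0
    match = re.search(r"@SECLEVEL=(\d)", sect.get("CipherString", ""))
    seclevel = int(match.group(1)) if match else 1  # upstream OpenSSL default
    return {
        "min_protocol": min_proto,
        "seclevel": seclevel,
        # Assumption: since OpenSSL 3.0, SSLv3/TLS 1.0/TLS 1.1 handshakes need
        # security level 0 because they rely on SHA-1/MD5 signatures. Most
        # builds also compile SSLv3 out entirely, so that flag is a ceiling.
        "sslv3_allowed": floor <= PROTOCOL_ORDER.index("SSLv3") and seclevel == 0,
        "tls10_allowed": floor <= PROTOCOL_ORDER.index("TLSv1") and seclevel == 0,
    }


if __name__ == "__main__":
    for name, cnf in (("legacy", LEGACY_CNF), ("strict", STRICT_CNF)):
        print(name, legacy_tls_profile(cnf))
```

Run it against the real /etc/ssl/openssl.cnf of a testing box and of the hardened workstation you compare results with; the difference in the two dictionaries is the gap the note above describes.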
Researchers at iSTARE have to think like the bad guys, finding critical flaws before processors go to production.
https://www.wired.com/story/intel-lab-istare-hack-chips/
The agency has withheld critical data on boosters, hospitalizations and, until recently, wastewater analyses.
https://www.nytimes.com/2022/02/20/health/covid-cdc-data.html
Two hundred and fifty-four tokens were stolen over roughly three hours
https://www.theverge.com/2022/2/20/22943228/opensea-phishing-hack-smart-contract-bug-stolen-nft
“Our new digital wallet app is going to revolutionize the way people get robbed.”
The ability to handle large numbers does not necessarily imply that those numbers are expected to occur normally. For instance, it could have been a prepackaged software routine that was general purpose enough to accommodate conceivably huge amounts.
Common Lisp, for example, has the numeric-to-English-output feature built in to the standard format function. I wrote code to implement this in the Lisp system that I built for the IBM mainframe in the 1980s, so I know how it would work. Once you have established the algorithm to handle thousand, million and billion, it is fairly straightforward to extend that to trillion and up. My code was written to handle amounts up to a vigintillion [?], with little effort.
(It is said that 80% of the code of a given program is designed to handle things that happen 20% of the time, or maybe 90%/10%. Whatever.)
I am going to assume that someone just grabbed a library that may or may not have had anything to do with money.
However, there's another risk here: just how big is a trillion? If you meant to write a check for “one trillion” in the 10^12 sense, it would be rather awkward to do so in a jurisdiction where “one trillion” means 10^18. Even in Zimbabwe that difference would have taken weeks to even out.
https://en.wikipedia.org/wiki/Trillion
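As an added example (mine, not the contributor's Lisp code), here is the thousand/million/billion grouping algorithm carried through in Python with the scale-name table as a parameter. The short and long scales share the algorithm and differ only in that table, which is exactly how the same words "one trillion" come to denote 10^12 in one jurisdiction and 10^18 in another; the scale tables are standard, everything else is constructed for illustration.

```python
# Added example (not the contributor's Lisp code): number-to-English output by
# groups of three digits, with the scale-name table as a parameter. The short
# scale (US/modern UK) and the long scale (much of continental Europe) share
# the algorithm and differ only in that table, which is exactly why the word
# "trillion" can mean 10**12 in one jurisdiction and 10**18 in another.

ONES = ["", "one", "two", "three", "four", "five", "six", "seven", "eight",
        "nine", "ten", "eleven", "twelve", "thirteen", "fourteen", "fifteen",
        "sixteen", "seventeen", "eighteen", "nineteen"]
TENS = ["", "", "twenty", "thirty", "forty", "fifty", "sixty", "seventy",
        "eighty", "ninety"]

# Name of each successive power of 1000, starting with 1000**0.
SCALES = {
    "short": ["", "thousand", "million", "billion", "trillion",
              "quadrillion", "quintillion"],
    "long":  ["", "thousand", "million", "milliard", "billion",
              "billiard", "trillion"],
}


def _under_thousand(n):
    """Words for 1..999."""
    parts = []
    if n >= 100:
        parts.append(ONES[n // 100] + " hundred")
        n %= 100
    if n >= 20:
        parts.append(TENS[n // 10] + ("-" + ONES[n % 10] if n % 10 else ""))
    elif n:
        parts.append(ONES[n])
    return " ".join(parts)


def to_words(n, scale="short"):
    """Spell out a non-negative integer; raises if it exceeds the name table."""
    if n < 0:
        raise ValueError("negative amounts are not supported")
    if n == 0:
        return "zero"
    names = SCALES[scale]
    groups = []
    power = 0
    while n:
        n, chunk = divmod(n, 1000)
        if chunk:
            if power >= len(names):
                raise ValueError(f"amount too large for the {scale}-scale table")
            label = names[power]
            groups.append(_under_thousand(chunk) + (" " + label if label else ""))
        power += 1
    return " ".join(reversed(groups))


def magnitude_of(word, scale="short"):
    """The numeric value a scale word denotes under the given convention."""
    return 1000 ** SCALES[scale].index(word)


if __name__ == "__main__":
    amount = 10**12
    for scale in ("short", "long"):
        print(f"{amount} in the {scale} scale: {to_words(amount, scale)}")
    for scale in ("short", "long"):
        print(f"'one trillion' in the {scale} scale = {magnitude_of('trillion', scale)}")
```

Extending the table to vigintillion is, as the post says, a matter of adding names; the part that needs care in a payments system is pinning down which table a given document or counterparty is using before the words are turned back into a number.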
In 2019 Github detailed a bug in the receivers; it's not clear if it is the same bug or its brother. In either case, Little Johnny Tables <https://xkcd.com/327/> came to mind.
<https://github.com/Hamled/mazda-format-string-bug#readme>
printf format string bug in Mazda Connect Infotainment System
Bug Description
The Infotainment System's UI (and possibly other software elements) crashes when a Bluetooth audio source sends track metadata wherein the track name (at least) includes a “%n” conversion specifier.
Example Case
When the track's title includes the string “99% Invisible” this triggers a crash. […]
Perhaps the most unusual aspect of this from a coder's perspective (this kind of bug isn't all that uncommon, unfortunately), is actually the ‘I’ itself. This is a Microsoft-invented ‘upgrade’ to the ISO standard C format specifiers, but it's almost certainly the case that Mazda's Infotainment System does not use Windows as its operating system.
It turns out that GCC and Clang (the two major compilers for open source software) have included the ‘I’ specifier as well, presumably for compatibility so people can easily move their code from Microsoft's VC++ compiler to them (and back).
Talking about code using natural languages like English is really fraught with problems! The Reply All episode that discussed this bug involved the hosts speaking with some coders about using the phrase “percent I”—but maybe everyone was assuming “%i” which is much more common.
However for the computer, in its infinitely pedantic manner, “%i” and “%I” have nothing in common… which means we as coders have to be aware of that kind of difference. Without that key info, we wouldn't know to look past the ‘I’ and see that the ‘n’ is what was causing the crash. …
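As an added example (mine, not from the GitHub report or Mazda's code), the following Python tokenises a string the way a printf implementation would read a format string, so it is visible that “99% Invisible” is not a harmless percent sign but a directive whose conversion character is ‘n’, while “%I” on its own is not a directive at all. The regex is my approximation of the glibc directive grammar and the track titles are constructed. The fix on the C side is independent of any of this parsing: metadata is passed as an argument, printf("%s", title), never as the format.

```python
# Added example (not from the GitHub report or Mazda's code). It tokenises a
# string the way a printf implementation would, so the reader can see that
# "99% Invisible" is not a harmless percent sign but a directive whose
# conversion character is 'n', and that "%I" on its own is not a directive.
import re

# Approximation of the glibc directive grammar: flags (glibc accepts ' and I
# in addition to the ISO C set), optional width and precision, optional length
# modifier, then one conversion character. "%%" is matched so it can be skipped.
DIRECTIVE = re.compile(
    r"%(?P<flags>[-+ #0'I]*)(?P<width>\*|\d+)?(?:\.(?P<precision>\*|\d+))?"
    r"(?P<length>hh|h|ll|l|L|q|j|z|t)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)


def parse_directives(text):
    """Return the conversion directives a printf call would act on."""
    found = []
    for m in DIRECTIVE.finditer(text):
        if m.group("conv") == "%":
            continue  # "%%" prints a literal percent sign and consumes nothing
        found.append({"text": m.group(0), "flags": m.group("flags"),
                      "conv": m.group("conv")})
    return found


def writes_memory(text):
    """True if any directive is %n, which stores a count through a pointer
    argument that untrusted metadata was never meant to supply."""
    return any(d["conv"] == "n" for d in parse_directives(text))


def safe_as_format(text):
    """True only when the string contains no directive at all; anything else
    must be passed as an argument ("%s") rather than used as the format."""
    return not parse_directives(text)


# Constructed track titles, not taken from any device log.
SAMPLE_TITLES = ["99% Invisible", "100%% Pure", "Song %i", "Track %I", "Plain Title"]

if __name__ == "__main__":
    for title in SAMPLE_TITLES:
        print(f"{title!r:20} directives={parse_directives(title)} "
              f"writes_memory={writes_memory(title)}")
```

A scanner like this is useful as a test fixture or a log-review aid (it explains why a particular title crashed a unit), not as the defence itself: the only robust defence is the "%s" rule, because any directive in attacker-controlled text, not just %n, makes the call read arguments that were never passed.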