RISKS Digest 31.30

Friday 21 June 2019

Pilots fret over fire safety of Dreamliner planes, also used by El AL

The Times of Israel <gabe@gabegold.com>

Date: Mon, 17 Jun 2019 15:21:16 -0400

Airline pilots have expressed concern over the safety of the Boeing 787 Dreamliner aircraft after an engine firefighting system was found to be faulty. ...

However, the Federal Aviation Administration (FAA) is not grounding 787s even though it says the switch presents a `risk to the flying public'. ...

“If there was an engine fire on a transatlantic flight and the aircraft had one of the defective fire switches, then we would have to fly with a burning wing for up to three hours before we could safely land,'' a British airline pilot, who was not identified, told the Observer. ...

The US aircraft manufacturing giant said less than 1 percent of the switches have failed and that it is assisting airlines in dealing with the issue. ...

“Engine fires are a very unlikely event and there have been no observed engine fires in the 787 fleet history,'' the spokesperson said.

https://www.timesofisrael.com/pilots-fear-for-fire-safety-of-dreamliner-planes-also-used-by-el-al-report/

Oh, OK then.

Top AI researchers race to detect deepfake videos: ``We are outgunned.''

Drew Harwell <rforno@infowarrior.org>

Date: June 14, 2019 at 4:09:14 AM GMT+9

Drew Harwell, WashPost, 12 Jun 2019 https://www.washingtonpost.com/technology/2019/06/12/top-ai-researchers-race-detect-deepfake-videos-we-are-outgunned/

Top artificial-intelligence researchers across the country are racing to defuse an extraordinary political weapon: computer-generated fake videos that could undermine candidates and mislead voters during the 2020 presidential campaign.

And they have a message: We're not ready.

The researchers have designed automatic systems that can analyze videos for the telltale indicators of a fake, assessing light, shadows, blinking patterns—and, in one potentially groundbreaking method, even how a candidate's real-world facial movements—such as the angle they tilt their head when they smile—relate to one another.

But for all that progress, the researchers say they remain vastly overwhelmed by a technology they fear could herald a damaging new wave of disinformation campaigns, much in the same way fake news stories and deceptive Facebook groups were deployed to influence public opinion during the 2016 election.

Powerful new AI software has effectively democratized the creation of convincing deepfake videos, making it easier than ever to fabricate someone appearing to say or do something they didn't really do, from harmless satires and film tweaks to targeted harassment and deepfake porn.

And researchers fear it's only a matter of time before the videos are deployed for maximum damage—to sow confusion, fuel doubt or undermine an opponent, potentially on the eve of a White House vote.

Zuckerfake

Vice <geoff@iconia.com>

Date: Thu, 13 Jun 2019 03:52:31 -0700

*A fake video of Mark Zuckerberg giving a sinister speech about the power of Facebook has been posted to Instagram. The company previously said it would not remove this type of video.*

EXCERPT:

Two artists and an advertising company created a deepfake of Facebook founder Mark Zuckerberg saying things he never said, and uploaded it to Instagram.

The video, created by artists Bill Posters and Daniel Howe in partnership with advertising company Canny, shows Mark Zuckerberg sitting at a desk, seemingly giving a sinister speech about Facebook's power. The video is framed with broadcast chyrons that say “We're increasing transparency on ads," to make it look like it's part of a news segment...

https://www.vice.com/en_us/article/ywyxex/deepfake-of-mark-zuckerberg-facebook-fake-video-policy

Hackers behind dangerous oil and gas intrusions are probing US power grid

Ars Technica <monty@roscom.com>

Date: Sun, 16 Jun 2019 01:02:20 -0400

https://arstechnica.com/information-technology/2019/06/hackers-behind-dangerous-oil-and-gas-intrusions-are-probing-us-power-grids/

Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters

NYTimes <monty@roscom.com>

Date: Sun, 16 Jun 2019 00:30:40 -0400

https://www.nytimes.com/2019/06/13/world/asia/hong-kong-telegram-protests.html

An attack against the messaging app Telegram and the arrest of a user show how the Hong Kong clash is unfolding digitally, with growing sophistication on both sides.

Auto-renting bugs

Amos Shapir <amos083@gmail.com>

Date: Fri, 14 Jun 2019 09:10:22 +0300

The city of Tel Aviv operates an in-city car renting service named Autotel <www.autotel.co.il> controlled by a smartphone application. Users download the application and register a credit card; then they can locate a car nearby and reserve it for up to 15 minutes. When reaching the car, the application is used to unlock the car (the keys are inside); and then to lock it at the end of the trip.

The following tweet by a poster identified as "Nur Lan", has been making the rounds lately (my translation): "I reserved a car in the application, and after a long walk discovered that the car is not parked where it was supposed to be on the map. While looking around, I noticed that the application indicates that the car is in motion for the past few minutes. So I pressed "end trip"; a minute later I got a call from Autotel: "We do not know how it had happened, but someone else took the car on your reservation, and now he called in to complain that the engine had turned off in the middle of the trip"

The tweet continues "There are two reasons this is a case of glorious misconduct: The first bug, which enables one user to collect another user's reservation, is mainly stupid. The second bug, which enables shutting down the engine remotely, is negligence which might be lethal. There should be no way to shut down an engine remotely, certainly not by a user's application".

"I received a compensation of 20 shekels [about $5.50] for the taxi trip. I hope that the other driver's compensation had made his near-death experience more profitable".

There were reports lately of similar occurrences being possible on some smart car models, but these at least required hacking the car's system first!

Google: Our way or the Huawei!

Henry Baker <hbaker1@pipeline.com>

Date: Wed, 12 Jun 2019 08:27:56 -0700

“Google's recent discussions with the US government actually argue that the Huawei ban is bad for national security. Google is reportedly asking for an exemption from the export ban.''

I asked Google Translate what to make of this Googledegook, and she provided several possibilities:

“Nice little Android monopoly you have there, Google; it would be a shame if anything happened to it.''

“"NSA on Huawei's new OS plans: we're forked!''

https://arstechnica.com/gadgets/2019/06/report-google-argues-the-huawei-ban-would-hurt-its-android-monopoly/

Keep your friends close, and your enemies closer

Report: Google argues the Huawei ban would hurt its Android monopoly

Export ban would create a competitor to US operating systems, argues Google.

Ron Amadeo - Jun 7, 2019 8:15 pm UTC

The Trump administration would probably describe its Huawei export ban as a move that improves national security by keeping China's pet telecom company out of the US market. According to a report from The Financial Times, Google's recent discussions with the US government actually argue that the Huawei ban is bad for national security. Google is reportedly asking for an exemption from the export ban.

The argument, reportedly, is that Huawei is currently dependent on Google for its Android smartphone software, and that dependence is a good thing for the US. The Financial Times quotes "one person with knowledge of the conversations" as saying, "Google has been arguing that by stopping it from dealing with Huawei, the US risks creating two kinds of Android operating system: the genuine version and a hybrid one. The hybrid one is likely to have more bugs in it than the Google one, and so could put Huawei phones more at risk of being hacked, not least by China."

Today, non-Google Play versions of Android exist in China, but it's rare that any of them are significantly different from a Google version of Android beyond the pre-loaded app selection. Chinese manufacturers are still global smartphone distributors, so they all build Google-approved Android OSes for the non-Chinese market. What usually happens is that a single OS goes through the Google testing process, then it gets split into two versions. Internationally, it gets the Google Apps; in China, it gets a China-centric app selection.

So while these Chinese Android OSes are still technically Android forks, because they don't ship with Google Play, they are not that different from Google-approved Android. Google's control over the Android ecosystem -- even when devices don't use the Google apps -- means there is still some level of security and updatability going into these devices. Google's first argument in that Financial Times report is that more secure devices are better for national security.

The second argument in the above quote is that a ban would `create two kinds of Android' and hurt Google's monopoly over Android. If you're a smartphone manufacturer looking for a smartphone OS, Android is the only game in town. The latest worldwide OS market share numbers from the IDC show an 86.6/13.3 percent share between Android and iOS, respectively, with "Other" clocking in at 0.0 percent market share. Taken as a whole, the US has a smartphone OS monopoly.

For companies that aren't Apple, it's Android or nothing, and Google controls Android, both the direction of the OS itself and the OS's app ecosystem. Weaning Huawei off its Google dependence would theoretically lead the company to create some kind of viable, China-powered, China-controlled Android operating system that would then be distributed to the rest of the world. Android is open source, so there's nothing stopping anyone from doing this now, but part of Google's control strategy is to create tools and updates that are so good that no one wants to compete with them. Cutting Huawei off from those updates would force that company to create a competitor.

Banning Huawei from dealing with US companies is definitely a double-edged sword. Huawei would have a tough time building smartphones or an app ecosystem without the help of US-originated technology and app developers, but US hardware and software companies would lose access to the second largest smartphone maker in the world.

Really, the two outcomes here, if the export ban holds up, are that either (1) Huawei can't handle the export ban and shuts down, like ZTE did, or (2) Huawei weathers the storm and rises as a rebuilt, fully US independent smartphone company. Google's argument is basically along the lines of that old saying, “Keep your friends close and your enemies closer.''

https://www.pocket-lint.com/phones/news/huawei/148345-huawei-hongmeng-os-faster-than-android-oppo-vivo

Huawei's alternative OS said to be faster than Android, attracting the attention of other vendors

Chris Hall | 12 June 2019

Android/iPhone fun -- security, risks...

ToI and UK Mirror <gabe@gabegold.com>

Date: Mon, 17 Jun 2019 17:10:53 -0400

Israeli tech company says it can break into all iPhones ever made, some Androids | The Times of Israel

https://www.timesofisrael.com/israeli-tech-company-says-it-can-break-into-all-iphones-ever-made-some-androids/

Android warning: Dangerous malware discovered pre-installed on THESE smartphones

https://www.mirror.co.uk/tech/dangerous-malware-discovered-pre-installed-16529887

New security warning issued for Google's 1.5B Gmail/Calendar Users

Forbes <monty@roscom.com>

Date: Sat, 15 Jun 2019 20:21:17 -0400

Google's Gmail email service is used by upwards of 1.5 billion people. The Google Calendar app, meanwhile, has been downloaded more than a billion times from the Play Store. Security researchers have this week warned that threat actors are exploiting the popularity of both in order to target users with a credential-stealing attack. Here's what you need to know.

https://www.forbes.com/sites/daveywinder/2019/06/11/new-security-warning-issued-for-googles-1-5-billion-gmail-and-calendar-users/#3d17ba95565e

How spammers use Google services

Kaspersky <monty@roscom.com>

Date: Sat, 15 Jun 2019 20:22:08 -0400

Kaspersky, 10 Jun 2019

As you know, Google is not just a search tool, but multiple services used by billions of people every day: Gmail, Calendar, Google Drive, Google Photos, Google Translate, the list goes on. And they are all integrated with each other. Calendar is linked to Gmail, Gmail to Google Drive, Google Drive to Google Photos, and so on.

It's all very handy—register once and away you go. And there's no need to mess around moving files and data between services; Google does everything for you. The downside is that online fraudsters have learned to exploit the convenience of Google services to send spam or worse.

https://usa.kaspersky.com/blog/spam-through-google-services/17799/

This 'most dangerous' hacking group is now probing power grids

Steve Ranger <gene@shaw.ca>

Date: Tue, 18 Jun 2019 11:11:01 -0700

Steve Ranger, Cyberwar and the Future of Cybersecurity, 14 Jun 2019

https://www.zdnet.com/article/this-most-dangerous-hacking-group-is-now-probing-power-grids/

This 'most dangerous' hacking group is now probing power grids

Hackers that tried to interfere with the safety systems of an industrial plant are now looking at power utilities too.

opening text:

A hacking group described as the 'most dangerous threat' to industrial systems has taken a close interest in power grids in the US and elsewhere, according to a security company.

Masters ticket lottery scheme involved identity theft, millions of emails

WashPost <monty@roscom.com>

Date: Tue, 18 Jun 2019 16:02:55 -0400

https://www.washingtonpost.com/sports/2019/06/18/texas-family-gamed-masters-ticket-lottery-using-identity-theft-millions-emails/

Facial Recognition: How Emotion Reading Software Will Change Driving

Fortune <gabe@gabegold.com>

Date: Wed, 12 Jun 2019 15:10:49 -0400

This will mean that automakers may come to build vehicles that may adjust comfort factors like heat, lighting, and entertainment based on visual cues from their individual occupants—features that could be especially appealing as more autonomous cars hit the roads.

“It's really important technology not only have IQ, but lots of EQ too,'' said el Kaliouby, speaking on Tuesday morning at Fortune's CEO Initiative in New York.

She added that building empathy into machines is especially important given that humans use words for only 7% of their communications. The other 93%, el Kaliouby says, consists of vocal intonations, expression, and body language.

http://fortune.com/2019/06/11/facial-recognition-cars/

Car tweaking entertainment, heat, lighting (?!) is about as appealing as a visit from one of the bad Terminators.

DJI's New Drone for Kids Is a $500 Tank That Fires Lasers and Pellets

Bloomberg <geoff@iconia.com>

Date: Thu, 13 Jun 2019 03:51:26 -0700

*The king of quadcopters is betting on a build-your-own set to get students excited about robotics.*

EXCERPT:

DJI, the world's largest drone maker, has come down to Earth.

On June 11, the company most closely associated with quadcopters plans to unveil a toaster-size robotic tank called the RoboMaster S1. Made of plastic and metal, it has four wheels, a rectangular base, and a gun turret that can swivel and fire lasers or tiny plastic pellets. Unlike DJI's flying drones, which do everything from taking pretty pictures to fertilizing fields, the RoboMaster is part teaching tool and part battle bot. The odd contraption ships as a kit that people must assemble, learning about robotics and software along the way.

“By doing the assembly process, you get to understand what each part is used for and what the principles are behind it,'' says Shuo Yang, one of the lead engineers. “We want it to look like an interesting toy that then teaches basic programming and mechanical knowledge.'' Once built, the RoboMaster S1 can be used to blast away at other S1s during some good, old-fashioned at-home family combat...

https://www.bloomberg.com/news/articles/2019-06-12/dji-s-robomaster-s1-drone-tank-fires-lasers-and-pellets

Your Cadillac Can Now Drive Itself More Places

WiReD <gabe@gabegold.com>

Date: Mon, 17 Jun 2019 23:05:42 -0400

Cadillac Super Cruise, the luxury automaker's hands-off driver assistance system, will by the end of the year work on more than 200,000 miles of highway in the US and Canada, 35 percent more territory than it covered when it launched in 2017. The bulk of the new miles come from divided highways -- the sort of road where Tesla's Autopilot system has suffered two high-profile deadly crashes, and where Cadillac's engineers are confident their system can do better.

Super Cruise drivers—the system is available only on the CT6 sedan, and is moving to the CT5 sedan next year—have to trek to their dealer to get the software upgrade to take advantage of the newly added parts of the map. The process is free, and takes about an hour. After that, Cadillac will send out the updated maps via over-the-air software updates starting this summer and into the fall.

https://www.wired.com/story/your-cadillac-can-now-drive-itself-more-places/

Yum—tasty updates over-the-air. What could go wrong?

Four Ways to Avoid Facial Recognition Online and in Public

Gabe Goldberg <gabe@gabegold.com>

Date: Tue, 11 Jun 2019 16:06:51 -0400

1. Disabling Facial Recognition on Facebook

2. Use FaceShield When Uploading Photos

3. Use Hair and Makeup to Fool Facial Recognition

4. Use Clothing to Distract Facial Recognition

https://www.makeuseof.com/tag/avoid-facial-recognition/

Pretty funny. Wait, not entirely...

Breaking ground, IBM Haifa team holds live robot debate fed by crowd arguments

The Times of Israel <gabe@gabegold.com>

Date: Tue, 18 Jun 2019 17:00:26 -0400

The tech, when commercialized, could help companies and governments collect opinions, make more informed decisions.

https://www.timesofisrael.com/breaking-ground-ibm-haifa-team-holds-live-robot-debate-fed-by-crowd-arguments/

...or deliberately/inadvertently biased decisions, or decisions that common sense would rule out. And, most likely, decisions that can't be explained.

Apple spent $10,000 repairing his MacBook Pro. There was nothing wrong with it.

ZDNet <gene@shaw.ca>

Date: Wed, 12 Jun 2019 09:52:58 -0700

Apple spent $10,000 repairing his MacBook Pro. There was nothing wrong with it.

This may be the most absurd, convoluted Apple repair story you've ever heard.

Chris Matyszczyk for Technically Incorrect | June 12, 2019

https://www.zdnet.com/article/apple-spent-10000-repairing-his-macbook-pro-there-was-nothing-wrong-with-it/

selected text:

Don't turn your screen brightness off. The Pro may go dark for a very long time.

"So after losing about two weeks of my time, >$10,000 in Apple warranty repairs (two logic boards, new cables, and a complete replacement of a >$7,000 computer), troubleshooting input from several Apple Geniuses, level 1 and 2 tech support from Apple Corporate, diagnostic tests at the Apple Store, and diagnostic tests twice at Apple's repair facility in Texas; what was the root issue?" says Benz, knowing how to hang a cliff hanger.

He seems, you see, to be made of determined innards. He went to yet another Apple Genius and this one proved to be true to his moniker. Or, perhaps, he just stopped and thought a little longer than his fellow experts.

You see, he diagnosed there was nothing wrong with Benz's MacBook Pro. The issue, if you want to call it that, was that the screen brightness was turned all the way off.

Autonomous vehicles don't need provisions and protocols?

Rob Slade <rmslade@shaw.ca>

Date: Fri, 14 Jun 2019 11:36:49 -0700

I'm at a conference on "Smart Cities." Lots of verbiage on IoT, etc. Last speaker of the day is pontificating on all kinds of security and technology buzzwords. And, at one point, he says that cities have to work on protocols for the provision of "autonomous vehicles."

Excuse me?

I mean, there are all kinds of transport and transit systems, and some of them involve a lot of technology, and a number of them will need provisions and protocols. But ...

What part of "autonomous" do you not understand? Autonomous means that it works by itself. It doesn't need your provision. It doesn't need your protocols. It is designed, as far as possible, to work by itself. That means your protocols are basically irrelevant.

OK, you can design some regulatory protocols if you wish. But you are one city. Even if you are New York, you are a small part of the vehicle market. The manufacturers are going to build what they think will sell. Worldwide. If you want to create a regulatory protocol, fine. Just don't expect anyone to care, if it gets in the way of functions or sales.

Info stealing Android apps can grab one time passwords to evade 2FA protections

ZDNet <gene@shaw.ca>

Date: Tue, 18 Jun 2019 11:32:01 -0700

https://www.zdnet.com/article/info-stealing-android-apps-can-now-access-passwords-to-avoid-2fa-protections/

Info stealing Android apps can grab one time passwords to evade 2FA protections

Google restricted SMS controls. Hackers found a way around it.

Charlie Osborne for Zero Day | 18 Jun 2019

Facebook Plans Global Financial System Based on Cryptocurrency

NYTimes <gabe@gabegold.com>

Date: Tue, 18 Jun 2019 11:07:26 -0400

https://www.nytimes.com/2019/06/18/technology/facebook-cryptocurrency-libra.html

News that sounds like a joke. WHAT could go wrong...

Libra

Rob Slade <rmslade@shaw.ca>

Date: Tue, 18 Jun 2019 12:00:36 -0700

Facebook wants to start a cryptocurrency, and become your bank. Yes, that Facebook, the one that has proven to be so untrustworthy with all the data entrusted to it so far. Now you want to give it details on all your banking transactions and purchases? Besides, with most current cryptocurrency implementations, don't you get to "unmask" all the transactions if you own the whole blockchain? And who is going to own the whole Libra blockchain?

Then there is the spin on this. Facebook is "doing good" with Libra, because almost two billion people don't have bank accounts, and with Libra, they can! (Only, if they don't have bank accounts now, how on earth are they going to put money into Libra, or get it out?)

And, given that estimates for Bitcoin operation (let alone mining) approximate the power and carbon footprint of a medium-sized country, what is going to happen to global warming with Facebook pushing Libra to all of its mindless zombie hordes?

OK, Libra is going to be a "stablecoin," and therefore mining isn't an issue, but how extensively has it been tested before you release it for trial by every hacker in the world? OK, yes, the major credit cards are on board (is SET coming back?), but is it really ready for prime time?

Porn trolling mastermind Paul Hansmeier gets 14 years in prison.

Ars Technica <monty@roscom.com>

Date: Sun, 16 Jun 2019 01:04:05 -0400

https://arstechnica.com/tech-policy/2019/06/porn-trolling-mastermind-paul-hansmeier-gets-14-years-in-prison/

Mudslide warning system depends on proper boundary file

Dan Jacobson <jidanni@jidanni.org>

Date: Sat, 15 Jun 2019 08:07:12 +0800

No matter how good a mudslide warning system is, if a government boundary file places cell towers in the wrong district, phones in district B will get warnings intended for district A, and phones in district A won't get any warnings at all.

Mom used phone tracking app after daughter missed curfew, found her pinned under car 7 hours later

FoxNews <monty@roscom.com>

Date: Sat, 15 Jun 2019 20:14:44 -0400

http://www.fox13news.com/news/mom-used-phone-tracking-app-after-daughter-missed-curfew-found-her-pinned-under-car-7-hours-later

In Stores, Secret Surveillance Tracks Your Every Move

NYTimes <geoff@iconia.com>

Date: Sun, 16 Jun 2019 01:54:02 -0700

*As you shop, `beacons' are watching you, using hidden technology in your phone.*

EXCERPT:

Imagine you are shopping in your favorite grocery store. As you approach the dairy aisle, you are sent a push notification in your phone: 10% off your favorite yogurt! Click here to redeem your coupon. You considered buying yogurt on your last trip to the store, but you decided against it. How did your phone know?

Your smartphone was tracking you. The grocery store got your location data and paid a shadowy group of marketers to use that information to target you with ads. Recent reports have noted how companies use data gathered from cell towers, ambient Wi-Fi, and GPS. But the location data industry has a much more precise, and unobtrusive, tool: Bluetooth beacons.

These beacons are small, inobtrusive electronic devices that are hidden throughout the grocery store; an app on your phone that communicates with them informed the company not only that you had entered the building, but that you had lingered for two minutes in front of the low-fat Chobanis.

Most location services use cell towers and GPS, but these technologies have limitations. Cell towers have wide coverage, but low location accuracy: An advertiser can think you are in Walgreens, but you're actually in McDonald's next door. GPS, by contrast, can be accurate to a radius of around five meters (16 feet), but it does not work well indoors.

Bluetooth beacons, however, can track your location accurately from a range of inches to about 50 meters. They use little energy, and they work well indoors. That has made them popular among companies that want precise tracking inside a store....

https://www.nytimes.com/interactive/2019/06/14/opinion/bluetooth-wireless-tracking-privacy.html

[Also noted by Gabe Goldberg. PGN]

Was your flight delay due to an IT outage? What a new report on airline IT tells us.

ZDNet <monty@roscom.com>

Date: Sat, 15 Jun 2019 20:18:27 -0400

... From 2015 through 2017, most airline IT outages were serious enough to disrupt flights, according to a government agency, but the full impact of the industry's IT problems is hard to calculate.

https://www.zdnet.com/article/was-your-flight-delay-due-to-an-it-outage-what-a-new-report-on-airline-it-tells-us/

Patients frustrated over computer system outage at Abrazo Health Hospitals

AZFamily <monty@roscom.com>

Date: Sat, 15 Jun 2019 20:16:23 -0400

https://www.azfamily.com/news/patients-frustrated-over-computer-system-outage-at-abrazo-health-hospitals/article_099c9d74-8f23-11e9-8030-2b5b391b080a.html

Power outage at Greensboro apartments has unintended consequence, reveals alleged Medicaid scheme

Monty Solomon <monty@roscom.com>

Date: Sat, 15 Jun 2019 20:17:30 -0400

https://www.greensboro.com/power-outage-at-greensboro-apartments-has-unintended-consequence-reveals-alleged/article_5f215b6e-3713-567d-908a-7873cfea3a6b.html

Is Target still down? Chain says registers working now after outage.

USA Today <monty@roscom.com>

Date: Sat, 15 Jun 2019 20:10:14 -0400

https://www.usatoday.com/story/money/2019/06/15/target-registers-down-shoppers-reporting-outage-saturday/1465476001/

Instagram Outage Follows Disruption To PlayStation Network

Deadline <monty@roscom.com>

Date: Sat, 15 Jun 2019 20:15:25 -0400

https://techcrunch.com/2019/06/13/spotify-outage-not-related-to-todays-update-company-is-working-on-a-fix/

The PlayStation Network Is Back Up. Here's the Latest on the PSN Outage

Digital Trends <monty@roscom.com>

Date: Sat, 15 Jun 2019 20:13:40 -0400

https://deadline.com/2019/06/instagram-outage-follows-disruption-to-playstation-network-1202632448/

In the Wiggle of an Ear, a Surprising Insight into Bat Sonar

Scientific American <monty@roscom.com>

Date: Sat, 15 Jun 2019 20:16:45 -0400

https://www.digitaltrends.com/gaming/playstation-network-psn-down-outage-updates/

'RAMBleed' Rowhammer attack can now steal data, not just alter it

ZDNet <rmstein@ieee.org>

Date: Mon, 17 Jun 2019 16:43:01 -0700

https://www.scientificamerican.com/article/in-the-wiggle-of-an-ear-a-surprising-insight-into-bat-sonar/

"...the two researchers developed an artificial horseshoe bat ear out of silicon, with devices called 'fast actuators' that move different parts of the ear in the same way bats do. These movements also added Doppler shifts to incoming sounds."

Bats apply Doppler shift detection from echolocation stimulus to locate meals, navigate, and dodge flying or static obstacles.

The research suggests that delivery drones might someday be equipped with artificial bat ears to assist drone navigation of the sky. The sky is "complicated and unpredictable": trees, telephone poles, aircraft, birds, bugs—all kinds of obstacles that can interfere with drone delivery.

Delivery zones with buried power lines, and sparse foliage or tree cover might only require GPS navigation to complete their route. But a heavy population center or a suburban landscape with telephone poles, or tree-lined streets might require echolocation and GPS to reach their destination.

Correlating GPS and echolocation signals to reach fixed coordinates presents a complicated, challenging problem.

Cruise missiles (CMs) can achieve payload delivery using nap-of-the-earth navigation and RADAR, though CMs are unlikely concerned with telephone poles, foliage, road signs, bill boards, etc.

Risk: Ultrasonic sensor overload, sensor image correlation failure.

Ransomware halts production for days at major airplane parts manufacturer

Catalin Cimpanu <gene@shaw.ca>

Date: Wed, 12 Jun 2019 09:43:20 -0700

https://www.zdnet.com/article/rambleed-rowhammer-attack-can-now-steal-data-not-just-alter-it/ 'RAMBleed' Rowhammer attack can now steal data, not just alter it Academics detail new Rowhammer attack named RAMBleed. By Catalin Cimpanu for Zero Day | June 11, 2019—17:00 GMT (10:00 PDT) |

opening text:

A team of academics from the US, Austria, and Australia, has published new research today detailing yet another variation of the Rowhammer attack.

The novelty in this new Rowhammer variety—which the research team has named RAMBleed—is that it can be used to steal information from a targeted device, as opposed to altering existing data or to elevate an attacker's privileges, like all previous Rowhammer attacks, have done in the past.

Study finds that a GPS outage would cost $1 billion per day

Ars Technica <gene@shaw.ca>

Date: Fri, 14 Jun 2019 10:05:38 -0700

Catalin Cimpanu for Zero Day | June 12, 2019

https://www.zdnet.com/article/ransomware-halts-production-for-days-at-major-airplane-parts-manufacturer/ Ransomware halts production for days at major airplane parts manufacturer Nearly 1,000 employees sent home for the entire week, on paid leave.

opening text:

ASCO, one of the world's largest suppliers of airplane parts, has ceased production in factories across four countries due to a ransomware infection reported at its plant in Zaventem, Belgium.

Re: GPS Degraded Across Much of U.S

jared gottlieb <monty@roscom.com>

Date: Sun, 16 Jun 2019 01:51:40 -0400

https://arstechnica.com/science/2019/06/study-finds-that-a-gps-outage-would-cost-1-billion-per-day/

Did I Tweet that?

Rob Slade <jared@netspace.net.au>

Date: Sun, 16 Jun 2019 19:06:52 -0600

This event seems to be a software bug in a system processing GPS data. A bulletin from one manufacturer discussing one model of a commercial aviation GPS receiver (https://www.duncanaviation.aero/files/intellegence/GPS_CustomerComm_FINAL.pdf):

<<Our team has been actively working to determine a root cause. We found that a software design error resulted in the system misinterpreting GPS time updates due to a leap-second event, which typically occurs once every 2.5 years within the U.S. Government GPS satellite almanac update. Our GPS-4000S-100 version software's timing calculations have reacted to this leap second by not tracking satellites upon power-up and subsequently failing. The U.S. Government distributed a regularly scheduled almanac update with this leap second on 0:00GMT, Sunday, June 9, 2019, and the failures began to occur soon after. The next scheduled update by the U.S. Government to the GPS constellation is set for next Sunday, June 16 at 00:00Z. At this time, we do not believe this update will have the time information that triggers this error. We are testing additional impact of this next almanac update. ...>>

Handling leap seconds is a software risk which has affected many systems beyond GPS receivers (a few of which have appeared in comp.risks). GPS receivers have had other time concerns, perhaps most recently the 6 April 2019 week-number rollover, if a receiver used the legacy 10-bit value and firmware updates were not available or applied.

What the almanac update issue was, or why it would be experienced with this one update, is not clear. There has not been a leap second for more than two years and none is currently planned (IERS Bulletin C ... announcements of the leap seconds ... https://datacenter.iers.org/data/latestVersion/16_BULLETIN_C16.txt).

Testing of this receiver's software is extended by the 'power-up' pre-condition mentioned in the bulletin; an aircraft manufacturer's notice illustrates the complexity of this unit's initiation: https://support.cessna.com/custsupt/contacts/pubs/ourpdf.pdf%3Fas_id%3D50304
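The two receiver time pitfalls named in the post, the 10-bit week-number rollover and a leap second scheduled through the almanac's UTC parameters, worked through as an added Python example. This is not the receiver vendor's code and nothing from the bulletin; the field names ΔtLS, ΔtLSF, WN_LSF and DN are the public GPS nav-message UTC parameters, while the helper names, the firmware-build-date anchor and the assumption that DN counts Sunday as 1 are mine. The few seconds immediately around an inserted leap second, which the interface spec handles with special-case arithmetic, are deliberately left out, so the offset selection here is only valid away from that window.

```python
"""GPS week-number rollover and leap-second (GPS-UTC offset) handling.

Added example code, not the receiver vendor's or the RISKS poster's. The
constants come from the public GPS interface spec; the helpers are hypothetical.
"""
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # GPS week 0, time-of-week 0
SECONDS_PER_WEEK = 7 * 86400
LEGACY_WEEK_MODULUS = 1024   # the legacy nav message carries a 10-bit week number
WN_LSF_MODULUS = 256         # WN_LSF (week of the next leap second) is 8 bits


def resolve_legacy_week(week10: int, not_before: datetime) -> int:
    """Full GPS week for a 10-bit week number.

    The 10-bit value repeats every 1024 weeks (Aug 1999, Apr 2019, ...), so the
    receiver needs an anchor it knows the present cannot precede, e.g. its
    firmware build date (assumption). Anchored at the epoch, week 0 of the 2019
    cycle decodes as January 1980, which is the classic rollover failure."""
    anchor_week = (not_before - GPS_EPOCH).days // 7
    full = anchor_week - (anchor_week % LEGACY_WEEK_MODULUS) + (week10 % LEGACY_WEEK_MODULUS)
    if full < anchor_week:
        full += LEGACY_WEEK_MODULUS
    return full


def resolve_wn_lsf(wn_lsf8: int, current_week: int) -> int:
    """WN_LSF is broadcast modulo 256; take the full week closest to the current one."""
    base = current_week - (current_week % WN_LSF_MODULUS) + (wn_lsf8 % WN_LSF_MODULUS)
    return min((base - WN_LSF_MODULUS, base, base + WN_LSF_MODULUS),
               key=lambda w: abs(w - current_week))


def gps_utc_offset(week: int, tow: int, dt_ls: int, dt_lsf: int,
                   wn_lsf8: int, dn: int) -> int:
    """GPS-UTC offset (seconds) in force at GPS time (week, tow).

    dt_ls   offset currently in effect (delta t_LS)
    dt_lsf  offset after the scheduled leap second (delta t_LSF)
    wn_lsf8 week (mod 256) and dn day-of-week (1 = Sunday .. 7 = Saturday, an
            assumption matching the nav-message convention) at whose end the
            new offset applies.
    An advertised event whose effectivity lies in the past is simply "already
    applied"; it must not be mistaken for a new pending leap second. The seconds
    around the inserted second itself need the spec's special case (omitted)."""
    eff_week = resolve_wn_lsf(wn_lsf8, week)
    now_s = week * SECONDS_PER_WEEK + tow
    eff_s = eff_week * SECONDS_PER_WEEK + dn * 86400   # end of day DN
    return dt_lsf if now_s >= eff_s else dt_ls


def gps_to_utc(week: int, tow: int, offset: int) -> datetime:
    """Convert a full GPS week plus time-of-week to UTC using the given offset."""
    return GPS_EPOCH + timedelta(weeks=week, seconds=tow - offset)


def decode_legacy(week10: int, tow: int, not_before: datetime,
                  dt_ls: int, dt_lsf: int, wn_lsf8: int, dn: int) -> datetime:
    """End to end: 10-bit week + TOW + almanac UTC parameters -> UTC datetime."""
    week = resolve_legacy_week(week10, not_before)
    offset = gps_utc_offset(week, tow, dt_ls, dt_lsf, wn_lsf8, dn)
    return gps_to_utc(week, tow, offset)


if __name__ == "__main__":
    # Week 0 of the third 1024-week cycle, read by a receiver built in 2018:
    print(gps_to_utc(resolve_legacy_week(0, GPS_EPOCH.replace(year=2018)), 0, 18))
    # The same bits read by a receiver anchored at the epoch: 6 January 1980.
    print(gps_to_utc(resolve_legacy_week(0, GPS_EPOCH), 0, 0))
```

The WN_LSF values in the tests below encode the 31 December 2016 leap second (GPS week 1929, Saturday, when the offset went from 17 to 18 s); the rollover instants they check are the published ones (21 Aug 1999 23:59:47 UTC and 6 Apr 2019 23:59:42 UTC).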

Did I Tweet that?

Rob Slade <rmslade@shaw.ca>

Date: Sat, 15 Jun 2019 10:22:39 -0700

A researcher has noted that Twitter reference URLs can be manipulated to make it appear someone said/tweeted something when they actually didn't.

https://www.bleepingcomputer.com/news/security/twitter-urls-can-be-manipulated-to-spread-fake-news-and-scams/

So, I tweeted a warning: https://www.twitter.com/rslade/status/1087839317534363648

Well, of course, actually, no I didn't. If you look closely at the resulting page, you'll see it isn't my account at all. Twitter doesn't care what account you put in the URL: it just cares about the tweet status ID.

Donald Trump is so concerned that he retweeted my warning: https://www.twitter.com/realDonaldTrump/status/1087839317534363648

So did the Queen: https://www.twitter.com/RoyalFamily/status/1087839317534363648
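A check that a link-vetting or fact-checking pipeline could run over tweet links, as an added example that is neither Rob's code nor anything Twitter provides: it parses the URL forms that twitter.com serves, looks up who actually posted the status ID, and flags a link whose account segment does not match. The host list and path shapes are the familiar twitter.com ones; the status ID, the handles and the dictionary standing in for an author lookup are constructed.

```python
"""Detect tweet links whose account segment does not match the tweet's real author.

Added example with constructed data; not code from the post or from Twitter.
"""
import re
from urllib.parse import urlsplit

# Hosts that serve status pages (www and mobile variants behave the same).
TWITTER_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}

# /<handle>/status/<id> (older links use /statuses/), and the handle-less
# /i/web/status/<id> form. Handles are 1-15 chars of [A-Za-z0-9_].
STATUS_PATH = re.compile(r"^/(?P<handle>[A-Za-z0-9_]{1,15})/status(?:es)?/(?P<id>\d+)/?$")
WEB_PATH = re.compile(r"^/i/web/status/(?P<id>\d+)/?$")

# Constructed stand-in for an author lookup (an API call in a real pipeline):
# status id -> handle that actually posted it.
KNOWN_AUTHORS = {"1234567890123456789": "alice_example"}


def parse_tweet_url(url: str):
    """Return (claimed_handle or None, status_id), or None if not a tweet URL."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or parts.netloc.lower() not in TWITTER_HOSTS:
        return None
    m = STATUS_PATH.match(parts.path)
    if m:
        return m.group("handle"), m.group("id")
    m = WEB_PATH.match(parts.path)
    if m:
        return None, m.group("id")
    return None


def check_attribution(url: str, lookup=KNOWN_AUTHORS) -> str:
    """Classify a link as ok, spoofed, unattributed, unknown or not_tweet."""
    parsed = parse_tweet_url(url)
    if parsed is None:
        return "not_tweet"
    claimed, status_id = parsed
    actual = lookup.get(status_id)
    if actual is None:
        return "unknown"        # cannot verify; treat as unverified, not as ok
    if claimed is None:
        return "unattributed"   # no account in the URL, so nothing to spoof
    # Handles are case-insensitive, so compare them folded.
    return "ok" if claimed.lower() == actual.lower() else "spoofed"


def canonical_tweet_url(url: str, lookup=KNOWN_AUTHORS):
    """Rewrite a status link so it names the real author; None if unresolvable."""
    parsed = parse_tweet_url(url)
    if parsed is None:
        return None
    _, status_id = parsed
    actual = lookup.get(status_id)
    if actual is None:
        return None
    return f"https://twitter.com/{actual}/status/{status_id}"


if __name__ == "__main__":
    for link in ("https://www.twitter.com/alice_example/status/1234567890123456789",
                 "https://www.twitter.com/bob_example/status/1234567890123456789",
                 "https://twitter.com/i/web/status/1234567890123456789"):
        print(check_attribution(link), canonical_tweet_url(link))
```

The point of `canonical_tweet_url` is that the only trustworthy part of such a link is the status ID; anything a pipeline stores or displays should be regenerated from the resolved author rather than copied from the submitted URL.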

Bull and backdoors

Rob Slade <rmslade@shaw.ca>

Date: Fri, 14 Jun 2019 09:34:06 -0700

We're binge-watching a TV show called "Bull." (For years I've had to be careful about watching movies and TV with a high-tech or security theme, since they make so many mistakes. Apparently, having spent a couple of decades teaching American law to Americans, I now have to avoid legal TV shows and movies as well.)

In one episode (s3e4) they have a computer expert (someone who can program) giving testimony. He is to explain a "backdoor."

Now, as everyone here knows, a backdoor (aka trapdoor) is a technical means of circumventing a technical control or safeguard, usually to do with access control. There are some legitimate uses for backdoors, generally in development, but they are generally considered a "bad thing" in production. The "expert" explains that a backdoor is a means of evading a control, but it's a (presumably technical, because he programmed it) means of evading a policy or regulatory control.

This piece of dialogue is a really interesting mix of fact and serious misunderstanding. Yes, a backdoor is a means of evading a control. But the backdoor and the control are of different types. Generally a technical evasion cannot evade a policy or regulatory control (although it might obfuscate the issue). To someone who only partially understands the situation, it might seem reasonable, but, in fact, in reality it makes no sense at all.

(Oh, come on. I wrote a *dictionary*, and you expect me to put up with this?)

(Yes, I know. This is why you don't want to watch technically themed movies and TV shows with me. Gloria has to put up with these kinds of interruptions and explanations *a lot*.)