RISKS Digest 30.72

Tuesday 12 June 2018

Another risk of driverless cars

PGN

Date: Mon, 11 Jun 2018 9:27:18 PDT

NPR reported today that Waymo is buying a slew of cars to create a driverless taxi fleet with no human overseer required in the car. Emergency takeover would be done by a fleet of well-trained remote admin personnel, *via cell phone*.

There seem to be some massive flaws in that reasoning. One is the need for real-time response. Another is unavailable cell-phone coverage.

I recall the case of someone who used his cellphone to start his car at home, and then drove into Red Rock Canyon Park, parked, and later tried to start his car (with the presence of his cellphone). Unfortunately, he had left his wireless unlocking/starting dongle at home, and there was no cell coverage in the canyon. His wife climbed up out of the canyon, called a neighbor who could get the remote dongle out of their house, and bring it to them so that they could drive home.

Just one more example of short-sightedness and lack of awareness...

Emirates looks to windowless planes

Date: Wed, 06 Jun 2018 19:44:30 -0700

Aviation safety expert Professor Graham Braithwaite of Cranfield University:

“Cabin crew need to be able to see outside the aircraft if there is an emergency. Being able to see outside the aircraft in an emergency is important, especially if an emergency evacuation has to take place. Flight attendants would need to check outside the aircraft in an emergency, for example for fire, before opening a door and commencing an evacuation - and anything that needed power to do this may not be easy to get certified by an aviation safety regulator.” Prof Braithwaite said the main obstacle in a windowless aircraft would be passenger perceptions of the technology.

However, aviation regulator the European Aviation Safety Agency said: "We do not see any specific challenge that could not be overcome to ensure a level of safety equivalent to the one of an aircraft fitted with cabin windows."

In addition to emergency evacuation slides, perhaps an emergency "peep hole" to supplement camera or screen failure?

[Perhaps the pilots would not need windows either, because everything is computer controlled? PGN]

180,000 Voters accidentally left off LA County polling place rosters

Irfan Khan

Date: Wed, 6 Jun 2018 5:50:18 PDT

[Photo: Poll worker Shannon Diaz puts up signs as voting begins at El Mercado de Los Angeles in Boyle Heights on Tuesday. (Irfan Khan / Los Angeles Times)]

If you are a registered voter in Los Angeles County and poll workers say they can't find your name on the roster at the polling place when you go to vote, don't worry—you can still cast a provisional ballot.

Some Angelenos needed a bit of reassurance that their votes would be counted in Tuesday's primary election after 118,522 voters' names were accidentally left off rosters due to a printing error, according to L.A. County Registrar Dean C. Logan.

About 2.3% of L.A. County's 5.1 million registered voters and 35% of the county's 4,357 precincts were affected by the error, according to figures provided by the registrar-recorder/county clerk's office, which was still trying to determine the reason for the printing error. Voters whose names are missing are being encouraged to file provisional ballots, which are verified by vote counters later.

Ontario election results Not a Number

Tony Marmic

Date: Fri, 8 Jun 2018 16:42:48 -0400

Early in the counting for the Ontario provincial election on Thursday evening 2018-06-07, I noticed the CBC election site displayed this dynamic table of popular vote numbers:

    Party   Votes      Vote Share
    PC      389,435    40.45%
    NDP     333,475    34.63%
    LIB     174,446    18.12%
    GRN     48,022     4.99%
    OTH     17,467     NaN%

The "NaN%" survived several on-the-fly updates to the numbers.

When I checked on Friday morning, with final results in, the table was

    Party   Votes        Vote Share
    PC      2,322,422    40.63%
    NDP     1,925,574    33.69%
    LIB     1,103,283    19.30%
    GRN     263,987      4.62%
    OTH     100,058      1.75%

It's not obvious to me why the first set of numbers should lead to a NaN for the "OTH" parties vote share rather than 1.81%. The page is still there at if anyone cares to investigate the code, but I don't know how long it'll last. One trusts that this code is purely for display on the CBC website, and has nothing to do with actual vote tallying...

In passing, this election was conducted with paper ballots hand marked and scanned by machine, with the ballots retained for hand recount if necessary, so pretty much Best Practice as I understand it. I don't believe any such recount has been called for.

Florida skips gun background checks for a year after employee forgets login

Naked Security

Date: Tue, 12 Jun 2018 11:52:23 -0400

In Florida, the site of recent mass shootings such as at the Stoneman Douglas High School and the Pulse nightclub, more than a year went by in which the state approved applications without carrying out background checks. This meant the state was unaware if there was a cause to refuse a licence to allow somebody to carry a hidden gun—for example, mental illness or drug addiction.

The reason is dismayingly banal: an employee couldn't remember her login.

All accredited journalists at the #KimTrumpSummit get a free USB fan

YCombinator

Date: Mon, 11 Jun 2018 16:04:31 -0700

[Nothing to worry about!]

Oh yeah. Just plug it into your computer. For sure.

Israelis nabbed in Philippines are tip of iceberg in alleged fraud gone global

The Times of Israel

Date: Tue, 12 Jun 2018 13:01:51 -0400

As police raid Israeli-operated boiler rooms in Asia and Eastern Europe, local law enforcement has yet to indict a single operative from an industry that has stolen billions

Sweden Tries to Halt Its March to Total Cashlessness

Bloomberg

Date: Mon, 11 Jun 2018 17:53:32 -0700

via NNSquad

The move is a response to Sweden's rapid transformation as it becomes one of the most cashless societies in the world. That's led to concerns that some people are finding it increasingly difficult to cope without access to mobile phones or bank cards. There are also fears around what would happen if the digital payments systems suddenly crashed.

Cryptocurrencies Lose Billions In Value After An Exchange Is Hacked

NPR

Date: Mon, 11 Jun 2018 21:59:28 PDT

Coinrail virtual currency exchange was breached, and lost only $40M. Ethereum dropped, and the end result was an estimated $40B lost over the weekend to cryptocurrencies overall. (PGN-ed)

"Cryptocurrency theft malware is now an economy worth millions"

NPR

Date: Fri, 08 Jun 2018 20:23:45 -0700

Charlie Osborne for Zero Day (7 Jun 2018)

Carbon Black research suggests that as interest in cryptocurrency rises, so does the market for weapons to steal it.

selected text:

The researchers estimate that over the past six months alone, a total of $1.1 billion has been stolen in cryptocurrency-related thefts, and approximately 12,000 marketplaces in the underbelly of the Internet are fueling this trend.

In total, there are roughly 34,000 products and services on sale that are related to cryptocurrency theft, ranging from just over a dollar in price to $224, with an average cost of around $10.

"The available dark web marketplaces represent a $6.7 million illicit economy built from cryptocurrency-related malware development and sales," the researchers say.

Quebec Halts Bitcoin Mining Power Requests Amid Booming Demand

Charlie Osborne

Date: Sun, 10 Jun 2018 18:06:14 -0400

Hydro-Quebec will temporarily stop processing requests from cryptocurrency miners so that it can continue to fulfill its obligations to supply electricity to the entire province.

Canada's biggest electric utility is facing unprecedented demand from blockchain companies that exceeds Hydro-Quebec's short- and medium-term capacity, according to a statement Thursday. In the coming days, Hydro-Quebec will file an application to the province's energy regulator proposing a selection process for blockchain industry projects.

Hydro-Quebec has been courting cryptocurrency miners in recent months in a bid to soak up surplus energy from dams in northern Quebec. Power rates in the province are the lowest in North America, both for consumers and industrial customers.

Always risky, getting what you want.

Then, there's this...

...which one commenter somewhere suggests should be used to mine bitcoins. Besides petaflop ratings, we need potential kWh/bitcoin comparisons.

The Spanish Liga uses the phone microphone of millions of fans to spy on bars

El Diario

Date: Sun, 10 Jun 2018 21:01:19 -0400

Original article (in Spanish):

Automated translation:

The Liga de F

Navy Contractor Hacked: Reams of Secret Documents Taken

WashPo

Date: Fri, 8 Jun 2018 17:10:09 -0400

*The Washington Post* reports "Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare - including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials." Gee. Do you think connecting secret documents to the Internet is wise? Good thing the Manhattan Project only had a Russian spy in their midst. Otherwise the Soviets may have stolen nuclear secrets and got the bomb before 1949.

[Also noted by Jose Maria Mateos. PGN]

G Suite leaks in 10,000+ orgs: Google UX blamed, fury at no-bug defense

TechBeacon

Date: Thu, 7 Jun 2018 07:50:14 -0700

via NNSquad

People keep misconfiguring G Suite to leak their companies' private data. An estimated 10,000 or more organizations are affected. Google denies it's a bug, passive-aggressively telling people to RTFM. But that's not the point, is it? Given the scale of the problem, shouldn't la GOOG be fixing an obvious admin UX problem?

When you blame the users in situations like this, you've already lost the argument.

"Password reset flaw at Internet giant Frontier allowed account takeovers"

Zack Whittaker

Date: Fri, 08 Jun 2018 20:28:37 -0700

Zack Whittaker for Zero Day (8 Jun 2018)

Password reset flaw at Internet giant Frontier allowed account takeovers

A two-factor code used to reset an account password could be easily bypassed.

opening text:

A bug in how cable and Internet giant Frontier reset account passwords allowed anyone to take over user accounts.

The vulnerability, found by security researcher Ryan Stevenson, allows a determined attacker to take over an account with just a username or email address. And with a few hours' worth of determination, an attacker can bypass the access code sent during the password reset process.

Why a DNA data breach is much worse than a credit card leak

The Verge

Date: Mon, 11 Jun 2018 10:04:32 -0600

"Facebook gave some companies extended access to user data"

Stephanie Condon

Date: Fri, 08 Jun 2018 20:31:02 -0700

Stephanie Condon for Between the Lines (ZDNet), 8 Jun 2018

Facebook's acknowledgement of these agreements is the latest incident to shed light on the way the company has shared user data in ways users are unlikely to understand.

opening text:

In the latest revelation about Facebook's data-sharing practices, the social media giant acknowledged Friday that it gave certain companies extended, special access to user data in 2015—data that was already off limits to most developers.

Facebook bug made up to 14 million users' posts public for days

WiReD

Date: Thu, 7 Jun 2018 13:39:07 -0700

via NNSquad

Facebook has found itself the subject of another privacy scandal, this time involving privacy settings. A glitch caused up to 14 million Facebook users to have their new posts inadvertently set to public, the company revealed Thursday.

"Private" posts that turned out to be public. Pretty much a worst case scenario.

"Cisco fixes critical bug that exposed networks to hackers"

Zack Whittaker

Date: Fri, 08 Jun 2018 20:21:00 -0700

Zack Whittaker, ZDNet, 7 Jun 2018

The bug had a rare 9.8 out of 10 score on the common vulnerability severity rating scale.

opening text:

A "critical"-rated bug in one of Cisco's network access management devices could have allowed hackers to remotely break into corporate networks.

"Meet Norman, the world's first 'psychopathic' AI"

Charlie Osborne

Date: Fri, 08 Jun 2018 20:34:03 -0700

Charlie Osborne for Between the Lines (ZDNet) 7 Jun 2018

While you see flowers, Norman sees gunfire.

selected text:

Researchers at the Massachusetts Institute of Technology (MIT) have developed what is likely a world first—a "psychopathic" artificial intelligence (AI).

Norman is an AI system trained to perform image captioning, in which deep learning algorithms are used to generate a text description of an image.

However, after plundering the depths of Reddit and a select subreddit dedicated to graphic content brimming with images of death and destruction, Norman's datasets are far from what a standard AI would be exposed to.

The results are disturbing, to say the least.

In one inkblot test, a standard AI saw "a black and white photo of a red and white umbrella," while Norman saw "man gets electrocuted while attempting to cross busy street."

Should We Always Trust What We See in Satellite Images?

Scientific American

Date: Tue, 5 Jun 2018 06:21:03 -0700

The author argues that an "on the ground" confirmation is a wise precaution to verify imagery content. Image processing algorithms can render misleading impressions which affect major decisions.

"One example of the misuse of remotely sensed data was in 2003, when satellite images were used as evidence of sites of weapons of mass destruction in Iraq. These images revealed what were identified as active chemical munitions bunkers and areas where earth had been graded and moved to hide evidence of chemical production. This turned out not to be the case."

"Trust but verify" remains a wise precaution to follow when analyzing satellite imagery.

The NSA Just Released 136 Historical Propaganda Posters

Motherboard

Date: Tue, 12 Jun 2018 13:20:23 -0400

Unproven facial-recognition companies target schools, promising an end to shootings

WashPo

Date: Fri, 08 Jun 2018 06:56:43 -0700

"Although facial recognition remains unproven as a deterrent to school shootings, the specter of classroom violence and companies intensifying marketing to local education officials could cement the more than 130,000 public and private schools nationwide as one of America's premier testing grounds—both for the technology's abilities and for public acceptance of a new generation of mass surveillance."

Mass shootings at schools in the US, while statistically rare compared to other gun-related deaths (suicide, for instance), are horrifying events. A set of companies are pitching facial recognition technology as a bromide and deterrent, though they are coy to explain how their software stacks function or enable deterrence. Exploiting fear and anxiety are long-practiced sales techniques.

The Zip Slip vulnerability: what you need to know

Naked Security

Date: Wed, 6 Jun 2018 20:30:31 PDT

Thanks to SRI's Steven Cheung for spotting this one.

A fun vulnerability that uses zip files to overwrite files

All the people Apple just pissed off to better protect your privacy

Fast Company

Date: Fri, 8 Jun 2018 12:29:03 -0400

When Apple previewed the upcoming iOS 12 and MacOS Mojave at this week's WWDC keynote,

All those features deserved the applause they got from the crowd. But it was other updates—definitely less sexy and headline-grabbing—that set Apple apart from other technology giants. I'm talking about the new privacy features built into both iOS 12 and MacOS Mojave that make it so much harder for other parties to get at your personal information.

Recounting 'Horror Stories' Over Guitar Center's Warranties

NYT

Date: Fri, 8 Jun 2018 13:40:11 -0400

Former employees and customers at the giant music retailer described problems with how it sells protection plans, particularly in Puerto Rico.

Add Bryan Colangelo to the long list who have been burned by social media


Date: Fri, 8 Jun 2018 13:41:23 -0400

Microsoft, Github, & distributed revision control

Medium

Date: Tue, 5 Jun 2018 10:27:01 -0400

Originally posted here:

Microsoft, Github, and distributed revision control

People legitimately criticize Github for creating artificial centralization of open source software & having a dysfunctional internal culture, and for being a for-profit company. Microsoft's acquisition may not make any of these things worse, & won't make them better. But, there's a really specific & practical reason people not already boycotting github have begun to consider it in response to the Microsoft acquisition: Microsoft's history of using deals, acquisitions, & standards committees as anticompetitive tools.

Github was never going to do much of anything beside host your projects, and since hosting your projects is its main business, it's not going to do nasty things like delete them. Microsoft, however, is absolutely willing to do that kind of thing if they decide they can get away with it. History bears this out—some of it recent. Microsoft hasn't been able to do it to the likes of IBM or Netscape since the 90s, but only because their complacency over the PC market has prevented them from being able to successfully branch out into phones or servers; however, they have been happily performing their embrace-extend-exterminate tactic on open source projects for the past fifteen years.

(Note: If Github got as big as Microsoft & had side hustles as profitable, they would do the same thing. This isn't about particular organizations being evil—capitalism forces organizations to act unethically and illegally by punishing those unwilling to break the law.)

People concerned about open source software distribution being centralized under the aegis of unreliable for-profit companies have been boycotting Github & Gitlab for years, and Google Code and Sourceforge before that. They've also been working on alternatives to central repositories.

Named data networking goes beyond simply ensuring that the owner of the hostname is not a for-profit company (liable to throw out your data as soon as they decide that it'll make them money to do so). Instead, DNS as a single point of failure goes away entirely, along with reliance on data centers.

If you're considering migrating away from Github—even if the recent news merely reminded you of problems Github has had for years—take this opportunity to migrate your repository to git-ssb or git-ipfs, instead of moving to another temporary host-tied third party thing like gitlab or bitbucket. Your commits are already identified by hashes, so why not switch to hashes entirely & use an NDN/DHT system? That way, there's no third party that could take down your commits if it goes down. The entire DNS system could die permanently & it wouldn't interrupt your development.

How the body could power pacemakers and other implantable devices

Charles Q. Choi

Date: Mon, 11 Jun 2018 16:54:09 PDT

[From ocean wave motions to lungs! Great idea. PGN]

Charles Q. Choi, *The Washington Post*, 9 Jun 2018

In I Sing the Body Electric, poet Walt Whitman waxed lyrically about the action and power of beautiful, curious, breathing, laughing flesh. More than 150 years later, MIT materials scientist and engineer Canan Dagdeviren and colleagues are giving new meaning to Whitman's poem with a device that can generate electricity from the way it distorts in response to the beating of the heart.

Despite tremendous technological advances, a key drawback of most wearable and implantable devices is their batteries, whose limited capacities restrict their long-term use. The last thing you want to do when a pacemaker runs out of power is to open up a patient just for battery replacement.

The solution may rest inside the human body—rich in energy in its chemical, thermal and forms.

The bellows-like motions that a person makes while breathing, for example, can generate 0.83 watts of power; the heat from a body, up to 4.8 watts; and the motions of the arms, up to 60 watts. That's not nothing when you consider that a pacemaker needs just 50 millionths of a watt to last for seven years, a hearing aid needs a thousandth of a watt for five days, a smartphone requires one watt for five hours.

Increasingly, Dagdeviren and others are investigating a plethora of ways that devices could make use of these inner energy resources and are testing such wearable or implantable devices in animal models and people.

Good vibrations

One energy-harvesting strategy involves converting energy from vibrations, pressure and other mechanical stresses into electrical energy. This approach, producing what is known as piezoelectricity, is often used in loudspeakers and microphones.

To take advantage of piezoelectricity, Dagdeviren and colleagues have developed flat devices that can be stuck onto organs and muscles such as the heart, lungs and diaphragm. Their mechanical properties are similar to whatever they are laminated onto, so they don't hinder those tissues when they move.

So far, such devices have been tested in cows, sheep and pigs, animals with hearts roughly the same size as those of people. “When these devices mechanically distort, they create positive and negative charges, voltage and current—and you can collect this energy to recharge batteries. You can use them to run biomedical devices like cardiac pacemakers instead of changing them every six or seven years when their batteries are depleted.”

Scientists are also developing wearable piezoelectric energy harvesters that can be worn on joints such as the knee or elbow, or in shoes, trousers or underwear. People could generate electricity for electronics whenever they walk or bend their arms.

Body heat

A different energy-harvesting approach uses thermoelectric materials to convert body heat to electricity. “Your heart beats more than 40 million times a year,” Dagdeviren notes. All that energy is dissipated as heat in the body—it's a rich potential source to capture for other uses.

Thermoelectric generators face key challenges. They rely on temperature differences, but people usually keep a fairly constant temperature throughout their bodies, so any temperature differences found within are generally not dramatic enough to generate large amounts of electricity. But this is not a problem if the devices are exposed to relatively cool air in addition to the body's continuous warmth.

Scientists are exploring thermo-electric devices for wearable purposes, such as powering wristwatches. In principle, the heat from a human body can generate enough electricity to power wireless health monitors, cochlear implants and deep-brain stimulators to treat disorders such as Parkinson's disease.

Static and dynamic

Scientists have also sought to use the same effect behind everyday static electricity to power devices. When two different materials repeatedly collide with, or rub against, one another, the surface of one material can steal electrons from the other, accumulating a charge, a phenomenon known as triboelectricity. Nearly all materials, both natural and synthetic, are capable of creating triboelectricity, giving researchers a wide range of choices for designing gadgets.

Nanotechnologist Zhong Lin Wang of Georgia Tech:

“The more I work with triboelectricity, the more exciting it gets, and the more applications it might have. I can see myself devoting the next 20 years to it.”

Having better risk-based analysis for your banks and credit cards

David Strom

Date: Mon, 11 Jun 2018 11:58:20 -0500

David Strom's Web Informant, 11 Jun 2018 [TNX to Gabe Goldberg]

When someone tries to steal money from your bank or credit card accounts, these days it is a lot harder, thanks to a number of technologies. I recently personally had this situation. Someone tried to use my credit card on the other side of Missouri on a Sunday afternoon. Within moments, I got alerts from my bank, along with a toll-free number to call to verify the transactions. In the heat of the moment, I dialed the number and started talking to my bank's customer service representatives. Then it hit me: what if I were being phished? I told the person that I was going to call them back, using the number on the back of my card. Once I did, I found out I was talking to the right people after all, but still you can't be too careful.

This heat-of-the-moment reaction is what the criminals count on, and how they prey on your heightened emotional state. In my case, I was well into my first call before I started thinking more carefully about the situation, so I could understand how phishing attacks can often work, even for experienced people.

To help cut down on these sorts of exploits, banks use a variety of risk-based or adaptive authentication technologies that monitor your transactions constantly, to try to figure out if it really is you doing them or someone else. In my case, the pattern of life didn't fit, even though it was a transaction taking place only a few hundred miles away from where I lived. Those of you who travel internationally probably have come across this situation: if you forget to tell your bank you are traveling, your first purchase in a foreign country may be declined until you call them and authorize it. But now the granularity of what can be caught is much finer, which was good news for me.

These technologies can take several forms: some of them are part of identity management tools or multi-factor authentication tools, others come as part of regular features of cloud access security brokers. They aren't inexpensive, and they take time to implement properly. In a story I wrote last month for CSOonline, I discuss what IT managers need to know to make the right purchasing decision.

In that article, I also talk about these tools and how they have matured over the past few years. As we move more of our online activity to mobiles and social networks, hackers are finding ways of leveraging our identity in new and sneaky ways. One-time passwords that are being sent to our phones can be more readily intercepted, using the knowledge that we broadcast on our social media. And to make matters worse, attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications.

Of course, all the tech in the world doesn't help if your bank can't respond quickly when you uncover some fraudulent activity. Criminals specifically targeted a UK bank that was having issues with switching over its computer systems last month knowing that customers would have a hard time getting through to its customer support call centers. The linked article documents how one customer waited on hold for more than four hours, watching while criminals took thousands of pounds out of his account. Other victims were robbed of five and six-figure sums after falling for phishing

Having better risk-based analysis for your banks and credit cards

Phil Smith III <phsiii@gmail.>

Date: Tue, 12 Jun 2018 15:44:00 -0400

What continues to bug me is that banks don't ask, “Did you call this number from the back of your card?” Those of us who did will say “Of course”, but we aren't the ones to worry about. I've gotten calls from banks asking me about transactions; when I said “I will call you back”, they said “Fine, of course.” But they SHOULD have started the call with “This is TBTF Bank, calling about a questionable transaction on your Visa card. To ensure that this is a legitimate conversation, please call us back at the number on the back of your card.”

Re: Securing Elections

Chris Drewe

Date: Mon, 11 Jun 2018 22:22:41 +0100

This is similar in Britain (not that I'm a constitutional expert). Candidates stand for election in each electoral area, and we vote for which one we want to serve as our Member of Parliament. The winner is the one with most votes—the 'first-past-the-post' system. Usually one of the big parties gets a majority of MPs so forms the government directly, but sometimes (as at the present time) the biggest party needs a support agreement with a smaller party to get a majority. While this may seem like an elected dictatorship, it's obvious who is in charge, and we get the chance to vote them out at the next election.

By contrast, as I understand it, mainland European countries often have a large number of small parties so coalitions are the usual arrangement. The problem here is that much policy-making may be hidden in behind-the-scenes deals between parties, i.e. a party may have to support something that it doesn't want to get something that it does, or vice-versa. This can give unstable governments as in Italy as the original poster said, or the opposite when an election just changes a few of the elected representatives and everything continues as before. The EU seems to be based on the European model, with a large bureaucracy notionally governed by a small, unfocused elected assembly, which may account for the fractious relationship between the UK and the EU; indeed, a cynic such as myself may feel that the aim is to create the impression of democracy rather than giving power to voters.

As British MPs are elected regionally, there's no direct correlation between the total number of votes gained by parties and the numbers of their MPs, so there are periodic campaigns to adopt some kind of proportional representation system, though this brings various other problems. A bigger problem is potential voter-identity fraud, a frequent topic in RISKS. There's talk of requiring voters to show some proof of identity at polling stations, but what, as there's no particular official UK identity document?