RISKS Digest 30.65

Saturday 14 April 2018

Half of European flights delayed due to system failure

BBC <>

Date: Tue, 03 Apr 2018 20:27:26 -0400

The unspecified problem was with the Enhanced Tactical Flow Management System, which helps to manage air traffic by comparing demand and capacity of different air traffic control sectors.

It manages up to 36,000 flights a day. Some 29,500 were scheduled on Tuesday when the fault occurred.

When the system failed, Eurocontrol's contingency plan for a failure in the system deliberately reduced the capacity of the entire European network by 10%. It also added what it calls "predetermined departure intervals" at major airports.

Atlanta Airport Shuts Down Wi-Fi Following Cyber Attack on City

Conde-Nast <>

Date: Thu, 5 Apr 2018 08:07:49 -0400

Bridges and privacy

Gizmodo <>

Date: Tue, 03 Apr 2018 00:40:20 -0400

Here's an article about a city about to install a pedestrian bridge built with a new technique. The article doesn't mention the collapse of a pedestrian bridge with a new design which collapsed in Florida just a few weeks ago.

But of more interest to this RISKS group is the fact that they'll be installing a "series of smart sensors [...] so the bridge will actually know how many people are walking on it and how quickly they're moving." I wonder if this could be a privacy concern, especially since it's being built in "the largest and best-known red-light district in Amsterdam."

Chinese man caught by facial recognition at pop concert

BBC <>

Date: Sat, 14 Apr 2018 18:08:37 +0800


"Chinese police have used facial recognition technology to locate and arrest a man who was among a crowd of 60,000 concert goers." "China has a huge surveillance network of over 170 million CCTV cameras."

1 - (1/60000) ~= 0.999983; an impressive match rate given historically published facial recognition achievement. CIA's World Fact Book states, as of 2017, PRC population @ ~1.38B folks. 1.38 B people / 170 M cameras ~= 8.1 people/camera surveillance density!

Is Science Hitting a Wall?

Scientific American <>

Date: April 7, 2018 at 5:20:24 PM EDT

Economists show that increased research efforts are yielding decreasing returns.

Once again, I'm brooding over science's limits. I recently posted Q&As with three physicists with strong opinions on the topic—David Deutsch, Marcelo Gleiser and Martin Rees—as well as this column: Is Science Infinite? Then, in March I attended a two-day brainstorming session—which I'll call The Session—with 20 or so science-y folks over whether science is slowing down and what we can do about it.

The Session was inspired in part by research suggesting that scientific progress is stagnating. In Are Ideas Getting Harder to Find?, four economists claim that "a wide range of evidence from various industries, products, and firms show[s] that research effort is rising substantially while research productivity is declining sharply." The economists are Nicholas Bloom, Charles Jones and Michael Webb, all from Stanford, and John Van Reenen of MIT.

As a counter-intuitive example, they cite Moore's Law, noting that the "number of researchers required today to achieve the famous doubling every two years of the density of computer chips is more than 18 times larger than the number required in the early 1970s." The researchers found similar trends in research related to agriculture and medicine. More and more research on cancer and other illnesses has produced fewer and fewer lives saved....

Prescribing error in EHR results in death of man

Healthcare IT <>

Date: Thu, 5 Apr 2018 22:36:41 -0700

Elon Musk: Do you trust this computer?

Ed DeWath <>

Date: April 7, 2018 at 1:19:27 PM EDT

[via Dave Farber]

[Note: This item comes from friend Ed DeWath. Again, the window to view this video on YouTube is just this weekend. Have at it! DLH]

Elon Musk, YouTube, 6 Apr 2018 Do you trust this computer?

Elon Musk—who believes artificial intelligence could help trigger the next world war—has issued another severe warning about how super-intelligent machines could come to dominate the world. Those super computers could become "an immortal dictator from which we would never escape," Musk passionately warns in the new documentary "Do You Trust This Computer?"

In the documentary, directed by Chris Paine (the man behind 2006's "Who Killed The Electric Car?"), Musk joins a growing chorus of experts warning that intelligent machines are already fundamentally changing our society by amassing personal data, advancing science and medicine and beginning to create new forms of super intelligence.

Musk paid for "Do You Trust This Computer" to be streamed free on YouTube over the weekend.

Elon Musk: Do you trust this computer?

Grady Booch <>

Date: April 7, 2018 at 2:34:31 PM EDT

[Follow-up in Dave Farber's IP list]

I followed Elon's thread in Twitter, and had an extended dialog with some there after.

Here is partly what I had to say:

While well-produced, it is indeed rather alarmist (and offers little balance as to the good therein); it also muddles the role of AI (many of the moments in the documentary could be said of non-AI software-intensive systems). Furthermore it radically ignores history (one gets the impression that AI began in Silicon Valley with Google/Facebook/etc.) and finally, while it hammers the emotional elements, it offers nothing actionable for the viewer.

"Flaw exposes cities' emergency alert sirens to hackers"

ZDNet <>

Date: Tue, 10 Apr 2018 10:17:07 -0700

Zack Whittaker for Zero Day, Apr 10, 2018 San Francisco—and other cities and campuses—had hackable radio-controlled sirens.

"How safe is your air-gapped PC? Attackers can now suck data out via power lines"

Liam Tung <>

Date: Thu, 12 Apr 2018 09:50:48 -0700

Liam Tung, ZDNet, 12 Apr 2018 You'll now need to monitor the power cables connecting to isolated computers holding sensitive information.

selected text:

Researchers from Israel's Ben Gurion University of the Negev have shown once again that air-gapped PCs are not safe from a determined and patient attacker.

Techniques they've proven work include a drone-assisted attack on a computer's flashing LEDs, using a CPU's low-frequency magnetic radiation to leak data through a Faraday cage, and attacking the very CCTV cameras used to monitor air-gapped computers.

[Another bonus risk in a risk with the CCTV cameras being subverted.]

DHS finds suspected phone spying in Washington

ABC News <>

Date: Tue, 3 Apr 2018 11:10:45 -0700

[DUH!] via NNSquad

For the first time, the U.S. government has publicly acknowledged the existence in Washington of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages. The use of such cellphone-site simulators by foreign powers has long been a concern, but American intelligence and law enforcement agencies—which use such eavesdropping equipment themselves—have been silent on the issue until now.

"Windows security: Microsoft patch for Outlook password leak bug 'not a full fix'"

Liam Tung <>

Date: Wed, 11 Apr 2018 09:40:28 -0700

Liam Tung, ZDNet, 11 Apr 2018 Attackers can make Outlook leak password hashes just by previewing an RTF-formatted email.

selected text:

Microsoft has fixed an important Outlook bug it's known about for over a year, capable of leaking password hashes when users preview a Rich Text Format (RTF) email with remotely hosted OLE objects.

However, Dormann notes that Microsoft's fix for the vulnerability CVE-2018-0950 doesn't prevent all remote SMB attacks.

Microsoft is of the view that this bug is "more likely" to be exploited now that it's known.

[Really? (Did the Microsoft spokesperson think about the matter before stating this last bit?)]

The biggest Black Lives Matter page on Facebook is fake

CNN <>

Date: Mon, 9 Apr 2018 15:28:51 -0700

The page, titled simply "Black Lives Matter," had almost 700,000 followers on Facebook, more than twice as many as the official Black Lives Matter page. It was tied to online fundraisers that brought in at least $100,000 that supposedly went to Black Lives Matter causes in the U.S. At least some of the money, however, was transferred to Australian bank accounts, CNN has learned. Fundraising campaigns associated with the Facebook page were suspended by PayPal and Patreon after CNN contacted each of the companies for comment. Donorbox and Classy had already removed the campaigns. The discovery raises new questions about the integrity of Facebook's platform and the content hosted there.

Fox News accidentally puts up a poll graphic that shows how they are the least trusted network

BoingBoing <>

Date: Mon, 9 Apr 2018 15:52:04 -0700

[Oops!] via NNSquad

When host Howard Kurtz asked for a poll to be put up on the screen that asks if the media reports fake news, viewers got a look at the wrong poll - one put out by Monmouth University that asks people which network they trust more, CNN, MSNBC, or Fox News. Not surprising but a knee-slapper nonetheless, the graphic for the poll showed that people trusted CNN most, at 48%, followed by MSNBC at 45%. Fox came in last place with a mere 30% of those polled thinking that the network was trustworthy. Kurtz quickly said, "This is not the graphic we're looking for - hold off. Take that down please!"

"On Facebook, Zuckerberg gets privacy and you get nothing"

Zack Whittaker <>

Date: Wed, 11 Apr 2018 10:08:06 -0700

[Not that this is a surprise, but.]

Zack Whittaker for Zero Day, 10 Apr 2018 Opinion: Facebook's way of showing how little it cares about its users' privacy is by doing something only when it gets caught.

Facebook just can't catch a break—not that many think it should.

BuzzFeed described it best: Facebook has a "two-tier privacy system" that favors its leaders and executives.

The rest of us can, in other words, go to hell.

What's clear is that there's a trend of Facebook and its executives distancing themselves from facing up to their users and taking responsibility for their mistakes. Facebook isn't even trying to get ahead of the story—or stories, as the scandal keeps getting bigger—and only acts when it's caught with its hand in the cookie jar. And, even then, the company is only slapping a Band-Aid on to save face amid pressure from governments and shareholders—the only two things that Facebook is vulnerable to.

What better way to show how little the company cares about its users' privacy than by acting only when it gets caught.

Facebook exec: If you want privacy, expect to pay for it

NYPost <>

Date: Sat, 7 Apr 2018 00:01:08 -0700


Want privacy on Facebook? Cough up some cash. The social-media site plans to extort users who want to keep their personal data away from advertisers —by demanding they pay for the privilege, the company's second in command, Sheryl Sandberg, revealed on Friday.

I've got a better idea. Get the hell off of Facebook! "Seriously, It's Time to Ditch Facebook and Give Google+ a Try"

Facebook Suspends Another Data Analytics Firm As Scandal Widens

NPR <>

Date: Mon, 9 Apr 2018 11:40:21 -0700

via NNSquad

As the Facebook scandal over Cambridge Analytica's misuse of the personal data of millions of users continues to unfold, Facebook is suspending another data analytics firm over similar allegations. According to reporting by CNBC, Cubeyou collected data from Facebook users through personality quizzes "for non-profit academic research" developed with Cambridge University—then sold the data to advertisers.

Cambridge Analytica Could Also Access Private Facebook Messages

WiReD <>

Date: Tue, 10 Apr 2018 09:55:22 -0700

[Worse and worse] via NNSquad

The Data Consulting firm Cambridge Analytica, which harvested as many as 87 million Facebook users' personal data, also could have accessed the private inbox messages of some of those affected. Facebook slipped this previously undisclosed detail into the notifications that began appearing at the top of News Feeds on Monday. These alerts let users know whether they or their friends had downloaded a personality quiz app called This Is Your Digital Life, which would have caused their data to be collected and passed on to Cambridge Analytica. Facebook buried the disclosure in the details about what information was compromised: "A small number of people who logged into 'This Is Your Digital Life' also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you."

Protecting Democracy Using Firewalls

Mark Rockman <>

Date: Sun, 8 Apr 2018 20:37:02 -0400

In the United States federal elections are managed separately by the 50 states. Protections from hacking into voter registration rolls are left in the hands of state legislatures and understaffed IT departments. The state legislatures provide just enough money to get the elections done. They don't provide for upgrading equipment and software to keep hackers out. They don't provide guidelines on configuration. They don't advise people to change their passwords frequently nor enforce such policy nor advise rightful end users not to reply to an e-mail or phone call with a password. And how about rules against running operating systems that don't get regular patches to plug holes called "vulnerabilities." There are appliances that can be stationed between a LAN and the Internet that are very effective, if properly configured, in keeping the Russians out. SSLs and VPNs are very handy. News reports make hacking sound as if it is the inevitable result of using high technology when the problem is really with ignorance and technophobia on the part of election managers and pennywise-pound-foolish state legislatures.

A New AI "Journalist" Is Rewriting the News to Remove Bias

Kristin Houser <>

Date: April 8, 2018 at 8:15:36 AM EDT

[Note: This item comes from friend Robert Berger. DLH]

Kristin Houser, Futurism, 6 Apr 2018

Want your news delivered with the icy indifference of a literal robot? You might want to bookmark the newly launched site Knowhere News. Knowhere is a startup that combines machine learning technologies and human journalists to deliver the facts on popular news stories.

Here's how it works. First, the site's artificial intelligence (AI) chooses a story based on what's popular on the Internet right now. Once it picks a topic, it looks at more than a thousand news sources to gather details. Left-leaning sites, right-leaning sites—the AI looks at them all.

Then, the AI writes its own *impartial* version of the story based on what it finds (sometimes in as little as 60 seconds). This take on the news contains the most basic facts, with the AI striving to remove any potential bias. The AI also takes into account the trustworthiness of each source, something Knowhere's co-founders preemptively determined. This ensures a site with a stellar reputation for accuracy isn't overshadowed by one that plays a little fast and loose with the facts.

For some of the more political stories, the AI produces two additional versions labeled Left and Right. Those skew pretty much exactly how you'd expect from their headlines:

* Impartial: U.S. to add citizenship question to 2020 census
* Left: California sues Trump administration over census citizenship question
* Right: Liberals object to inclusion of citizenship question on 2020 census

Some controversial but not necessarily political stories receive Positive and Negative spins:

* Impartial: Facebook scans things you send on messenger, Mark Zuckerberg admits
* Positive: Facebook reveals that it scans Messenger for inappropriate content
* Negative: Facebook admits to spying on Messenger, scanning private images and links

Even the images used with the stories occasionally reflect the content's bias. The Positive Facebook story features CEO Mark Zuckerberg grinning, while the Negative one has him looking like his dog just died.

Knowhere's AI isn't putting journalists out of work, either.

Editor-in-chief and co-founder Nathaniel Barling told Motherboard that a pair of human editors review every story. This ensures you feel like you're reading something written by an actual journalist, and not a Twitter chatbot. Those edits are then fed back into the AI, helping it improve over time. Barling himself then approves each story before it goes live. "The buck stops with me," he told Motherboard.

This human element could be the tech's major flaw. As we've seen with other AIs, they tend to take on the biases of their creators, so Barling and his editors will need to be as impartial as humanly possible—literally—to ensure the AI retains its impartiality.

People must retain control of autonomous vehicles

Nature <>

Date: Fri, 6 Apr 2018 08:35:39 -0700


Policymakers need to work more closely with academics and manufacturers to design appropriate regulations. This is extremely challenging because the research cuts across many disciplines. Here, we highlight two areas—liability and safety—that require urgent attention.

Waze's crazy routing over a 32% grade road

Gabe Goldberg <>

Date: Sat, 7 Apr 2018 11:47:13 -0400

It's a common story of small towns and residents living on once-quiet streets are sometimes annoyed by the influx of traffic that Waze, traffic way-finding apps, and

Relevant Comic?

Freefall <>

Date: Tue, 03 Apr 2018 14:12:54 -0700

Scotty and La Forge never had this problem: What a tangled Web we weave.

"LG's 'Software Upgrade Center' feels slightly too familiar"

J.R. Raphael <>

Date: Fri, 13 Apr 2018 10:09:10 -0700

JR Raphael, Computerworld. 12 Apr 2018 How many times can a company cry wolf before we all stop listening?

selected text:

By my calculations, seeing this morning's news that LG is opening up a "Software Upgrade Center"—the industry's "first such facility aimed at providing customers worldwide with faster, timelier smartphone operating system and software updates" (!)—could result in three distinct reactions.

First is the woefully uninformed, overly positive reception—the one LG clearly hopes to elicit with its over-the-top press release: "Whoa! Look at LG! It's breaking new ground and showing just how committed to customers it really is."

Second is the guardedly optimistic view: "Look, I know LG has never been the best with Android upgrades, but it always tries. Maybe this will be a new beginning. Maybe things are about to get great!"

And third is the seriously skeptical view: "Riiiiight. LG always talks a good game with Android upgrades, but it never actually delivers. Looks like more of the same ol' silliness we see every year."

Me? As someone who's tracked and analyzed Android upgrades closely since the start, I tend to veer more toward that final view of skepticism.

As a certain smart-alecky writer once put it, the company truly does excel at one thing in this domain: being the first to announce a new OS rollout. ["announce" was in italics.]

Richest 1% on target to own two-thirds of all wealth by 2030

Michael Savage <>

Date: Sat, Apr 7, 2018 at 3:42 PM

[Note: This item comes from friend Robert Berger. DLH]

Michael Savage, *The Guardian*, 7 Apr 2018 World leaders urged to act as anger over inequality reaches a 'tipping point'

The world's richest 1% are on course to control as much as two-thirds of the world's wealth by 2030, according to a shocking analysis that has led to a cross-party call for action.

World leaders are being warned that the continued accumulation of wealth at the top will fuel growing distrust and anger over the coming decade unless action is taken to restore the balance.

An alarming projection produced by the House of Commons library suggests that if trends seen since the 2008 financial crash were to continue, then the top 1% will hold 64% of the world's wealth by 2030. Even taking the financial crash into account, and measuring their assets over a longer period, they would still hold more than half of all wealth.

Since 2008, the wealth of the richest 1% has been growing at an average of 6% a year—much faster than the 3% growth in wealth of the remaining 99% of the world's population. Should that continue, the top 1% would hold wealth equating to $305 trillion—up from $140 trillion today.

Analysts suggest wealth has become concentrated at the top because of recent income inequality, higher rates of saving among the wealthy, and the accumulation of assets. The wealthy also invested a large amount of equity in businesses, stocks and other financial assets, which have handed them disproportionate benefits.

New polling by Opinium suggests that voters perceive a major problem with the influence exerted by the very wealthy. Asked to select a group that would have the most power in 2030, most (34%) said the super-rich, while 28% opted for national governments. In a sign of falling levels of trust, those surveyed said they feared the consequences of wealth inequality would be rising levels of corruption (41%) or the "super-rich enjoying unfair influence on government policy" (43%).

The research was commissioned by Liam Byrne, the former Labour cabinet minister, as part of a gathering of MPs, academics, business leaders, trade unions and civil society leaders focused on addressing the problem.

The actor Michael Sheen, who has opted to scale back his Hollywood career to campaign against high-interest credit providers, was among those supporting the calls.

The hope is to create pressure for global action when leaders of the G20 group of nations gather for a summit in Buenos Aires in November. Byrne, who organised the first OECD global parliamentary conference on inclusive growth, said he believed global inequality was "now at a tipping point".

"If we don't take steps to rewrite the rules of how our economies work, then we condemn ourselves to a future that remains unequal for good. That's morally bad, and economically disastrous, risking a new explosion in instability, corruption and poverty."

In a sign of the concern about the accumulation of wealth in the hands of so few, the move has gained support from across the political divide.

George Freeman, the Tory MP and former head of the prime minister's policy board, said: "While mankind has never seen such income inequality, it is also true that mankind has never experienced such rapid increases in living standards. Around the world billions of people are being lifted out of poverty at a pace never seen before. But the extraordinary concentration of global wealth today—fueled by the pace of technological innovation and globalisation—poses serious challenges.

"If the system of capitalist liberal democracy which has triumphed in the west is to pass the big test of globalisation—and the assault from radical Islam as well as its own internal pressures from post-crash austerity—we need some new thinking on ways to widen opportunity, share ownership and philanthropy. Fast."

Demands for action from the group include improving productivity to ensure wages rise and reform of capital markets to promote greater equality. [...]

The dots do matter: how to scam a Gmail user

James H Fisher <>

Date: Sat, 7 Apr 2018 18:40:51 -0700


Where is the security flaw here? Some would say it's Netflix's fault; that Netflix should verify the email address on sign up. But using someone else's address on signup only cedes control of the account to that person. Others would say that Netflix should disallow the registration of, but this would force Netflix and every other website to have insider knowledge of Gmail's canonicalization algorithm. Actually, the blame lies with Gmail, and specifically Gmail's "dots don't matter" feature. The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set.

This has been a problem with Gmail for ages. Even if you are not scammed by crooks exploiting this, it can be a vector for yet more spam, not all of which Gmail will detect. Gmail users have long needed a way to control this feature, and to specify precisely which dotted forms should be considered as their valid Gmail addresses.
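The canonicalization the item refers to, worked as an added example (not code from the original post or from Gmail): it assumes Gmail ignores dots in the local part, treats it case-insensitively, delivers "+tag" suffixes to the base mailbox, and treats googlemail.com as gmail.com; all addresses below are constructed. It goes slightly beyond the post by counting the dotted spellings that reach one inbox and by showing the registration-time collision check a site would need if it took on Gmail's rule itself.

```python
"""Gmail "dots don't matter" canonicalization, as an illustration of the
RISKS item above. Assumed rules (not verified against Gmail's own code):
dots in the local part are ignored, case is ignored, a "+tag" suffix is
delivered to the base mailbox, and googlemail.com is an alias of gmail.com.
"""

import re

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return the one mailbox Gmail would deliver `address` to.

    Non-Gmail domains are only lower-cased, because other providers do not
    share this rule: that is exactly why the post says a site cannot simply
    apply Gmail's canonicalization to every address it sees.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    if domain not in GMAIL_DOMAINS:
        return f"{local}@{domain}"
    local = local.split("+", 1)[0]   # "+tag" aliases reach the base mailbox
    local = local.replace(".", "")   # dots are ignored by Gmail
    if not re.fullmatch(r"[a-z0-9]+", local):
        raise ValueError(f"unexpected characters in Gmail local part: {local!r}")
    return f"{local}@gmail.com"


def same_mailbox(a: str, b: str) -> bool:
    """True when two spellings are delivered to the same Gmail inbox."""
    return canonical_gmail(a) == canonical_gmail(b)


def dotted_variant_count(address: str) -> int:
    """Number of distinct dotted spellings that reach one Gmail inbox.

    A dot may or may not sit in each of the n-1 gaps between the n characters
    of the canonical local part, so there are 2**(n-1) spellings: the post's
    "address set" is large but finite.
    """
    local = canonical_gmail(address).split("@")[0]
    return 2 ** (len(local) - 1)


def find_aliased_signups(existing: list[str], new: str) -> list[str]:
    """Registration-time check a site could run (hypothetical helper): which
    already-registered addresses would Gmail route to the same inbox as `new`?
    Returns them in their original order so the site can flag the collision.
    """
    target = canonical_gmail(new)
    return [e for e in existing if canonical_gmail(e) == target]


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the post.
    print(same_mailbox("alice.smith@gmail.com", "alicesmith@gmail.com"))
    print(dotted_variant_count("alicesmith@gmail.com"))
    print(find_aliased_signups(
        ["bob@example.com", "alicesmith@gmail.com", "al.ice.smith@gmail.com"],
        "a.licesmith+netflix@gmail.com"))
```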

"A bad day with mobile 2FA"

Evan Schuman <>

Date: Mon, 09 Apr 2018 10:45:47 -0700

Evan Schuman, Computerworld, 9 Apr 2018 Texting confirmation numbers is a very weak link; texting them to my landline is just dumb. The Zen of Mobile

selected text:

One of my favorites—a small and little-known site—asked for my login and password. I complied, and it then escalated to 2FA. It didn't give me any options about the second factor (which is mobile 2FA problem number one) and insisted on texting me a confirmation number.

I waited but nothing arrived. So I asked it to do it again and again. Nothing. That's when I realized that the site was likely trying to text my landline. And that is mobile 2FA problem number two: If you're asking for my phone number so that you can text me sometime down the road, tell me that, and I'll give you my cellphone number. Otherwise, you'll get the number I most often answer, my landline, and it will do you no good when it's really needed.

And this is where problem number one bumps up against problem number two: If texting doesn't work, users need another option, at the very least a support number to call.

But wait, there's more. I next tried to post to Google Plus. Thoughts of my recent 2FA problem flitted through my head, but I thought to myself, fear not, Google uses an excellent 2FA that doesn't rely on texting confirmation numbers. It knows that process is far too susceptible to man-in-the-middle attacks. No, for Google, I have a trusty USB fob. And when I tried logging in, it insisted on the fob. But it was just not my 2FA day; when the fob was inserted, nothing happened.

And that's when I learned that I was giving Google too much credit for being security-conscious. When Google couldn't see the fob, it just defaulted to a texted confirmation number. (It turned out that a laptop reboot made the invisible USB device visible again.)

Companies need to have a human-managed backup to security so that legitimate users aren't locked out with no way back in. If you can't justify a call center, then at least have an email address pop up—and make sure that inbox is watched aggressively.

2FA is a great idea, but companies need to think through these issues better. For starters, if you want a mobile phone number, just say so.