
RISKS Digest 30.53

Thursday 18 January 2018

Are Implanted Medical Devices Creating A 'Danger Within Us'?

NPR via Richard M Stein <rmstein@ieee.org>

Date: Thu, 18 Jan 2018 11:07:56 +0800

https://www.npr.org/2018/01/17/578562873/are-implanted-medical-devices-creating-a-danger-within-us

LENZER: "So I went back to the FDA certain the company was going to get slammed. I mean, here it is. Here's a device on the market over a decade after it was approved, and yet, they'd never done a study looking at deaths, nor would they release the death data. And when I brought all this to the FDA, the FDA said, it's safe. And I said, how can you say it's safe when we don't have death data? And their answer—and I have it in writing—is we never asked the company to count the number of deaths. We only asked them to characterize death."

This NPR interview reveals many worrisome issues, including corporate control fraud and an apparent failure to incorporate lessons learned for public safety benefit. Worth a read for anyone who has an implantable device, is contemplating implantation, or knows someone who has one. Given the "free market" regulatory structure for implantables—in the US at least—there is little cause for manufacturers to be concerned about selling 'high risk' devices which induce fatalities. Caveat emptor.

"DAVIES: You know, most of us ordinary patients in the world aren't going to do research about medical devices, right? We're going to trust doctors to know what works and what is safe. Broadly speaking, should we?

LENZER: "This is a terrific problem. I mean, I have a medical device implanted. I'm very happy with it, but I got to confess. I didn't research it because the truth is we are dependent on the research that comes out of these companies. And that's where I wanted to alert the public that we need to make some structural changes so that we can trust these devices. As you said, we can't individually research them because we don't have the capability to do it. Even if we read the studies that are released, we don't know that we can trust them.

"And I'll give you two examples of just how difficult the situation is. One of the people I talk about in the book is a man who was harmed by a hip implant. Well, it turns out that man is also an orthopedic surgeon who specializes in hip replacements, and yet he landed up being poisoned by his hip implant from cobalt that leaked out of the hip and destroyed his muscles and tissues and even caused some degree of heart damage.

"Another example is a Medtronic executive that I report on who had a Medtronic device implanted in her spine and suffered just terribly disabling and painful effects from that device. So even people who are insiders and who should know don't really know."

The FDA's MAUDE (Manufacturer and User Facility Device Experience) Database apparently documents only 1% of historical events attributed to implantable device incidence.

Russia admits $45m satellite launch failed because programmers put in co-ordinates for the WRONG launch site

Daily Mail <geoff@iconia.com>

Date: Wed, 27 Dec 2017 11:57:04 -1000

http://www.dailymail.co.uk/sciencetech/article-5215871/Russia-says-satellite-launch-failure-programming-error.html

Phoenix Pay System Disaster Continues

John C. Bauer <johncbauer.xx@gmail.com>

Date: Tue, 02 Jan 2018 17:12:17 -0500

The problems with the Canadian federal government's Phoenix pay system are continuing apace.

The system is outlined and its problems were originally noted at:

http://catless.ncl.ac.uk/Risks/29/76#subj10.1

Things have gotten worse since the September 2016 post. The system now contains 589,000 unresolved pay problems with an average resolution time of three months. The number of problems is up from a previous number of 520,000. Evidently half of all payments issued are incorrect.

The estimated cost of "fixing" the system is now at $600M, up from an estimate of $25M in August of 2016, and still rising.

http://nationalpost.com/opinion/john-ivison-the-phoenix-fiasco-isnt-shocking-government-is-just-not-very-good-at-doing-things

Perhaps it is time to change "too big to fail" to "big enough to guarantee failure". On the other hand the wholesale condemnation of government in the above article containing the facts quoted can be seen as being over the top.

[The Phoenix was known to rise from its ashes. One wonders whether the name was chosen wisely or serendipitously. PGN]

Ernst & Young report on Vancouver Island iHealth project mismanagement

Kelly Bert Manning <Kelly.Manning@ncf.ca>

Date: Sat, 13 Jan 2018 13:25:57 -0500 (EST)

A new Ernst & Young report has been prepared about the failed iHealth Electronic Records project at Nanaimo General Hospital. Direction of the project has been taken away from the Hospital and rollout to other Hospitals on Vancouver Island has been suspended until existing problems are fixed, if possible.

http://www.timescolonist.com/news/local/nanaimo-electronic-health-records-mismanaged-report-says-1.23143541
https://news.gov.bc.ca/releases/2018HLTH0003-000038
https://vancouverisland.ctvnews.ca/nanaimo-electronic-health-records-system-over-budget-mismanaged-report-1.3757733

"It confirmed that it wasn't only a small group of physicians, but the majority of healthcare workers who were concerned about the technology. It also showed those feelings haven't changed since a 2016 independent report by Dr. Doug Cochrane, who identified potential for errors, decreased productivity and other problems with the system."

"The report found less than half of staff and physicians surveyed agreed it would be possible to work collaboratively to make IHealth a success"

One innovation to be implemented is that staff who report problems with iHealth should no longer expect workplace reprisals. The earlier Cochrane report identified a "blame the user" response to problem reports as a root cause of failure to address the issues.

http://ihealth.islandhealth.ca/the-cochrane-report/

A report from the Vector Group had identified Nanaimo General as having a "toxic" top-down bullying culture. That may have played a role in the iHealth project getting it so wrong and failing to correct problems reported by users.

https://vancouverisland.ctvnews.ca/toxic-culture-of-fear-bullying-tearing-apart-nanaimo-hospital-report-1.3670885
https://www.cheknews.ca/culture-report-says-nanaimo-hospital-is-leading-to-self-destruction-385673/

One man had to have heart surgery after notes about an infection were not visible to Physicians. He was sent home with an inappropriate prescription and readmitted when his heart problem became more grave.

A similar electronic Health Record project in the Vancouver Coastal Health Authority is also over budget, behind schedule and nowhere near as effective as expected.

http://vancouversun.com/news/politics/more-delays-cost-overruns-hit-vancouver-electronic-health-project

A common assumption failure in these projects, and in the Federal Government's failed Phoenix system, is that improved efficiency would quickly be realised. That led to an assumption that all 3 projects could be funded out of operational budgets, because of the assumed payback. It also led to a rush to roll out flawed systems, to realise the anticipated "savings". Instead the systems require more staff time than the previous applications they were supposed to replace, have gone far over budget, and show no hope of realising operational savings by making staff more efficient. They also have operational errors and user interface issues.

It reminds me of the repeating mistake of assuming that Data Base Systems would be less expensive to operate than the sorted Master File Systems they replaced. Systems Analysts had a hard time understanding the difference between a sequential tape or disk file read and a non-sequential Data Base record retrieval. In some cases they justified DB projects by a proposal to "eliminate the operational cost of sorting". My experience with CODASYL, Hierarchical, and Relational DBs is that Sorting is often a method of reducing the overhead of Direct Access I/O.

With both Phoenix and the Electronic Patient Records systems the current BC and Canadian Federal governments are dealing with the legacy of projects initiated under previous Right Wing Administrations.

There are echoes of the project management failures of the various attempts to develop a Case Management System for the FBI in the USA.

https://www.computer.org/cms/Computer.org/ComputingNow/homepage/2012/0712/rW_CO_WhytheFBI.pdf

https://spectrum.ieee.org/riskfactor/computing/it/fbis-500-million-sentinel-case-management-system-still-has-major-operational-kinks-ig-reports
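The sorting point in the item above (that a sorted batch turns scattered direct-access retrievals into a few block reads) can be made concrete with a small simulation. This is an added example, not code from the contributor or from any of the systems named; the master file size, block size, transaction batch and the one-block cache are all constructed assumptions.

```python
"""Added example: counts simulated block reads for three ways of applying a
batch of keyed transactions to a master file stored in key order. Everything
here is constructed: a master file of MASTER_RECORDS records, BLOCK_SIZE
records per block, and a device that remembers only the block it last read."""
import random

BLOCK_SIZE = 8            # records per block (constructed)
MASTER_RECORDS = 10_000   # record i has key i, so block = key // BLOCK_SIZE
N_BLOCKS = (MASTER_RECORDS + BLOCK_SIZE - 1) // BLOCK_SIZE


def block_of(key):
    """The 'index' of a direct-access file: maps a key straight to its block."""
    return key // BLOCK_SIZE


class BlockDevice:
    """Counts physical block reads; a single cached block models the block a
    reader already holds, so repeated reads of the same block are free."""
    def __init__(self):
        self.reads = 0
        self._cached = None

    def read_block(self, blk):
        if blk != self._cached:
            self.reads += 1
            self._cached = blk


def direct_access(txn_keys):
    """Transactions applied in arrival order: the index gives the block, but
    each transaction normally lands on a different block, so one read each."""
    dev = BlockDevice()
    for k in txn_keys:
        dev.read_block(block_of(k))
    return dev.reads


def sorted_direct_access(txn_keys):
    """Same direct-access retrieval, but the batch is sorted first, so every
    block is read once no matter how many transactions fall in it."""
    return direct_access(sorted(txn_keys))


def sequential_merge(txn_keys):
    """Classic sorted-master / sorted-transaction merge: sweep every master
    block once and apply the transactions that belong to it as they come."""
    dev = BlockDevice()
    txns = sorted(txn_keys)
    i = 0
    for blk in range(N_BLOCKS):
        dev.read_block(blk)
        while i < len(txns) and block_of(txns[i]) == blk:
            i += 1          # transaction applied to the block in hand
    return dev.reads


def compare(n_txns, seed=1):
    """Block reads for a constructed batch of n_txns random keys."""
    rng = random.Random(seed)
    txns = [rng.randrange(MASTER_RECORDS) for _ in range(n_txns)]
    return {
        "random_order": direct_access(txns),
        "sorted": sorted_direct_access(txns),
        "sequential_merge": sequential_merge(txns),
    }


if __name__ == "__main__":
    for n in (50, 2000, 20000):
        print(n, compare(n))
```

The sequential merge always costs the same 1,250 block reads whatever the batch size, unsorted direct access costs about one read per transaction, and sorting the batch first collapses that to the number of distinct blocks touched. Which strategy is cheapest therefore depends on batch size, which is the comparison the "eliminate the operational cost of sorting" argument left out.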

Erie, PA household electric bill for US$ 284B

WashPo <rmstein@ieee.org>

Date: Wed, 27 Dec 2017 16:51:35 +0800

https://www.washingtonpost.com/news/business/wp/2017/12/26/woman-gets-284-billion-electric-bill-wonders-whether-its-her-christmas-lights/

I'm shocked, shocked to learn this brand outrage incident occurred from a production defect escape into our maze of technology traps. Must be a feature. At least First Energy cops to the fault. This incident would make a good April Fools risks contribution, if the event wasn't true. It should qualify for "Ripley's Believe It or Not" as the most erroneous bill amount ever submitted to a consumer. Good thing First Energy uses 64-bit arithmetic to totalize their bills. [RMS]

[Also noted by Bernhard Riedel: $284.46 electricity bill turns into $284,460,000,000. http://www.bbc.com/news/world-us-canada-42489666 PGN]

Programming error results in too many winning lottery tickets

The State via Steve Golson <sgolson@trilobyte.com>

Date: Thu, 28 Dec 2017 12:40:26 -0500

http://www.thestate.com/news/local/article191818114.html

Excitement and joy turned to anger and frustration Wednesday as dozens of people expecting to collect lottery winnings instead left the South Carolina Education Lottery offices empty handed.

State lottery officials say a *programming error* with the lottery's computer vendor, Intralot, affected the Holiday Cash Add-A-Play tickets on Christmas Day.

From 5:51 p.m. to 7:53 p.m. Monday, the same play symbol was repeated in all nine available play areas on tickets, which would result in a top prize of $500, officials have said. No more than five identical play symbols should appear for a single play.

There was no word Wednesday on how many winning tickets were generated, or whether those with winning tickets would collect any prize money. The South Carolina Education Lottery is telling players who purchased Add-A-Play tickets on Christmas Day during the affected time period to hold on to their tickets until a review is completed.

I wonder how many programming errors have led to *fewer* than expected winning tickets? Who would notice?

And it's rather ironic that this is the Education Lottery!
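The two failure modes in this item (tickets violating the stated rule, and Golson's quieter case of too few winners) are the kind of thing an output monitor catches. The following is an added example, not code from the lottery or from Intralot: the symbol set, the use of "five identical symbols" as a stand-in for the top tier, the batch size and the two injected defects are all constructed, and the real game's prize table is not known here.

```python
"""Added example: a ticket generator that enforces the quoted rule (no more
than five identical play symbols in nine play areas) and a batch audit that
flags both a surplus and a shortfall of top-tier tickets. Constructed
assumptions: a five-symbol set, 'top tier' = exactly five identical symbols,
and two simulated defects selected by the `faulty` argument."""
import random
from collections import Counter
from math import comb

PLAY_AREAS = 9
MAX_IDENTICAL = 5                                    # rule quoted in the article
SYMBOLS = ["bell", "tree", "star", "gift", "snow"]   # constructed symbol set
P = 1.0 / len(SYMBOLS)


def _prob_exactly(k):
    """Probability a given symbol appears exactly k times in nine draws."""
    return comb(PLAY_AREAS, k) * P ** k * (1 - P) ** (PLAY_AREAS - k)


# Exact top-tier rate for the valid generator: the events 'symbol S appears
# exactly 5 times' are mutually exclusive across symbols (5+5 > 9), as are
# 'symbol S appears 6 or more times', so the sums below are exact.
_P_OVER = len(SYMBOLS) * sum(_prob_exactly(k) for k in range(MAX_IDENTICAL + 1, PLAY_AREAS + 1))
EXPECTED_TOP_RATE = len(SYMBOLS) * _prob_exactly(MAX_IDENTICAL) / (1 - _P_OVER)


def valid_ticket(ticket):
    """Invariant: nine symbols, none repeated more than MAX_IDENTICAL times."""
    return len(ticket) == PLAY_AREAS and max(Counter(ticket).values()) <= MAX_IDENTICAL


def top_tier(ticket):
    """Constructed stand-in for the top prize: exactly five identical symbols."""
    return max(Counter(ticket).values()) == MAX_IDENTICAL


def generate_ticket(rng, faulty=None):
    """Rejection sampling keeps the invariant. `faulty` injects a defect:
    'all_same' models the reported incident (one symbol in all nine areas);
    'no_top' is a silent bug that never lets the top tier appear."""
    if faulty == "all_same":
        return [rng.choice(SYMBOLS)] * PLAY_AREAS
    while True:
        ticket = [rng.choice(SYMBOLS) for _ in range(PLAY_AREAS)]
        top = max(Counter(ticket).values())
        if top > MAX_IDENTICAL:
            continue
        if faulty == "no_top" and top == MAX_IDENTICAL:
            continue
        return ticket


def audit_batch(tickets, expected_rate=EXPECTED_TOP_RATE, z_limit=4.0):
    """Two checks over a batch: every ticket obeys the invariant, and the
    top-tier count is within z_limit standard deviations of the binomial
    expectation. Both a surplus and a shortfall trip the alarm."""
    n = len(tickets)
    invalid = sum(not valid_ticket(t) for t in tickets)
    wins = sum(top_tier(t) for t in tickets)
    sd = (n * expected_rate * (1 - expected_rate)) ** 0.5
    z = (wins - n * expected_rate) / sd
    return {
        "tickets": n,
        "invalid": invalid,
        "wins": wins,
        "expected_wins": round(n * expected_rate, 1),
        "z": round(z, 2),
        "anomalous": invalid > 0 or abs(z) > z_limit,
    }


if __name__ == "__main__":
    rng = random.Random(2017)
    for fault in (None, "all_same", "no_top"):
        batch = [generate_ticket(rng, fault) for _ in range(20_000)]
        print(fault or "healthy", audit_batch(batch))
```

The invariant check alone catches the reported defect (nine identical symbols), but it is the rate check that answers "who would notice?": a generator that silently stops producing top-tier tickets passes every per-ticket check and only shows up as a large negative z-score over the batch.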

500 rupees, 10 minutes, and you have access to billion Aadhaar details

The Tribune India via Prashanth Mundkur <prashanth.mundkur@gmail.com>

Date: Thu, 4 Jan 2018 09:52:45 +0530

Rs 500, 10 minutes, and you have access to billion Aadhaar details
Rachna Khaira, Tribune News Service, Jalandhar, January 3 2018

http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html

It was only last November that the UIDAI asserted that Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI. Today, The Tribune *purchased* a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.

It took just Rs 500, paid through Paytm, and 10 minutes in which an agent of the group running the racket created a gateway for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

What is more, The Tribune team paid another Rs 300, for which the agent provided software that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.

[Rs 500 is less than $10.]

Massive security breach in India

Mark Thorson <eee@dialup4less.com>

Date: Fri, 5 Jan 2018 11:41:29 -0800

If you build it, they will come.

http://marginalrevolution.com/marginalrevolution/2018/01/security-breach-india.html

Who's liable in driverless train accident?

The Straits Times <rmstein@ieee.org>

Date: Sat, 06 Jan 2018 09:15:21 +0800

http://www.straitstimes.com/singapore/courts-crime/whos-liable-in-driverless-train-accident

Insurance premiums may deter the ubiquitous deployment of automated transport systems, especially if/when an incident swarm identifies system operators or component suppliers liable. See RISKS-29.64 [item 11] for a premium guesstimate given the moral dilemma underlying deployment choice.

"LA-Tokyo flight turns back after passenger 'boards with wrong ticket'"

BBC <bernhard@netmuc.net>

Date: Wed, 27 Dec 2017 16:12:50 +0100

http://www.bbc.com/news/world-us-canada-42492467 "LA-Tokyo flight turns back after passenger 'boards with wrong ticket'"

What, then, is the purpose of these boarding scanners? Glorified passenger counters? I had always thought they were there to ensure that only the expected passengers would be on the plane.

Rise of the Robo-Judge

Dan Jacobson <jidanni@jidanni.org>

Date: Mon, 15 Jan 2018 07:12:12 +0800

https://www.linkedin.com/pulse/rise-robo-judge-artificial-intelligence-well-its-way-determining-fox/

Imagine for a second, that you enter the courtroom to see a computer in the place of a judge. You watch the trial robot as it hears the details of a case, and as the "judge-bot" absorbs the evidence, it seems to be drawing conclusions, determining through steely artificial intelligence, if the accused is guilty or not guilty. It seems a bit weird, unsettling, and may not be as farfetched as it sounds.

Hawaiian False Missile Alert Command Confirmation Bias Strikes Again

NYTimes et al. <gezelter@rlgsc.com>

Date: Sun, 14 Jan 2018 07:04:45 -0700

*The New York Times*, 13 Jan 2018 https://www.nytimes.com/2018/01/13/us/hawaii-missile.html

Vern T. Miyagi, the administrator of the agency, said that during the drill, an unidentified employee mistakenly pushed a button on a computer screen to send out the alert, rather than one marked to test it. He said the employee answered *yes* when asked by the system if he was sure he wanted to send the message. [PGN-ed]

Computer users are all too familiar with the decades-old hazard of "Are you sure you want to *****?" Much havoc has ensued when a user or system manager types a command, only to reflexively confirm it. Systems have shut down, files lost, and many other serious consequences. This feature is present on a wide range of systems, including Tenex, OpenVMS, MS-DOS, and Windows (My recollection is that *IX systems do not ask for confirmation, they just "do it").

Perhaps, critical systems (e.g., Emergency Warning Systems) might be better off adopting a different approach. Users responding to a confirmation prompt all too often fall into the trap of confirming by reflex.

A better approach might be to require two operators at different consoles, separated physically by a sufficient distance, to BOTH command critical actions (e.g., sending out an all mobile phones alert). Had such a "two-person" rule applied, it is likely that two independent individuals would not have made the same error.

Bob Gezelter, http://www.rlgsc.com

[Dave Horsfall added: Now that we know that the automatic bulk alert works just fine, why was there no automatic bulk retraction designed into it? Surely right next to the Big Red Button (no, not that one) should be a Big Red "OOPS!" Button?

Lauren Weinstein added: You can excuse the good people of Hawai'i if they consider all future alerts on that system with an extreme degree of skepticism. Any system that permits an error like this needs to be ripped out by the roots and tossed into a dumpster, along with whomever is in charge of it.

Rob Wilcox noted this: http://www.hawaiinewsnow.com/story/37271628/officials-release-image-of-hiema-screen-that-triggered-incorrect-missile-alert

Gabe Goldberg had this to add: http://www.thegatewaypundit.com/2018/01/hawaiian-emergency-management-officials-hold-interview-post-notes-passwords-computer-screens/ Maybe Amazon can recommend invisible ink when Post-It notes are purchased.

PGN]
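The design Gezelter proposes (two operators at separate consoles must both command a critical action, and a test is a distinct command rather than a neighbouring button with a reflexive "yes"), together with Horsfall's retraction path, can be sketched as a small authorization gate. This is an added example, not code from the Hawaii system or from any contributor; operator names, console names, the two-minute pairing window and the action vocabulary are constructed assumptions.

```python
"""Added example: a two-person gate in front of a critical action such as a
live public alert. Constructed assumptions: actions are the strings 'test',
'send' and 'retract'; a live 'send' needs two different operators on two
different consoles within `window_s` seconds; 'test' never transmits and
needs no partner; 'retract' is the safe direction, so one operator suffices
but only after a live send actually went out."""
import time
from dataclasses import dataclass, field


@dataclass
class Approval:
    operator: str
    console: str
    action: str
    at: float


@dataclass
class TwoPersonGate:
    window_s: float = 120.0                       # constructed pairing window
    pending: list = field(default_factory=list)    # first halves awaiting a partner
    log: list = field(default_factory=list)        # completed actions

    def request(self, action, operator, console, now=None):
        """Records one operator's command. Returns True only when the action
        actually executes; a lone or repeated 'send' just sits pending."""
        now = time.time() if now is None else now
        self.pending = [a for a in self.pending if now - a.at <= self.window_s]

        if action == "test":
            self.log.append(("test", operator, console))
            return True                             # exercises the path, transmits nothing

        if action == "retract":
            if self.sent() <= self.retracted():
                return False                        # nothing live to retract
            self.log.append(("retract", operator, console))
            return True

        if action != "send":
            raise ValueError(f"unknown action {action!r}")

        # A partner must be a different person on a different console: the
        # same operator re-confirming, or a colleague leaning over the same
        # screen, does not count as an independent check.
        partner = next((a for a in self.pending
                        if a.action == "send"
                        and a.operator != operator
                        and a.console != console), None)
        if partner is None:
            if not any(a.operator == operator and a.action == "send" for a in self.pending):
                self.pending.append(Approval(operator, console, "send", now))
            return False
        self.pending.remove(partner)
        self.log.append(("send", partner.operator, operator))
        return True

    def sent(self):
        return sum(1 for e in self.log if e[0] == "send")

    def retracted(self):
        return sum(1 for e in self.log if e[0] == "retract")


def drill_scenario():
    """Constructed replay of the reported mistake: one operator picks 'send'
    during a drill and confirms it. Returns how many live alerts went out."""
    gate = TwoPersonGate()
    gate.request("send", "op-a", "console-1", now=0.0)     # wrong button
    gate.request("send", "op-a", "console-1", now=1.0)     # reflexive "yes"
    return gate.sent()


if __name__ == "__main__":
    print("live alerts from the drill scenario:", drill_scenario())
```

The gate does not stop a mistaken command from being entered; it stops a single mistaken command from being sufficient. Whether the pairing window is long enough for real operations, and whether retraction should itself be gated, are policy decisions the example leaves open.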

War Risk 2018 with North Korea

Rob Wilcox <robwilcoxjr@gmail.com>

Date: Mon, 15 Jan 2018 08:04:55 -0800

Many RISKS readers have a deep understanding of computer and human factor nuclear war risks discussed in the early 1980's.

(The New York Times) https://www.nytimes.com/2018/01/14/world/asia/hawaii-false-alarm-north-korea-nuclear.html

Drones keep entering no-fly zones over Washington, raising security concerns

WashPo <farber@gmail.com>

Date: Sun, 14 Jan 2018 09:52:32 -0500

The Washington Post, 13 Jan 2018 https://www.washingtonpost.com/local/trafficandcommuting/drones-keep-entering-no-fly-zones-over-washington-raising-security-concerns-and-illustrating-larger-problems/2018/01/13/1030159a-db7d-11e7-b1a8-62589434a581_story.html

What Happens If Russia Attacks Undersea Internet Cables

WiReD <gabe@gabegold.com>

Date: Sat, 6 Jan 2018 14:19:02 -0500

https://www.wired.com/story/russia-undersea-internet-cables/?mbid=nl_010518_daily_list1_p1

New Rules Announced for Border Inspection of Electronic Devices

Gabe Goldberg <gabe@gabegold.com>

Date: Fri, 12 Jan 2018 16:35:40 -0500

The U.S. Customs and Border Patrol announced new restrictions on when agents can copy data from digital devices at border crossing points.

Agents now need *reasonable suspicion* in advance of searches of phones, computers, tablets, cameras or any other digital device belonging to people entering or leaving the United States. Border agents will also be restricted from accessing data stored remotely in the cloud.

The new guidance published on Friday updates existing rules introduced in 2009 regarding advanced searches that can be conducted at random and without warrant. <https://www.cbp.gov/sites/default/files/assets/documents/2018-Jan/cbp-directive-3340-049a-border-search-electronic-media.pdf>

Under the new rules, border agents would still be able to conduct basic searches with or without suspicion, which entails physical examination of digital devices, such as sorting through photos and examining messages. Advanced searches based on reasonable suspicion will still be permitted and agents can still review, copy, and analyze a digital device's contents.

The directive states travelers may be asked to provide passcodes to unlock a device. If the border agent is unable to inspect the device because it is passcode or encryption-protected, the agent may detain the device for up to five days.

https://threatpost.com/new-rules-announced-for-border-inspection-of-electronic-devices/129361/

Is the Answer to Phone Addiction a Worse Phone?

NYTimes <monty@roscom.com>

Date: Mon, 15 Jan 2018 09:44:22 -0500

Is the Answer to Phone Addiction a Worse Phone? https://www.nytimes.com/2018/01/12/technology/grayscale-phone.html

A small group of people have turned their phone screens to shades of gray to make them less stimulating. That

Apple said a software problem caused its heating system to break, which caused icicles to form on the roof of its Chicago store

Gabe Goldberg <gabe@gabegold.com>

Date: Sat, 6 Jan 2018 14:21:12 -0500

Apple spokesman Nick Leahy said

Windows Meltdown and Spectre patches

Gabe Goldberg <gabe@gabegold.com>

Date: Thu, 11 Jan 2018 15:28:49 -0500

Microsoft has added a new and very important detail on the support

Meltdown/Spectre/GoogleZero

The Verge <neumann@csl.sri.com>

Date: Sun, 7 Jan 2018 13:43:34 PST

https://www.theverge.com/2018/1/4/16851132/meltdown-spectre-google-cpu-patch-performance-slowdown

Google just gave chipmakers some much needed good news. In a post on the company's Online Security Blog, two Google engineers described a novel chip-level patch that has been deployed across the company's entire infrastructure, resulting in only minor declines in performance in most cases. The company has also posted details of the new technique, called Retpoline, in the hopes that other companies will be able to follow the same technique. If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted.

Microsoft's patches brick AMD PCs

Money via Barry Gold <barrydgold@ca.rr.com>

Date: Wed, 10 Jan 2018 21:54:40 -0800

Microsoft came up with a security patch for the Spectre and Meltdown vulnerabilities, but if the patch is installed on a PC with an AMD chip, it's likely to turn into a boat anchor. M$ is blaming AMD for providing inadequate info on how their chips work.

http://money.cnn.com/2018/01/09/technology/business/microsoft-amd-update/index.html

Antivirus: the perfect spying tool!!

Nicole Perlroth <hbaker1@pipeline.com>

Date: Tue, 02 Jan 2018 16:39:01 -0800

What does an antivirus program do? It scans every file in your device looking for *signatures*, and then uploads those files which match the signatures for further analysis by the antivirus provider.

So hacking antivirus involves 2 steps: produce signatures for files you want to steal, and then exfiltrate those files. The hard work of scanning for those files is already automated by the antivirus program!

Both steps are trivial *if/when you're the antivirus vendor*! Duh!

But even when you're not the antivirus vendor, the antivirus technology is the perfect "evil maid" which constantly runs in the background, indexing files for later—possibly more labor-intensive—exfiltration.

Nicole Perlroth, 1 Jan 2018
How Antivirus Software Can Be Turned Into a Tool for Spying
https://www.nytimes.com/2018/01/01/technology/kaspersky-lab-antivirus.html

It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool.

Security software runs closest to the bare metal of a computer, with privileged access to nearly every program, application, web browser, email and file. There's good reason for this: Security products are intended to evaluate everything that touches your machine in search of anything malicious, or even vaguely suspicious.

By downloading security software, consumers also run the risk that an untrustworthy antivirus maker—or hacker or spy with a foothold in its systems—could abuse that deep access to track customers' every digital movement.

"In the battle against malicious code, antivirus products are a staple," said Patrick Wardle, chief research officer at Digita Security, a security company. "Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect." Mr. Wardle would know. A former hacker at the National Security Agency, Mr. Wardle recently succeeded in subverting antivirus software sold by Kaspersky Lab, turning it into a powerful search tool for classified documents. Mr. Wardle's curiosity was piqued by recent news that Russian spies had used Kaspersky antivirus products to siphon classified documents off the home computer of an NSA developer, and may have played a critical role in broader Russian intelligence gathering.

"I wanted to know if this was a feasible attack mechanism," Mr. Wardle said. "I didn't want to get into the complex accusations. But from a technical point of view, if an antivirus maker wanted to, was coerced to, or was hacked or somehow subverted, could it create a signature to flag classified documents?"

That question has taken on renewed importance over the last three months in the wake of United States officials' accusations that Kaspersky's antivirus software was used for Russian intelligence gathering, an accusation that Kaspersky has rigorously denied.

Last month, Kaspersky Lab sued the Trump administration after a Department of Homeland Security directive banning its software from federal computer networks. Kaspersky claimed in an open letter that "DHS has harmed Kaspersky Lab's reputation and its commercial operations without any evidence of wrongdoing by the company."

For years, intelligence agencies suspected that Kaspersky Lab's security products provided a back door for Russian intelligence. A draft of a top-secret report leaked by Edward J. Snowden, the former National Security Agency contractor, described a top-secret, NSA effort in 2008 that concluded that Kaspersky's software collected sensitive information off customers' machines.

The documents showed Kaspersky was not the NSA's only target. Future targets included nearly two dozen other foreign antivirus makers, including Checkpoint in Israel and Avast in the Czech Republic. [...]

[Excellent long item PGN-truncated for RISKS. The print version (2 Jan 2018) has a different headline: Spies Exploit The Software That Protects.]

Infected USB sticks handed out at security conference

Taipei Times <eee@dialup4less.com>

Date: Sun, 7 Jan 2018 10:20:18 -0800

Apparently, infected inadvertently and not targeted at the conference. Quickly discovered.

http://www.taipeitimes.com/News/taiwan/archives/2018/01/08/2003685393

Cybersecurity in self-driving cars: University of Michigan releases threat identification tool

Mike Chinni <mchinni@optonline.net>

Date: Mon, 8 Jan 2018 13:51:08 -0500

"These three hypothetical scenarios, posited in a new white paper by University of Michigan researchers working with Mcity, illustrate the breadth of the cybersecurity challenges that must be overcome before autonomous and connected vehicles can be widely adopted. While every new generation of auto tech brings new security risks, the vulnerabilities that come along with advanced mobility are both unprecedented and under-studied, the paper states.

The white paper introduces a tool called the Mcity Threat Identification Model, which could help academic and industry researchers analyze the likelihood and severity of potential threats. The new model outlines a framework for considering: the attacker's skill level and motivation; the vulnerable vehicle system components; the ways in which an attack could be achieved; and the repercussions, including for privacy, safety and financial loss.

The tool is believed to be the first of its kind focused on automated vehicles. Mcity, led by U-M, is the nation's largest public-private partnership working to advance connected and automated mobility."

http://ns.umich.edu/new/releases/25354-cybersecurity-in-self-driving-cars-u-m-releases-threat-identification-tool

BlackBerry Jarvis Checks Autonomous Car Software for Security Flaws

EWeek <gabe@gabegold.com>

Date: Thu, 18 Jan 2018 00:35:01 -0500

Enterprise software vendor BlackBerry is jumping into the autonomous vehicle marketplace with a new cyber-security application called Jarvis that aims to tighten security around the complex computing code that controls driver-less vehicles.

BlackBerry Jarvis, which the company says is a "cloud-based, static binary code scanning" application, can be used by automakers to quickly and deeply scan and evaluate the voluminous and critical software code used in autonomous vehicles, cutting such scanning from 30 days down to about seven minutes, according to BlackBerry. [...]

"Jarvis is a game-changer for OEMs because for the first time they have a complete, consistent, and near real-time view into the security posture of a vehicle's entire code base along with the insights and deep learning needed to predict and fix vulnerabilities, ensure compliance, and remain a step ahead of bad actors."

Jarvis can be used to evaluate the hundreds of software applications that are used in autonomous vehicles, according to BlackBerry. [...]

In the future, Jarvis could also be used to help secure critical applications in other industries, including healthcare, industrial automation, aerospace and defense, according to BlackBerry.

IT analysts said Jarvis is intriguing and could be a valuable tool for autonomous vehicle makers.
http://www.eweek.com/security/blackberry-jarvis-scans-for-security-flaws-in-autonomous-car-software

It's magic, no question about that... and maybe it's recursive, can scan itself for flaws. GG

Firms buy insurance 'in mad panic' as cyber-attacks soar

BBC <rmstein@ieee.org>

Date: Wed, 17 Jan 2018 14:56:41 +0800

http://www.bbc.com/news/business-42687937

"One of the biggest issues in cyber-insurance is how to price it effectively and cover indirect as well as direct costs a company suffers following a cyber-attack," says Nik Whitfield, chief executive of Panaseer, a cyber risk assessor.

He anticipates companies like his offering cyber risk assessment services to insurers. Firms seeking insurance would be happy to be assessed in the hope of securing lower premiums, he argues.

"Such a service would be the equivalent of a telematics box in your car which tells the insurance company how well you're driving," says Mr Whitfield.

How many business and institutional entities are ill-equipped and too poorly funded to sponsor essential defensive operations to actively suppress brand outrage incidents? What happens when the cyber-insurer recommended changes (a la outsourcing to a vendor) fail to suppress an incident? What happens to the insurer when an incident swarm drains claim reserves? Filing cabinets and paper might be due for a strong comeback in light of the Internet of Mistakes.

Health Care Is Hemorrhaging Data. AI Is Here to Help

WiReD <gabe@gabegold.com>

Date: Tue, 2 Jan 2018 00:02:51 -0500

https://www.wired.com/story/health-care-is-hemorrhaging-data-ai-is-here-to-help/

Could be good news, could be bad news. Likely some of each. We'll see...

Romanian Hackers Compromised DC Security Cameras Prior to Inauguration

TRK <gabe@gabegold.com>

Date: Thu, 4 Jan 2018 11:36:54 -0500

Washington, DC: Two Romanian nationals have been arrested and charged with hacking into approximately 123 computers that control outdoor surveillance cameras for the *DC Metropolitan Police Department* in connection with a Ransomware scheme just before Donald Trump's inauguration last January. According to documents recently unsealed, Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28, of Romania, were arrested on Dec. 15, at the airport in Bucharest, Romania. Both have been charged with conspiracy to commit wire fraud and conspiracy to commit various forms of computer fraud. Isvanca remains in custody in Romania and Cismaru is on house arrest there pending further legal proceedings. "This case was of the highest priority due to its impact on the Secret Service's protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration," the *U.S. Attorney's Office* in DC said in a statement. All surveillance cameras were restored prior to the inauguration.

https://www.justice.gov/usao-dc/pr/two-romanian-suspects-charged-hacking-metropolitan-police-department-surveillance-cameras

Indiana Hospital Hacked for Ransom: An Argument for Decentralized Data

Dan Jacobson <jidanni@jidanni.org>

Date: Mon, 15 Jan 2018 14:37:56 +0800

https://decentralized.tv/indiana-hospital-hacked-ransom-argument-decentralized-data/

Chanticleer to use blockchain for its rewards program

Gabe Goldberg <gabe@gabegold.com>

Date: Thu, 4 Jan 2018 10:35:32 -0500

Insane blockchain magic fairy dust...

The speculative mania on anything related to cryptocurrencies is happening again in the new year.

Chanticleer Holdings, an owner of burger restaurants, said Tuesday it will use blockchain-related technology for its customer rewards program. The company also owns 9 Hooters restaurants and is a minority investor in Hooters of America.

"We wanted to expand our existing loyalty program with something that really changes the way our customers can leverage their rewards; Mobivity Merit is real cryptocurrency, leveraging the same infrastructure and principles of Bitcoin, Ethereum, Ripple, Litecoin, and more, and will enable our customers to make use of their rewards in entirely new ways," Michael Pruitt, chairman, president and CEO of Chanticleer Holdings, said in a release <https://globenewswire.com/news-release/2018/01/02/1277006/0/en/Chanticleer-Holdings-to-Deploy-Mobivity-s-Blockchain-Technology-to-Power-Cryptocurrency-Rewards-Program.html>.

Chanticleer Holdings rose nearly 50 percent in Tuesday trading to almost $4 a share. The Nasdaq-traded stock had a market value of only $8 million through Friday so it's clearly buyer beware.

https://www.cnbc.com/2018/01/02/chanticleer-to-use-blockchain-for-its-rewards-program.html

How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com

Dan Jacobson <jidanni@jidanni.org>

Date: Thu, 28 Dec 2017 05:12:13 +0800

https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac It begins with a text message from Verizon 11:31 PM...

Egypt's grand mufti says bitcoin 'forbidden' by Islam

The Times of Israel <gabe@gabegold.com>

Date: Wed, 3 Jan 2018 17:11:03 -0500

https://www.timesofisrael.com/egypts-grand-mufti-says-bitcoin-forbidden-by-islam/

The risk? Using a forbidden currency.

How The Banks Bought Bitcoin

Lightning Network <jidanni@jidanni.org>

Date: Fri, 05 Jan 2018 23:54:37 +0800

Lightning Network by Decentralized Thought http://bitthink.info/ https://www.youtube.com/watch?v=UYHFrf5ci_g "This is the finished version of my original video 'The truth about the lightning network'.

Treat this video as a menu to start at. As I add videos I will link the relevant ones. Upcoming videos on Bitcoin's censorship by r/theymos, Blockstream's connections to the banks, how Blockstream took over Bitcoin's development, as well as videos on Asicboost, Jihan Wu, Roger Ver and a variety of other topics."

Your Mother's Maiden Name Is Not a Secret

NYTimes <gabe@gabegold.com>

Date: Thu, 28 Dec 2017 12:44:22 -0500

There has been no shortage of incidents proving that website security questions are far from secure.

https://www.nytimes.com/2017/12/28/opinion/sunday/internet-security-questions.html

...and yet they're still widely used.

Risks of not using a bookstore?

Newsweek <msb@vex.net>

Date: Wed, 10 Jan 2018 07:03:18 -0500

http://www.newsweek.com/fire-fury-books-michael-wolff-trump-world-war-774048

[People accidentally bought the wrong book, with the same title but a completely different subtitle. The name of the book is not a secret either. (Snide comment on the previous item on your mother's maiden name.) PGN]

Why you'll fire Siri and do the job yourself

ComputerWorld <genew@telus.net>

Date: Tue, 09 Jan 2018 12:09:51 -0800

https://www.computerworld.com/article/3246088/artificial-intelligence/why-you-ll-fire-siri-and-do-the-job-yourself.html

Mike Elgan, Computerworld, 6 Jan 2018 Why you'll fire Siri and do the job yourself: In the world of AI, the best virtual assistant might turn out to be your virtual self.

selected text:

A company based in Pasadena, Calif., called ObEN built a 3D AI avatar technology that produced what it calls a personal AI (PAI).

I spoke to ObEN co-founder and CEO Nikhil Jain this week. He told me ObEN's technology generates a 3D computer-generated representation of the user's face with a single selfie.

ObEN also learns to copy your voice. Once it's got your voice down, it can do things with your voice that you cannot: speak Chinese, for example, or sing.

That *personality* is based not only on how you speak, but on what you know as well. It's even possible to add knowledge manually.

In the perfect ObEN universe, different simultaneous instances of your PAI would be off scheduling meetings, answering questions, negotiating rates and even telling bedtime stories to your children, according to Jain, while you are freed up to focus on the stuff that requires human attention and experience.

At the end of the day, the user can review everything the PAI did that day.

Consider Amy, the x.ai virtual assistant. Amy is AI that interacts via email and schedules meetings. Amy has a personality and can make decisions in an email conversation, such as the meeting participants and the Amy virtual assistant negotiating available times for meetings. Amy is a virtual person, and many people who encounter Amy assume they're interacting with a real human.

Possible issues:

1) Review it? If you are so busy that you think you need one of these AI avatars, would you really review everything?

2) Imagine the court case if someone believes something that a professional's AI avatar said, thinking it was the professional, and acts on it and suffers loss. [GW]

Always allow removing comments

Dan Jacobson <jidanni@jidanni.org>

Date: Wed, 10 Jan 2018 02:30:52 +0800

https://github.com/fetlife/android/issues/407 Simple copy and paste errors might result in users posting Personally Identifiable Information, bank account passwords, family records, love letters, even entire resumes.

With no way to quickly delete [what he now sees that he just accidentally posted], in some cultures that could be pure suicide. What was seen as a liberating website suddenly becomes the worst Outing Machine.

Just as one would not want the member database hacked leaking private information, this leak should be plugged too.

Five copyright claims against youtube video of white noise

BBC via Mark Thorson <eee@dialup4less.com>

Date: Sun, 7 Jan 2018 11:12:36 -0800

http://www.bbc.com/news/technology-42580523

[If I discover a new largest prime number, could I copyright that? MT

Probably not under the old rules when I grew up, where you had to show an implementation! Today it is a different story. Almost any patent application may be issued, leaving it to the lawsuits and the lawyers. PGN]

The Geography of Risks

Spencer Cheng <spencer@morphbius.com>

Date: Wed, 27 Dec 2017 13:35:14 -0500

I have been reading comp.risks for at least 30 years. It has been an incredible source of insight, amusement and food for thought. Like all self-selecting groups, there is a risk that the submitters and readers of comp.risks share too many similar concerns and educational backgrounds.

With the explosive growth of the Internet over the last few decades, the nature of risks also changes across national and cultural boundaries. What is a risk in the West may be much less relevant outside the West.

The first real discussion I can find on comp.risks about IMSI-catchers is RISKS-27.33 in 2013. Coincidentally, I was in Beijing around that time and chatting with a PhD student friend who was complaining about the number of SMS UCEMs they were getting. When I inquired further as to why they don't just block the sender, it turns out there are plenty of fake base stations in all Chinese urban areas whose raison d'etre is to inject Macau gambling UCEM into every phone they can connect to. The sender number is generated and changes with every UCEM. The cellular operators are not in a position to block these pop-up IMSI-catchers. I was told these IMSI-catchers were quite cheap to get and operate.

While the risk associated with 3PLA capturing and recording every message to/from every phone is an accepted reality in China, there is an additional layer of risks associated with your smartphone being constantly under attack by anyone who could afford a cheap UCEM injector, which as far as I know doesn't exist in Western Europe and North America.

I gave this only as an example of risks affected by geographical and societal context which can easily be diluted or transformed across societal boundaries. It behooves us as computer professionals interested in various computer-related risks to society to remember that the Internet is not a homogeneous cultural community of interest. The severity and relevance of any risk must be placed in geographical, societal or cultural context.

How Adding Accelerometers to Keys Will Thwart Car Thieves

IEEE Spectrum <gabe@gabegold.com>

Date: Thu, 4 Jan 2018 09:42:55 -0500

During last week's MEMS and Sensors Executive Congress in San Jose, Calif., designers, researchers, and industry representatives argued for putting MEMS devices, like accelerometers and microphones, and a wide variety of other sensors in just about everything. We heard about an electric snowboard with traction control, voice-controlled garbage cans, and accelerometers placed on the nose to listen for speech in noisy environments.

But sometimes the simplest example is the most memorable. In this case, that was a MEMS accelerometer—like the one in your step-counter—that thwarts car thieves.

https://spectrum.ieee.org/view-from-the-valley/transportation/sensors/how-accelerometers-will-soon-thwart-car-thieves

Re: The Unstoppable Momentum of Self-Driving Cars

Amos Shapir <amos083@gmail.com>

Date: Thu, 28 Dec 2017 18:48:59 +0200

The Las Vegas bus incident demonstrates a basic problem of autonomous cars, which no one seems to have addressed yet.

As every student driver learns within the first few lessons, operating a vehicle is the easier part; driving is essentially teamwork. A driver must not just be aware of what other drivers do, but, more important, has to use social skills to predict what they wish to do and what they are going to do.

It's no accident that in many languages, terms used to describe driving originate from the realm of social behavior (e.g. "conduct").

So it seems that the main problem of driving robots is that they have learned to control vehicles, but have not yet learned how to drive.

Re: Vehicle Satellite Navigation

Chris Drewe <e767pmk@yahoo.co.uk>

Date: Thu, 28 Dec 2017 22:28:45 +0000

Where I live, five major roads on the east side of town all converge on a single roundabout (traffic circle), which obviously gets congested, especially in rush hours. To help the flow there's a flyover (overpass) linking two of the roads directly; this is a rather spindly structure suitable for cars and small vans only, and it's only one lane wide, so the direction of traffic is switched according to demand—usually into town in the morning and out of town in the afternoon—from a control room with CCTV monitoring of the surrounding roads. There are mechanically-operated signs at each end, showing either a 'no entry' symbol (if closed), or '30' (speed limit) and car and van symbols (if open) as appropriate.

Of course from time to time drivers miss the signs and go the wrong way, resulting in a near miss or head-on collision, usually without major casualties luckily as speeds are low, though recovering wrecked vehicles 20 feet (6m) in the air can be a challenge. This has been happening for decades; however, in early 2017 the local newspaper reported an increase in incidents in recent years, suggesting that satellite navigation systems could be to blame, with a quick check on several models showing that some tell drivers to use the flyover without first checking that it's actually open in their direction. A representative from one of the makers was quoted as saying that switched-direction roads are used in several parts of the world and navigation systems can handle these, but only if they operate to a regular schedule, which this one doesn't.

As I see it, there are two issues here: (1) is it possible/feasible for satellite navigation systems to handle changing road conditions, both for fixed locations like this and/or wider-ranging difficulties like wildfires? And (2) how much detail should navigation systems actually provide for drivers? Telling them to stop at red lights, give way to other vehicles (having a crash is rarely a good idea), avoid hitting pedestrians, etc. seems a little unnecessary.

[There's a vaguely similar item in RISKS-30.52: Navigation Apps Are Turning Quiet Neighborhoods Into Traffic Nightmares (Lisa Foderaro)]

In the UK there are occasional proposals for road pricing with the aim of reducing traffic congestion while raising valuable funds for road improvements—the per-mile rate would vary with higher charges for busier roads at busier times. Somebody pointed out that if this made major highways quieter because heavy traffic used country lanes in the middle of the night, would it count as success or failure..? (Presumably smartphone apps or whatever would be developed to calculate lowest-cost routes and times for specific journeys.)

Similar approach in London, UK: http://www.telegraph.co.uk/news/2017/12/31/block-streets-stop-smart-apps-turning-sleepy-roads-polluted/ Block off streets to stop smart apps turning sleepy roads into polluted rat runs, say campaigners