RISKS Digest 30.25

Tuesday 18 April 2017

How fake news and hoaxes have tried to derail Jakarta's election

BBC <lauren@vortex.com>

Date: Mon, 17 Apr 2017 22:29:26 -0700

via NNSquad http://www.bbc.com/news/world-asia-39176350

In Indonesia, the rise of fake news, hoaxes, and misleading information online has cast a pall over an already bitterly divided election in the capital, Jakarta. BBC Indonesian's Christine Franciska looks at why activists are describing this as a dark era in Indonesia's digital life.

Critics See Signs of Interference in French Vote

Andrew Higgins <neumann@csl.sri.com>

Date: Tue, 18 Apr 2017 8:39:30 PDT

Andrew Higgins, *The New York Times*, 18 Apr 2017

State-run Russian News Operations Disperse Slanted Reports

Voters Cite Turkish Leader's Record as He Claims a Slim Victory

Patrick Kingsley <neumann@csl.sri.com>

Date: Tue, 18 Apr 2017 8:49:11 PDT

Patrick Kingsley, *The New York Times*, 18 Apr 2017

Noting irregularities, opposition party seeks recount. The pro-Kurdish party noted that as many as 3M votes lacked an official stamp and should be invalidated. Teams of European observers also had complaints. Unlevel playing field with Erdogan's "state of emergency". Opposition party people arrested. "No" campaigners physically intimidated, rallies limited. That seems to be a recipe for a "fair" election rather than a "good" one or an "excellent" one—if you subscribe to the other meaning of "fair". [PGN-ed]

Biased Bots: Human Prejudices Sneak Into Artificial Intelligence Systems

Princeton <technews-editor@acm.org>

Date: Mon, 17 Apr 2017 12:16:09 -0400 (EDT)

Princeton University 13 Apr 2017 via ACM TechNews 17 Apr 2017

Researchers at Princeton University have demonstrated how machines can be reflections of their creators' biases. They determined common machine-learning programs, when fed ordinary human language available online, can obtain cultural prejudices embedded in the patterns of wording. "We have a situation where these artificial intelligence [AI] systems may be perpetuating historical patterns of bias that we might find socially unacceptable and which we might be trying to move away from," warns Princeton professor Arvind Narayanan. The team experimented with a machine-learning version of the Implicit Association Test, the GloVe program, which can represent the co-occurrence statistics of words in a specific text window. The test replicated the broad substantiations of bias found in select Implicit Association Test studies over the years that relied on human subjects. Coders might hope to prevent the perpetuation of cultural stereotypes via development of explicit, math-based instructions for machine-learning programs underpinning AI systems. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-13472x2118efx072995&

The tiny changes that can cause AI to fail

BBC <lauren@vortex.com>

Date: Sat, 15 Apr 2017 09:38:57 -0700

BBC via NNSquad http://www.bbc.com/future/story/20170410-how-to-fool-artificial-intelligence

The year is 2022. You're riding along in a self-driving car on a routine trip through the city. The car comes to a stop sign it's passed a hundred times before - but this time, it blows right through it. To you, the stop sign looks exactly the same as any other. But to the car, it looks like something entirely different. Minutes earlier, unbeknownst to either you or the machine, a scam artist stuck a small sticker onto the sign: unnoticeable to the human eye, inescapable to the technology. In other words? The tiny sticker smacked on the sign is enough for the car to "see" the stop sign as something completely different from a stop sign. It may sound far-fetched. But a growing field of research proves that artificial intelligence can be fooled in more or less the same way, seeing one thing where humans would see something else entirely.

Shadow Brokers: a mysterious hacker or group of hackers released the Microsoft apocalypse that wasn't

Robert Hackett <gabe@gabegold.com>

Date: Sat, 15 Apr 2017 23:55:15 -0400

Robert Hackett

On Friday the Shadow Brokers, a mysterious hacker or group of hackers, released the Microsoft apocalypse that wasn't.

What originally appeared to be one of the most damaging releases in recent memory of zero-day exploits, or hacking tools that take advantage of previously unknown software vulnerabilities, fell from the sky with the shrieking ferocity of a MOAB bomb and landed with the soft thud of a dud. Unknown to members of the information security community all through the day, Microsoft had quietly patched the majority of the Windows flaws in a security update last month, preventing the NSA-crafted espionage tools from being abused by opportunistic attackers after their leak. The company only announced that fact late in the evening.

Prior to Microsoft's hysteria-neutering blog post, security pros had been tearing apart the leaked cache of digital weapons, running the attack code on their test systems, and warning the world about the potential danger of anyone connected to the Internet with a Windows-based computer. That the researchers were running slightly outdated, un-patched versions of Microsoft's software only became apparent after the company made its late-night announcement.

That Microsoft seemed to miraculously fix the hitherto unknown bugs just a month prior to their exposure leads any sane onlooker to the conclusion that the U.S. government must have alerted the company to these problems earlier and on the sly, preempting fallout. (A customary acknowledgment for the researcher who reported the bugs was conspicuously absent from Microsoft's post, hmm.) If so, this coordinated disclosure represents a major policy coup. Instead of sticking its head in the sand (as critics often accuse the intelligence community of doing), the spy set appears to have worked with the tech sector, taking proactive measures to defuse the situation before it could get out of hand.

This is the right approach; kudos to all involved. To stay protected, make sure your systems—Windows 7 or later—are up to date with the latest patches, dear readers. And a Happy Easter to those who celebrate.

Hackers have just dumped a treasure trove of NSA data. Here's what it means.

Henry Farrell <dewayne@warpspeed.com>

Date: Sun, Apr 16, 2017 at 6:47 AM

Henry Farrell, 15 Apr 2017 https://www.washingtonpost.com/news/monkey-cage/wp/2017/04/15/shadowy-hackers-have-just-dumped-a-treasure-trove-of-nsa-data-heres-what-it-means/

A group of hackers called the Shadow Brokers has just released a new dump of data from the National Security Agency. This is plausibly the most extensive and important release of NSA hacking tools to date. It's likely to prove awkward for the U.S. government, not only revealing top-secret information but also damaging the government's relationships with U.S. allies and with big information technology firms. That is probably the motivation behind the leak: The Shadow Brokers are widely assumed to be connected with the Russian government. Here's what the dump means.

What information has been released?

The release is only the most recent in a series of Shadow Broker dumps of information. However, it is by far the most substantial, providing two key forms of information. The first is a series of zero-day exploits for Microsoft Windows software. Zero-day exploits are attacks that take advantage of unknown vulnerabilities in a given software package. Exploits against commonly used software such as Windows are highly valuable - indeed, there is a clandestine international market where hackers sell exploits (sometimes through middlemen) to intelligence agencies and other interested parties, often for large sums of money. Intelligence services can then use these exploits to compromise the computers of their targets.

Second, information in the dump seems to show that the NSA has penetrated a service provider for SWIFT, an international financial messaging service. Specifically, it appears to have penetrated a SWIFT Service Bureau that provides support for a variety of banks in the Middle East.

Why are zero-day exploits important?

The leak of the zero-day exploits is important for two reasons. First, once the existence of a zero-day exploit is revealed, it rapidly loses a lot of its value. Zero-day exploits work reliably only when they are held secret. Microsoft may already have fixed many of these vulnerabilities (there are conflicting reports from Microsoft and security companies UPDATE: NOW SECURITY RESEARCHERS APPEAR TO HAVE WITHDRAWN THEIR CLAIMS). However, if it hasn't, or if the attacks provide information to hackers that can be used to generate more attacks, unscrupulous hackers might be able to take advantage. In a worst-case scenario, there may be a period when it's as if criminal hackers suddenly acquired super powers in an explosion, as in the TV show The Flash, and started using them for nefarious ends.

Second, and as a consequence, trust between the United States and big software companies may be seriously damaged. Some weeks ago, Adam Segal of the Council on Foreign Relations wrote a report talking about how the U.S. government needs to rebuild a relationship with Silicon Valley that had been badly damaged by the Edward Snowden revelations. Now, the damage is starting to mount up again.

Most people think of the NSA as a spying agency and do not realize that it has a second responsibility: It is also supposed to protect the security of communications by U.S. citizens and companies against foreign incursions. When the United States learns of a zero-day exploit against software used by Americans, it is supposed to engage in an equities process, in which the default choice should be to inform the software producer so that it can fix the vulnerability, keeping the zero-day secret only if a special case can be made for it. [...]

Car parking app shares 2000 customers' private details after company suffers glitch

The Telegraph <monty@roscom.com>

Date: Tue, 18 Apr 2017 09:54:39 -0400

http://www.telegraph.co.uk/news/2017/04/15/car-parking-app-customers-personal-data-shared-others-company/

California Secession Bid Fails: Leader Is Living in Russia

KABC <lauren@vortex.com>

Date: Tue, 18 Apr 2017 13:28:57 -0700

via NNSquad http://www.kabc.com/news/california-secession-bid-fails-leader-is-living-in-russia/

Supporters of one long-shot bid to make California an independent nation ended their effort on Monday, while another group said it will launch a new campaign for a statewide vote next year, reports the AP. The Yes California Independence Campaign faltered after its president, Louis Marinelli, revealed ties to Russia.

Inside the Tech Support Scam Ecosystem

OnTheWire <lauren@vortex.com>

Date: Sun, 16 Apr 2017 10:11:37 -0700

OnTheWire via NNSquad

https://www.onthewire.io/inside-the-tech-support-scam-ecosystem/

"So far, we collected more than 25K scam domains and thousands of scam phone numbers and we [have] evidence that this threat is not going to decrease soon and it still has an increasing trend," Miramirhani said.

REFERENCE: User Trust Fail: Google Chrome and the Tech Support Scams -- https://lauren.vortex.com/2017/01/12/user-trust-failure-google-chrome-and-the-tech-support-scams

Why one Republican voted to kill privacy rules: Nobody has to use the Internet

Ars Technica <gabe@gabegold.com>

Date: Sat, 15 Apr 2017 23:33:49 -0400

A Republican lawmaker who voted to eliminate Internet privacy rules said, "Nobody's got to use the Internet" when asked why ISPs should be able to use and share their customers' Web browsing history for advertising purposes.

https://arstechnica.com/tech-policy/2017/04/dont-like-privacy-violations-dont-use-the-internet-gop-lawmaker-says/

The risk? People like that.

Re: Autonomous Electric Vehicle impact on Economy

Amos Shapir <amos083@gmail.com>

Date: Tue, 18 Apr 2017 12:49:06 +0300

Parking meter? How quaint. I'm now using a phone application called Pango which identifies where a user is parked (in a garage or on a street) when it's turned on, and charges the account for parking fees when it's turned off (in garages it can do this automatically, I prefer manual mode). Additional payments could be charged to the account the same way.

> But if we are to have autonomous cars zooming past too fast to see the signs, marketing to reach riders of the autonomous vehicles may need a sea change of technology rethinking.

The Waze navigation application (recently acquired by Google) already has this feature, flashing ads on the screen for businesses while a user approaches them or drives by.