The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 04

Monday 28 January 2019

Contents

If 5G Is So Important, Why Isn't It Secure?
Henry Baker on NYT item
Everybody Does It: The Messy Truth About Infiltrating Computer Supply Chains
The Intercept
Digital Assistants Inside Cars Raise Serious Privacy Concerns
Fortune
Toilet seat sensor tracks blood pressure, stroke volume, blood oxygenation
MobiHealthNews
The Hidden Automation Agenda of the Davos Elite
NYT
Prepare for the Smart Home Fitness Revolution
WIRED
The Prime Challenges for Scout, Amazon's New Delivery Robot
Gabe Goldberg
Why Uber wants to build scooters and bikes that can drive themselves
Ars Technica
"Our worst fears have come true," VW Group exec wrote to Audi exec.
Ars
The World Economy Runs on GPS. It Needs a Backup Plan
Bloomberg
Runner found to be a hitman after GPS Watch ties him to crime scene
Runner's World
Buy Bitcoin at the Grocery Store via Coinstar
Fortune
The Internet of human things: Implants for everybody and how we get there
ZDNet
Drone activity halts air traffic at Newark Liberty International
WashPo
How Volunteers for India's Ruling Party Are Using WhatsApp to Fuel Fake News Ahead of Elections
Time
Family says hacked Nest camera warned them of North Korean missile attack
WashPost
GoDaddy weakness let bomb threat scammers hijack thousands of big-name domains
Ars Technica
Google ordered to submit search index to state sponsorship in Russia
SearchEngineLand
Why Hackers Had Thousands of DNA Tests Delivered to Random People Over the Holidays
Fortune
The Duty to Read the Unreadable
Monty Solomon
Amazon software works best on white men, study says
WashPost
Risks of Deepfake videos
Geoff Goodfellow
Here's how you can stay clear of online scams
CNET
Data Broker That Sold Phone Locations Used by Bounty Hunters Lobbied FCC to Scrap User Consent
Motherboard
Researchers discover state actor's mobile malware efforts because of YOLO OPSEC
Ars Technica
1000 Vulnerable Cranes
Trendmicro via Henry Baker
When your landlord installs smart locks
José María Mateos
Hundreds of popular cars at risk from key compromise
BBC
Coming Soon to a Police Station Near You: The DNA 'Magic Box'
NYT
An IoT security mailing list
Firemountain via JMM
Japan to regulate foreign companies use of e-mail content
Mark Thorson
Facebook "real names" policy forces you to sign up with a fake name
Neil Youngman
Reaction to the #10YearChallenge circulating on Facebook: Nope.
Gabe Goldberg
How Reserved Storage Works in the Next Version of Windows 10
MS
Security, Compliance Add-Ons Offered to Microsoft 365 Users
GG
US Patent for Drone delivery of coffee based on a cognitive state
GG
Did Australia Hurt Phone Security Around the World?
NYTimes
Location-Based Little Brothers
Henry Baker
How We Destroy Lives Today
NYTimes
Covington and the Pundit Apocalypse
NYTimes
Re: A Simple Bug Makes It Easy to Spoof Google Search Results
Vint Cerf
Re: How three rude iPhone users ruined an evening
Henry Baker
Cyber Security Hall of Fame Nominations now open
Spaf
Info on RISKS (comp.risks)

If 5G Is So Important, Why Isn't It Secure?

Henry Baker <hbaker1@pipeline.com>
Mon, 21 Jan 2019 09:54:06 -0800
The network must be secure enough for the innovations it promises.
https://www.nytimes.com/2019/01/21/opinion/5g-cybersecurity-china.html

  While I'm not so wild about some of Wheeler's detailed recommendations,
  he's correct that security should be a paramount goal for 5G.

Some quotes from this article and referenced reports:

"When 5G enables autonomous vehicles, do we want those cars and trucks
crashing into each other because the Russians hacked the network?"

"If 5G will be the backbone of breakthroughs such as remote surgery, should
that network be vulnerable to the North Koreans breaking into a surgical
procedure?"

"Make the Internet safe and secure for the functioning of Government and
critical services for the American people."

"5G Communications and other next generation networks designed and
architected at the outset with enhanced security, connectivity, and
availability."

"Decades of well-intentioned but disjointed activities have made the
Internet progressively less safe for the critical services which depend upon
it."

"Embrace a 'secure to market' over a 'first to market' mentality"

"Unfortunately, relying on market forces alone fails to adequately
weigh the risks imposed on third parties who rely on the networks and
services they provision."

"Problems known as 'market failures' can discourage investment and
contribute to the insecurity of the critical communications network."

"Because of negative externalities (third parties affected by insecure IoT),
the private sector may not have sufficient incentives to invest in
cybersecurity beyond their own corporate interests."

"5G will enable a massive expansion of IoT endpoints that lack the
processing power and memory needed for robust security protections.
Fortunately, 5G is at an early phase in its development and, if security is
designed in, it may be able to mitigate the cyber risk from these IoT
endpoints."

"Firms make decisions that strike a balance between the costs and benefits
of cybersecurity investments for themselves.  But they do not consider the
additional benefit to the public at large of investing in cybersecurity.
The result is a gap in cybersecurity preparedness that the market, on its
own, is unlikely to fill."

"The attack surface offered by the IoT is growing rapidly, calling for
concerted effort to improve security.  Multiple network providers are
impacted by the IoT, rendering a consistent response difficult.  In
addition, the multiplicity of price-competitive vendors hinders concerted
efforts to build in voluntary security by design into the IoT."

More:

The Trump administration's so-called "race" with China to build new
fifth-generation (5G) wireless networks is speeding toward a network
vulnerable to Chinese (and other) cyberattacks. ... We cannot allow the hype
about 5G to overshadow the absolute necessity that it be secure.  [...]

Leadership in 5G technology is not just about building a network, but also
about whether that network will be secure enough for the innovations it
promises.  And the 5G "race" is more complex and dangerous than industry and
the Trump administration portray.  When 5G enables autonomous vehicles, do
we want those cars and trucks crashing into each other because the Russians
hacked the network?  If 5G will be the backbone of breakthroughs such as
remote surgery, should that network be vulnerable to the North Koreans
breaking into a surgical procedure? ...  Nowhere in the president's
directive, for instance, was there a word about protecting the cybersecurity
of the new network.

As the President's National Security Telecommunications Advisory Committee
told him in November, "the cybersecurity threat now poses an existential
threat to the future of the Nation."  Last January, the brightest technical
minds in the intelligence community, working with the White House National
Security Council (NSC), warned of the 5G cybersecurity threat. ...

https://www.dhs.gov/sites/default/files/publications/DRAFT NSTAC_ReportToThePresidentOnACybersecurityMoonshot_508c.pdf

...  Shortly after taking office, the Trump FCC removed a requirement
imposed by the Obama FCC that the 5G technical standard must be designed
from the outset to withstand cyberattacks.  For the first time in history,
cybersecurity was being required as a forethought in the design of a new
network standard—until the Trump FCC repealed it.  The Trump FCC also
canceled a formal inquiry seeking input from the country's best technical
minds about 5G security, retracted an Obama-era FCC white paper about
reducing cyberthreats, and questioned whether the agency had any
responsibility for the cybersecurity of the networks they are entrusted with
overseeing.

https://docs.fcc.gov/public/attachments/DOC-343096A1.pdf

The simple fact is that our wireless networks are not as secure as they
could be because they weren't designed to withstand the kinds of
cyberattacks that are now common. ...


Everybody Does It: The Messy Truth About Infiltrating Computer Supply Chains (The Intercept)

José María Mateos <chema@rinzewind.org>
Sat, 26 Jan 2019 15:09:28 -0500
https://theintercept.com/2019/01/24/computer-supply-chain-attacks/

From the article:

In October, Bloomberg Businessweek published an alarming story: Operatives
working for China's People's Liberation Army had secretly implanted
microchips into motherboards made in China and sold by U.S.-based
Supermicro. This allegedly gave Chinese spies clandestine access to servers
belonging to over 30 American companies, including Apple, Amazon, and
various government suppliers, in an operation known as a "supply chain
attack," in which malicious hardware or software is inserted into products
before they are shipped to surveillance targets.

[...] But while Bloomberg's story may well be completely (or partly) wrong,
the danger of China compromising hardware supply chains is very real,
judging from classified intelligence documents. U.S. spy agencies were
warned about the threat in stark terms nearly a decade ago and even assessed
that China was adept at corrupting the software bundled closest to a
computer's hardware at the factory, threatening some of the U.S.
government's most sensitive machines, according to documents provided by
National Security Agency whistleblower Edward Snowden. The documents also
detail how the U.S. and its allies have themselves systematically targeted
and subverted tech supply chains, with the NSA conducting its own such
operations, including in China, in partnership with the CIA and other
intelligence agencies. The documents also disclose supply chain operations
by German and French intelligence.


Digital Assistants Inside Cars Raise Serious Privacy Concerns (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sat, 26 Jan 2019 18:30:14 -0500
Currently automakers say they get customer permission before they use the
individual data they collect for marketing or share it with third
parties. Volvo said in a statement that its technology “takes full account
of legal, security, and privacy obligations on a global scale'' and complies
with a European Union law that lets residents control how their personal
data is shared.

An Amazon spokesman says that the company merely shares “anonymized,
aggregated performance data to help automakers improve the customer
experience'' and that it doesn't provide personally identifiable information
to car companies or developers.

BMW shares the data it collects but says it doesn't make money from it
directly. "Let's say the person is listening to certain music, and we know
there's a big concert," says Dieter May, senior vice president of digital
products for BMW. "Then we would probably give that to our salespeople to
make an offer for a special ticket."

But even as governments and corporations begin to address security
questions, it's unclear who will control the data that is collected.

http://fortune.com/2019/01/24/the-spy-inside-your-car/

Hey, Siri—what could go wrong?

I'm sorry Dave, I can't answer that.


Toilet seat sensor tracks blood pressure, stroke volume, blood oxygenation (MobiHealthNews)

Gabe Goldberg <gabe@gabegold.com>
Wed, 23 Jan 2019 00:51:58 -0500
A recently published study found the toilet seat's readings to align with
those measured through more conventional means.

https://www.mobihealthnews.com/content/toilet-seat-sensor-tracks-blood-pressure-stroke-volume-blood-oxygenation

Risks? Privacy, multi-person households, guests...


The Hidden Automation Agenda of the Davos Elite (NYT)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sun, 27 Jan 2019 20:22:25 -1000
*This year's World Economic Forum in Davos, Switzerland, where business
leaders' public positions on automation's impact on workers did not match
the views they shared privately.*

EXCERPT:

They'll never admit it in public, but many of your bosses want machines to
replace you as soon as possible.

I know this because, for the past week, I've been mingling with corporate
executives at the World Economic Forum's annual meeting in Davos. And I've
noticed that their answers to questions about automation depend very much
on who is listening.

In public, many executives wring their hands over the negative consequences
that artificial intelligence and automation could have for workers. They
take part in panel discussions about building `human-centered AI' for the
“Fourth Industrial Revolution''—Davos-speak for the corporate adoption
of machine learning and other advanced technology—and talk about the need
to provide a safety net for people who lose their jobs as a result of
automation.

But in private settings, including meetings with the leaders of the many
consulting and technology firms whose pop-up storefronts line the Davos
Promenade, these executives tell a different story: They are racing to
automate their own work forces to stay ahead of the competition, with
little regard for the impact on workers.

All over the world, executives are spending billions of dollars to
transform their businesses into lean, digitized, highly automated
operations. They crave the fat profit margins automation can deliver, and
they see AI as a golden ticket to savings, perhaps by letting them
whittle departments with thousands of workers down to just a few dozen.

“People are looking to achieve very big numbers,'' said Mohit Joshi, the
president of Infosys, a technology and consulting firm that helps other
businesses automate their operations. “Earlier they had incremental, 5 to
10 percent goals in reducing their work force.  Now they're saying, `Why
can't we do it with 1 percent of the people we have?' ''

Few American executives will admit wanting to get rid of human workers, a
taboo in today's age of inequality. So they've come up with a long list of
buzzwords and euphemisms to disguise their intent. Workers aren't being
replaced by machines, they're being `released' from onerous, repetitive
tasks.  Companies aren't laying off workers, they're “undergoing digital
transformation.''

A 2017 survey by Deloitte found that 53 percent of companies had already
started to use machines to perform tasks previously done by humans. The
figure is expected to climb to 72 percent by next year.

The corporate elite's AI obsession has been lucrative for firms that
specialize in `robotic process automation', or RPA.  Infosys, which is based
in India, reported a 33 percent increase in year-over-year revenue in its
digital division. IBM's “cognitive solutions'' unit, which uses AI to help
businesses increase efficiency, has become the company's second-largest
division, posting $5.5 billion in revenue last quarter. The investment bank
UBS projects that the artificial intelligence industry could be worth as
much as $180 billion by next year.

Kai-Fu Lee, the author of `AI Superpowers' and a longtime technology
executive, predicts that artificial intelligence will eliminate 40 percent
of the world's jobs within 15 years. In an interview, he said that chief
executives were under enormous pressure from shareholders and boards to
maximize short-term profits, and that the rapid shift toward automation was
the inevitable result.

[Photo caption: The Milwaukee offices of the Taiwanese electronics maker
Foxconn, whose chairman has said he plans to replace 80 percent of the
company's workers with robots in five to 10 years.]

[Pull quote: "They always say it's more than the stock price. But in the end,
if you screw up, you get fired."]

Other experts have predicted that AI will create more new jobs than it
destroys, and that job losses caused by automation will probably not be
catastrophic. They point out that some automation helps workers by improving
productivity and freeing them to focus on creative tasks over routine ones.

But at a time of political unrest and anti-elite movements on the
progressive left and the nationalist right, it's probably not surprising
that all of this automation is happening quietly, out of public view. In
Davos this week, several executives declined to say how much money they had
saved by automating jobs previously done by humans. And none were willing
to say publicly that replacing human workers is their ultimate goal.

“That's the great dichotomy,'' said Ben Pring, the director of the Center
for the Future of Work at Cognizant, a technology services firm. “On one
hand,'' he said, profit-minded executives “absolutely want to automate as
much as they can.  On the other hand, they're facing a backlash in civic
society.''

For an unvarnished view of how some American leaders talk about automation
in private, you have to listen to their counterparts in Asia, who often make
no attempt to hide their aims. Terry Gou, the chairman of the Taiwanese
electronics manufacturer Foxconn, has said the company plans to replace 80
percent of its workers with robots in the next five to 10 years.  Richard
Liu, the founder of the Chinese e-commerce company JD.com, said at a
business conference last year that “I hope my company would be 100 percent
automation someday.''

One common argument made by executives is that workers whose jobs are
eliminated by automation can be `reskilled' to perform other jobs in an
organization. They offer examples like Accenture, which claimed in 2017 to
have replaced 17,000 back-office processing jobs without layoffs, by
training employees to work elsewhere in the company. In a letter to
shareholders last year, Jeff Bezos, Amazon's chief executive, said that more
than 16,000 Amazon warehouse workers had received training in high-demand
fields like nursing and aircraft mechanics, with the company covering 95
percent of their expenses. [...]

https://www.nytimes.com/2019/01/25/technology/automation-davos-world-economic-forum.html


Prepare for the Smart Home Fitness Revolution (WIRED)

Gabe Goldberg <gabe@gabegold.com>
Thu, 17 Jan 2019 18:17:48 -0500
Connected fitness started out with apps, says Tonal founder and CEO Aly
Orady.  “Then we went to trackers, and then connected cardio equipment.
We're focused on the next layer, and that's intelligence.''

These devices also simulate a sense of togetherness you can't get from a
video.  Hop on the Peloton bike and you're not just slogging through a
workout, you're joining a full-fledged party led by Alex or Cody or Jenn.
One of them might ask a DJ to play records during their spin class.  Another
might wish you a happy birthday, or even send you a bouquet of flowers if
you mention the recent passing of a loved one.  (Yes, that actually
happened.)

Forget wearables. The next wave of exercise tech includes home fitness
machines that respond directly to you.

https://www.wired.com/story/smart-home-fitness-revolution/

The risk? Mistaking technology for intelligence?


The Prime Challenges for Scout, Amazon's New Delivery Robot

Gabe Goldberg <gabe@gabegold.com>
Thu, 24 Jan 2019 19:49:12 -0500
No matter who you ask, the near-future of delivery seems to involve fleets
of robots shuffling packages from stores, down sidewalks, and onto
doorsteps. Robots will lug grocery bags
<https://www.wired.com/story/nuro-grocery-delivery-robot/> from market to
kitchen; they'll begin to replace humans delivering take-out
<https://www.wired.com/story/postmates-delivery-robot-serve/> and dropping
off parcels. And soon, your Amazon Prime packages may show up courtesy of
Scout, Amazon's new six-wheeled autonomous delivery robot built to withstand
the sidewalk.

https://www.wired.com/story/amazon-new-delivery-robot-scout/

I'm in a DC suburb (VA) with spotty/inconsistent sidewalks. Is that a bigger
or smaller risk than cities with fun-loving teenagers? The article didn't say
what defensive weapons these things carry, whether they're self-righting if
tipped over, or whether they can signal distress.


Why Uber wants to build scooters and bikes that can drive themselves (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Wed, 23 Jan 2019 00:47:55 -0500
Uber is looking to hire people to help it develop autonomous scooter and
bike technology, according to Wired-editor-turned-robotics-entrepreneur
Chris Anderson.  The goal would be to allow bikes and scooters to "drive
themselves to charging or better locations." People interested in joining
the project can fill out this form
<http://t.uber.com/micromobility_robotics>.

https://arstechnica.com/cars/2019/01/uber-wants-bicycles-and-scooters-that-can-drive-themselves-to-recharge/

The risks? If you have to ask...


"Our worst fears have come true," VW Group exec wrote to Audi exec.

Monty Solomon <monty@roscom.com>
Mon, 21 Jan 2019 19:44:13 -0800
Four Audi executives were indicted on Thursday.

http://arstechnica.com/tech-policy/2019/01/need-for-a-large-trunk-and-a-high-end-sound-system-pushed-audi-to-cheat/


The World Economy Runs on GPS. It Needs a Backup Plan (Bloomberg)

Gabe Goldberg <gabe@gabegold.com>
Sun, 20 Jan 2019 00:42:47 -0500
https://www.bloomberg.com/news/features/2018-07-25/the-world-economy-runs-on-gps-it-needs-a-backup-plan


Runner found to be a hitman after GPS Watch ties him to crime scene (Runner's World)

Tim Lavoie <tim.lavoie@gmail.com>
Fri, 18 Jan 2019 20:36:22 -0800
https://www.runnersworld.com/uk/news/a25945315/mark-fellows-runner-hitman-murder/


Buy Bitcoin at the Grocery Store via Coinstar (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Fri, 18 Jan 2019 16:50:44 -0500
Don't count on using spare quarters, dimes and pennies in this case, though.
Bitcoin via Coinstar can only be purchased with paper money (as much as
$2,500).  Investors will go to one of the company's participating machines
and select the `Buy Bitcoin' option on the screen, entering their phone
number.

http://fortune.com/2019/01/18/buy-bitcoin-grocery-store-coinstar/

Right next to lottery ticket vending machines.

Coming next? Cash lottery winnings out as bitcoin?


The Internet of human things: Implants for everybody and how we get there (ZDNet)

Gabe Goldberg <gabe@gabegold.com>
Sun, 27 Jan 2019 23:36:38 -0500
For most adults, I do not see more than basic data stored on an implant
itself—it would be a serial number/unique ID, which would be linked to
the cloud provider, where encrypted user information would be stored or
federated. This virtual wallet would contain credit cards, virtual ID cards
for health insurance, corporate IDs, licenses, and permits.

https://www.zdnet.com/article/the-internet-of-human-things-implants-for-everybody-and-how-we-get-there/

What could go wrong?


Drone activity halts air traffic at Newark Liberty International

Monty Solomon <monty@roscom.com>
Wed, 23 Jan 2019 02:05:24 -0500
A spokesman for the Federal Aviation Administration said that two drones
were spotted near Teterboro Airport.

https://www.washingtonpost.com/transportation/2019/01/22/drone-activity-halts-air-traffic-newark-liberty-international-airport/


How Volunteers for India's Ruling Party Are Using WhatsApp to Fuel Fake News Ahead of Elections

José María Mateos <chema@rinzewind.org>
Sun, 27 Jan 2019 12:42:14 -0500
http://time.com/5512032/whatsapp-india-election-2019/

From the article:

Ahead of national elections in April and May, India's political parties are
pouring money into creating hundreds of thousands of WhatsApp group chats to
spread political messages and memes. Prime Minister Narendra Modi's ruling
Bharatiya Janata Party (BJP) has drawn up plans to have three WhatsApp
groups for each of India's 927,533 polling booths, according to
reports. With each group containing a maximum of 256 members, that number of
group chats could theoretically reach more than 700 million people out of
India's population of 1.3 billion.

[...] [A]ccording to researchers, as well as screenshots of group chats from
as recently as January seen by TIME, these WhatsApp group chats frequently
contain and disseminate false information and hateful rhetoric, much of
which comes from forwarded messages. Experts say the Hindu nationalist BJP
is fueling this trend, although opposition parties are using the same
tactics.


Family says hacked Nest camera warned them of North Korean missile attack

Monty Solomon <monty@roscom.com>
Wed, 23 Jan 2019 02:03:34 -0500
The hack may have been the result of a compromised password.

https://www.washingtonpost.com/technology/2019/01/23/family-says-hacked-nest-camera-warned-them-north-korean-missile-attack/


GoDaddy weakness let bomb threat scammers hijack thousands of big-name domains

Monty Solomon <monty@roscom.com>
Wed, 23 Jan 2019 02:39:47 -0500
https://arstechnica.com/information-technology/2019/01/godaddy-weakness-let-bomb-threat-scammers-hijack-thousands-of-big-name-domains/


Google ordered to submit search index to state sponsorship in Russia (SearchEngineLand)

Lauren Weinstein <lauren@vortex.com>
Wed, 16 Jan 2019 11:32:32 -0800
via NNSquad
https://searchengineland.com/google-ordered-to-submit-search-index-to-state-sponsorship-in-russia-310533

  Russian information agency Roskomnadzor is requiring Google and Bing to
  subject their results to government censorship.  (Yandex has reportedly
  already complied.) A law passed last year in the country mandates that
  search engine results be filtered through the federal state information
  system (FGIS).  Russia increases Internet censorship. The new Russian
  situation is comparable to Chinese rules requiring Internet companies to
  censor results to block officially undesirable or threatening
  information. In addition to censoring online content, China is using
  Internet and mobile technology to spy on its citizens.


Why Hackers Had Thousands of DNA Tests Delivered to Random People Over the Holidays (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sat, 19 Jan 2019 21:03:42 -0500
http://fortune.com/2019/01/17/hackers-send-dna-test-kits/

The risk? Complex scams leveraging business/marketing practices...


The Duty to Read the Unreadable

Monty Solomon <monty@roscom.com>
Sat, 26 Jan 2019 11:40:28 -0500
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3313837

Abstract

The duty to read doctrine is a well-recognized building block of U.S.
contract law.  Under this doctrine, contracting parties are held responsible
for the written terms of their contract, whether or not they actually read
them. The application of duty to read is especially interesting in the
context of consumer contracts, which consumers generally do not read.

Under U.S. law, courts routinely impose this doctrine on consumers. However,
the application of this doctrine to consumer contracts is one-sided. While
consumers are expected to read their contracts, suppliers are generally not
required to offer readable contracts. This asymmetry creates a serious
public policy challenge. Put simply, consumers might be expected to read
contracts that are, in fact, rather unreadable. This, in turn, undermines
market efficiency and raises fairness concerns.

Numerous scholars have suggested that consumer contracts are indeed written
in a way that dissuades consumers from reading them. This Article aims to
empirically test whether this concern is justified. The Article focuses on
the readability of an important and prevalent type of consumer agreements:
the sign-in-wrap contract. Such contracts, which have already been the focal
point of many legal battles, are routinely accepted by consumers when
signing up for popular websites such as Facebook, Amazon, Uber, and Airbnb.

The Article applies well-established linguistic readability tests to the 500
most popular websites in the U.S. that use sign-in-wrap agreements. We find,
among other things, that effectively reading these agreements requires, on
average, more than 14.5 years of education. This result is troubling, given
that the majority of U.S. adults read at an 8th-grade level. These empirical
findings hence have significant implications for the design of consumer
contract law.


Amazon software works best on white men, study says (WashPost)

Monty Solomon <monty@roscom.com>
Sun, 27 Jan 2019 23:31:33 -0500
The new research is raising concerns about how biased results could tarnish
the artificial-intelligence technology's exploding use by police and in
public venues, including airports and schools.

https://www.washingtonpost.com/technology/2019/01/25/amazon-facial-identification-software-used-by-police-falls-short-tests-accuracy-bias-new-research-finds/


Risks of Deepfake videos

geoff goodfellow <geoff@iconia.com>
Sun, 27 Jan 2019 20:14:31 -1000
EXCERPTS:

If you see a video of a politician speaking words he never would utter, or
a Hollywood star improbably appearing in a cheap adult movie, don't adjust
your television set—you may just be witnessing the future of "fake news."

"Deepfake" videos that manipulate reality are becoming more sophisticated
due to advances in artificial intelligence, creating the potential for new
kinds of misinformation with devastating consequences.  As the technology
advances, worries are growing about how deepfakes can be used for nefarious
purposes by hackers or state actors.

"We're not quite to the stage where we are seeing deepfakes weaponized, but
that moment is coming," Robert Chesney, a University of Texas law professor
who has researched the topic, told AFP.  Chesney argues that deepfakes could
add to the current turmoil over disinformation and influence operations.  "A
well-timed and thoughtfully scripted deepfake or series of deepfakes could
tip an election, spark violence in a city primed for civil unrest, bolster
insurgent narratives about an enemy's supposed atrocities, or exacerbate
political divisions in a society," Chesney and University of Maryland
professor Danielle Citron said in a blog post for the Council on Foreign
Relations.

[Photo caption: Digital manipulation may be good for Hollywood but new
"deepfake" techniques could create a new kind of misinformation, according to
researchers.]

Paul Scharre, a senior fellow at the Center for a New American Security, a
think tank specializing in AI and security issues, said it was almost
inevitable that deepfakes would be used in upcoming elections.

A fake video could be deployed to smear a candidate, Scharre said, or to
enable people to deny actual events captured on authentic video.
With believable fake videos in circulation, he added, "people can choose to
believe whatever version or narrative that they want, and that's a real
concern." [...]
https://www.afp.com/en/news/717/misinformation-woes-could-multiply-deepfake-videos-doc-1cn3in2


Here's how you can stay clear of online scams (CNET)

Gabe Goldberg <gabe@gabegold.com>
Thu, 17 Jan 2019 14:51:21 -0500
  [Scammers everywhere]

CNET Magazine: Don't get fooled like he was.

The story doesn't end here, because Hal said he never had an eBay
account. It turns out, he'd been scammed too. In his case, it was by an
online "girlfriend" he'd never met, not even through video chats. Hal was
the unwitting victim of a well-known scheme to dupe people into forwarding
items bought in their name outside the country.

https://www.cnet.com/news/heres-how-you-can-stay-clear-of-online-scams/

Scammers are creative. Of course, old scams still work too—I just heard
that friend-of-friend fell for "grandson kidnapped" routine—had never
heard of it.  Was told to wrap $2000/$3000 in separate bundles, send via
FedEx, did.  Fortunately, her son—a cop!—was able to intercept the
package.


Data Broker That Sold Phone Locations Used by Bounty Hunters Lobbied FCC to Scrap User Consent - Motherboard

Gabe Goldberg <gabe@gabegold.com>
Sun, 27 Jan 2019 16:09:12 -0500
Zumigo, which sold the location data of American cell phone users, wanted
the FCC to remove requirements around user consent.

Another slide adds, "We strongly believe that if consumers understood the
vulnerabilities they face, and their carrier's ability to help prevent it,
they would want the carrier data to be shared in order to keep them safe."

https://motherboard.vice.com/en_us/article/vbwgw8/zumigo-phone-location-data-sold-lobbied-fcc-consent

For our own good, yes.


Researchers discover state actor's mobile malware efforts because of YOLO OPSEC (Ars Technica)

geoff goodfellow <geoff@iconia.com>
Tue, 22 Jan 2019 09:36:54 -1000
*Ran malware on own phones as test, uploading all their WhatsApp messages,
other data.*

At the Shmoocon security conference here on January 19, two researchers from
the mobile security provider Lookout revealed the first details of a mobile
surveillance effort run by a yet-to-be-named state intelligence agency that
they had discovered by exploring the command-and-control infrastructure
behind a novel piece of mobile malware.

In the process of exploring the malware's infrastructure, Lookout
researchers found iOS, Android, and Windows versions of the malware, as well
as data uploaded from a targeted phone's WhatsApp data. That phone turned
out to be one that belonged to one of the state-backed surveillance efforts
-- and the WhatsApp messages and other data found on the server provided a
nearly full contact list for the actors and details of their interactions
with commercial hacking companies and eventual decision to build their own
malware.  [...]

https://arstechnica.com/information-technology/2019/01/researchers-discover-state-actors-mobile-malware-efforts-because-of-yolo-opsec/


1000 Vulnerable Cranes

Henry Baker <hbaker1@pipeline.com>
Fri, 18 Jan 2019 07:11:41 -0800
It's easier to RF hack an industrial crane than to hack a garage door
opener.  $40-60 of RF parts gives you control.

Recommendation: off-the-shelf open source protocols rather than proprietary
roll-your-own "security through obscurity" protocols.  But you already knew
that.

Here are some selected paragraphs from a recent report.

https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-radio-remote-controllers.pdf

A Security Analysis of Radio Remote Controllers for Industrial Applications

Our research shows that there is a discrepancy between the consumer and
industrial worlds.  In the consumer world, the perceived risks have pushed
the vendors to find reasonably secure, albeit imperfect, solutions such as
rolling codes.  In the industrial world, where the assets at risk are much
more valuable than a fancy house or car, there seems to be less awareness.

By exploiting various vulnerabilities that we discovered, we were able to
move full-sized cranes deployed in production at construction sites,
factories, and transportation businesses.  In all of the cases, we were able
to confirm and run the attacks very quickly.  In each of the cases, we were
able to switch on the controlled industrial machine even after the operator
had issued an e-stop, which put the machine in a "stop" state.

Apart from leaked schematics, the only available "technical" documentation
is limited to user manuals, and we are unaware of any public research about
the digital security risks in this space.  We hope that our findings will
inspire the RF- and hardware-hacking communities to continue looking at
these protocols, and to encourage vendors to focus on open, standard RF
protocols.

In conclusion, given that the kind of machinery these remote controllers are
managing can be dangerous if hijacked or disabled, manufacturers need to
start thinking about moving to stronger open-source protocols rather than
relying on security through obscurity.  It could be challenging to balance
the almost real-time requirements and secure RF transmission, but the
hardware technology is there, ready to be used.
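As an added illustration (not from the Trend Micro report or from Henry Baker's
posting) of the difference the report draws between fixed-code and rolling-code
receivers, the following Python models a remote-controller command frame
protected by a per-device key, a monotonic counter and a truncated HMAC, and
compares it with a receiver that obeys any well-formed frame. The device id,
key, frame layout and command codes are constructed for the demo and are not
any vendor's format; the point shown is that a re-used copy of an earlier START
frame cannot restart a machine that the operator has e-stopped once the
receiver checks counter freshness and a MAC, which is exactly what a rolling
code is meant to prevent.

```python
import hmac
import hashlib
import struct

# Constructed demo key: a real controller would pair a per-device key at provisioning time.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_DEVICE_ID = 0x1234   # constructed transmitter id
TAG_LEN = 8               # truncated HMAC-SHA256 tag, in bytes
COUNTER_WINDOW = 64       # how far ahead of the last accepted counter a frame may jump (lost frames)

# Constructed command codes for the demo
CMD_START = 0x01
CMD_STOP = 0x02
CMD_ESTOP = 0xFF

HEADER_FMT = ">IIB"        # device id (4), counter (4), command (1)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def build_frame(key: bytes, device_id: int, counter: int, cmd: int) -> bytes:
    """Transmitter side: header followed by a MAC over the whole header."""
    body = struct.pack(HEADER_FMT, device_id, counter, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def _apply(cmd: int, state: str) -> str:
    """Machine state transitions used by both receivers (deliberately simplistic)."""
    return {CMD_START: "running", CMD_STOP: "stopped", CMD_ESTOP: "estopped"}.get(cmd, state)


class FixedCodeReceiver:
    """Models a fixed-code protocol: any frame carrying a known device id is obeyed,
    so the counter and tag are ignored and a captured frame works again later."""

    def __init__(self, device_id: int):
        self.device_id = device_id
        self.state = "stopped"

    def handle(self, frame: bytes) -> str:
        device_id, _counter, cmd = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
        if device_id != self.device_id:
            return "reject:unknown_device"
        self.state = _apply(cmd, self.state)
        return "accept"


class RollingCodeReceiver:
    """Models a rolling-code protocol: the tag must verify under the shared key and the
    counter must be strictly newer than the last accepted one (within a resync window)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}   # device_id -> highest accepted counter
        self.state = "stopped"

    def handle(self, frame: bytes) -> str:
        if len(frame) != HEADER_LEN + TAG_LEN:
            return "reject:length"
        body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):      # constant-time compare
            return "reject:bad_tag"
        device_id, counter, cmd = struct.unpack(HEADER_FMT, body)
        last = self.last_counter.get(device_id, -1)
        if counter <= last:
            return "reject:replay"                      # old or repeated frame
        if counter - last > COUNTER_WINDOW:
            return "reject:out_of_window"               # too far ahead: force re-pairing
        self.last_counter[device_id] = counter
        self.state = _apply(cmd, self.state)
        return "accept"


def replay_scenario() -> dict:
    """Operator sends START then E-STOP; a copy of the earlier START frame is then fed
    to both receivers, followed by a tampered frame and two counter-gap frames."""
    start = build_frame(DEMO_KEY, DEMO_DEVICE_ID, 1, CMD_START)
    estop = build_frame(DEMO_KEY, DEMO_DEVICE_ID, 2, CMD_ESTOP)
    results = {}

    fixed = FixedCodeReceiver(DEMO_DEVICE_ID)
    fixed.handle(start)
    fixed.handle(estop)
    fixed.handle(start)                                  # the old frame restarts the machine
    results["fixed_state_after_replay"] = fixed.state

    rolling = RollingCodeReceiver(DEMO_KEY)
    rolling.handle(start)
    rolling.handle(estop)
    results["rolling_replay_result"] = rolling.handle(start)
    results["rolling_state_after_replay"] = rolling.state

    # A frame whose command byte was altered after signing fails the tag check.
    tampered = bytearray(build_frame(DEMO_KEY, DEMO_DEVICE_ID, 3, CMD_STOP))
    tampered[HEADER_LEN - 1] = CMD_START
    results["rolling_tampered_result"] = rolling.handle(bytes(tampered))

    # A modest counter gap (lost frames) is tolerated; a huge one is not.
    results["rolling_small_gap_result"] = rolling.handle(build_frame(DEMO_KEY, DEMO_DEVICE_ID, 10, CMD_STOP))
    results["rolling_large_gap_result"] = rolling.handle(build_frame(DEMO_KEY, DEMO_DEVICE_ID, 200, CMD_STOP))
    return results


if __name__ == "__main__":
    for k, v in replay_scenario().items():
        print(f"{k}: {v}")
```

The two receivers deliberately share the state machine, so the only difference
in outcome comes from the freshness and integrity checks. The resync window
exists because radio frames get lost; without it a transmitter that had a few
unheard button presses would be locked out, which is the usability problem
that tempts vendors into skipping the counter altogether.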


When your landlord installs smart locks

José María Mateos <chema@rinzewind.org>
Thu, 24 Jan 2019 10:30:42 -0500
I don't particularly like to use Twitter threads as sources (all of them
will go away when Twitter (hopefully soon) implodes), but this is quite on
point:

https://twitter.com/hacks4pancakes/status/1086000837615382529


Hundreds of popular cars at risk from key compromise

Richard Stein <rmstein@ieee.org>
Mon, 28 Jan 2019 12:37:26 +0800
https://www.bbc.com/news/business-47023003

New cars are more secure than ever, and the latest technology has helped
bring down theft dramatically with, on average, less than 0.3% of the cars
on our roads stolen.  Criminals will always look for new ways to steal cars;
it's an ongoing battle and why manufacturers continue to invest billions in
ever more sophisticated security features—ahead of any regulation.
However, technology can only do so much and we continue to call for action
to stop the open sale of equipment with no legal purpose that helps
criminals steal cars.

Prohibition didn't work for booze; why should it be expected to succeed for
{RFID, WiFi, or Bluetooth}-enabled vehicle heists?

https://www.statista.com/statistics/859950/vehicles-in-operation-by-quarter-united-states/
estimates that ~263M vehicles were in operation during the 1st quarter of
2017. This implies, assuming they are equally vulnerable to RFID/Bluetooth
access theft: ~789K thefts.

https://ucr.fbi.gov/crime-in-the-u.s/2017/preliminary-report/cius-2017-preliminary-excel-tables.zip
shows that for the 6 month period, an estimated 289K vehicle thefts were
reported within the 50 US states with cities of 100K people or greater; a
vehicle theft each 50 seconds or so.


Coming Soon to a Police Station Near You: The DNA 'Magic Box' (NYT)

geoff goodfellow <geoff@iconia.com>
Mon, 21 Jan 2019 09:21:08 -1000
*With Rapid DNA machines, genetic fingerprinting could become as routine as
the old-fashioned kind. But forensic experts see a potential for misuse.*

... many legal experts and scientists are troubled by the way the technology
is being used. As police agencies build out their local DNA databases, they
are collecting DNA not only from people who have been charged with major
crimes but also, increasingly, from people who are merely deemed suspicious,
permanently linking their genetic identities to criminal databases. [...]

If the Rapid DNA system has flaws, now is the moment to address them, many
experts argue. Peter Stout, president of the Houston Forensic Science
Center, was left with concerns after completing a Rapid DNA pilot program
with the Houston Police Department last February.  "We need fast and cheap.
It also needs to be right."

https://www.nytimes.com/2019/01/21/science/dna-crime-gene-technology.html


An IoT security mailing list

José María Mateos <chema@rinzewind.org>
Fri, 25 Jan 2019 09:56:31 -0500
I think regular RISKS readers might be interested in a new mailing list
devoted to IoT security:
http://www.firemountain.net/mailman/listinfo/dumpsterfire

Initial message and administrivia:
http://www.firemountain.net/pipermail/dumpsterfire/2019-January/000000.html


Japan to regulate foreign companies use of e-mail content

Mark Thorson <eee@dialup4less.com>
Sat, 19 Jan 2019 16:32:11 -0800
It's already illegal for domestic companies to use the content of users'
e-mail.  Government is now planning to apply this to foreign companies like
Google and Facebook.  Almost makes me want to move to Japan.

http://the-japan-news.com/news/article/0005488933


Facebook "real names" policy forces you to sign up with a fake name

Neil Youngman <neil.youngman@youngman.org.uk>
Sun, 27 Jan 2019 11:16:26 +0000
RISKS readers are familiar with Facebook's Orwellian "real names" policy. I
didn't realise how poor the implementation is. I only discovered when my
daughter wanted to sign up that it's so bad that many people will be forced
to sign up with a fake name to get around it.

When my daughter wanted to sign up, Facebook decided that it didn't like her
name. The help pages are pretty useless and there is no real indication of
why. You have to guess why the name is rejected, but the solution appears to
be to go through the name verification process. The "clever" bit is that
there seems to be no way to start the name verification process until you
create an account, so you have to make up a name that it will accept and use
that to create the account.

At this point I'm guessing that a lot of people don't bother to verify their
real name and continue with the fake name. I can think of at least 2 of my
Facebook friends using names that aren't "the name they go by in everyday
life" (https://www.facebook.com/help/112146705538576), a good guess being
that it's either not worth the effort of verifying their real name, or that
their official documents use a different form of their name to the one they
normally use in real life.

As currently implemented the policy seems to prevent you signing up with an
unusual name, but pretty much anybody can sign up as Paul Smith with no
checks.


Reaction to the #10YearChallenge circulating on Facebook: Nope.

Gabe Goldberg <gabe@gabegold.com>
Sat, 19 Jan 2019 20:59:00 -0500
He writes:

Perhaps I am a curmudgeon. In my view, the meme, which prompts people to
post before-and-after photos of themselves on Facebook
<https://click.email.fortune.com/?qs=449fa3686574c81be466f38d7c0cebbbe083520f6bf4d366ddb2482a4d929c0691638fbad4d87d593874c9eaaa6ffeb4c09fa97b64b0f52e>
Instagram, and other social media sites, is no better than a data-siphoning
social engineering attempt. The viral campaign exploits our vanity,
encouraging us to surrender images of ourselves from a decade ago. People
just happen to be packaging the chronology of their physiognomy in a usable
format for machines to parse.

https://view.email.fortune.com/?qs=0201bad8c93739fd5962676018096aced0f8602d66109218173392a5b675b1535d006a5a5b019814f916959e973fb36f41b44d801423e04d1e0e6b4a4119a8d65899f9866c6d8e60

The risk? Willingly feeding the beast.


How Reserved Storage Works in the Next Version of Windows 10

Gabe Goldberg <gabe@gabegold.com>
Sat, 26 Jan 2019 22:32:11 -0500
In a blog post, Microsoft stated that Reserved Storage will be available
only on devices that come with Windows 10 19H1 (version 1903) pre-installed
or those where 1903 was clean installed.  Those who upgrade to the next
version will not utilize this feature.

Problems with the current update process

In Windows 10 October 2018 Update or older, if a user begins to run out of
storage space, Windows may not run smoothly and many apps may not work as
expected. Even worse, Microsoft has had a rough track record recently when
it comes to updates and those who have no free space may not be able to
install updates correctly.

https://www.bleepingcomputer.com/news/microsoft/how-reserved-storage-works-in-the-next-version-of-windows-10/

It took 10 versions to notice?


Security, Compliance Add-Ons Offered to Microsoft 365 Users

Gabe Goldberg <gabe@gabegold.com>
Thu, 24 Jan 2019 00:36:12 -0500
Two new security and compliance packages are available at extra cost to
protect enterprise Microsoft 365 users from wider threats.

https://www.eweek.com/enterprise-apps/microsoft-bolstering-security-compliance-with-microsoft-365-add-ons


US Patent for Drone delivery of coffee based on a cognitive state of an individual Patent

Gabe Goldberg <gabe@gabegold.com>
Sun, 20 Jan 2019 16:51:01 -0500
(Patent # 10,040,551 issued August 7, 2018) - Justia Patents Search

Coffee or other drink, for example a caffeine containing drink, is delivered
to individuals that would like the drink, or who have a predetermined
cognitive state, using an unmanned aerial vehicle (UAV)/drone. The drink is
connected to the UAV, and the UAV flies to an area including people, and
uses sensors to scan the people for an individual who has gestured that they
would like the drink, or for whom an electronic analysis of sensor data
indicates to be in a predetermined cognitive state. The UAV then flies to
the individual to deliver the drink. The analysis can include profile data
of people, including electronic calendar data, which can be used to
determine a potentially predetermined cognitive state.

https://patents.justia.com/patent/10040551
https://www.inc.com/geoffrey-james/the-best-invention-of-2018-is-ibm-coffee-drone.html (note graphics)
https://www.popularmechanics.com/flight/drones/a22813997/ibm-patent-coffee-delivery-drone/

...so this is how IBM wins the patents battle every year.


Did Australia Hurt Phone Security Around the World? (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Thu, 24 Jan 2019 00:28:07 -0500
But politicians said the risk of encryption technology's being used by
terrorists was too significant. Prime Minister Malcolm Turnbull of Australia
said in July, "The laws of mathematics are very commendable, but the only
law that applies in Australia is the law of Australia."

https://www.nytimes.com/2019/01/22/technology/australia-cellphone-encryption-security.html


Location-Based Little Brothers

Henry Baker <hbaker1@pipeline.com>
Wed, 23 Jan 2019 07:53:53 -0800
A Chinese WeChat app displays the people in your vicinity who are in debt.

Given the data publicly available (or via Facebook/Google/Twitter API's),
consider the endless possibilities for future apps:

* Find My Credit Scores - notifies you of the credit scores of those around
you (thanks, Experian!!)

* Find My Sugar Daddy / Find My Gold Digger - notifies you of the financial
capacity of the people around you

* Find My Real Daddy - utilizing 23&me DNA data, notifies you of genetic
relationships of the people around you

* Find My Sex Offender - notifies you if a registered sex offender is nearby

* Find My Felon - notifies you of the arrest history of those around you and
pulls up mugshots

* Find My Ex's - notifies you if a previous lover is nearby

* Find MeToo - notifies you if someone nearby was blacklisted as an
*alleged* sexual harasser by someone

* Find My Pwned - notifies you if someone nearby has been pwned and provides
password(s)

* Find My Echo Chamber - identifies the political party registration of
those nearby

* Find My Immigrant - check the E-Verify status of those nearby

* Improve My Gaydar - obvious

Once these apps surface, you'll probably never leave your house again!

http://www.chinadaily.com.cn/a/201901/16/WS5c3edfb8a3106c65c34e4d75.html

Hebei court unveils program to expose deadbeat debtors
Zhang Yu in Shijiazhuang, chinadaily.com.cn, 16 Jan 2019:

Deadbeat debtors in North China's Hebei province will find it more difficult
to abscond as the Higher People's Court of Hebei on Monday introduced a
mini-program on WeChat targeting them.

Called "a map of deadbeat debtors", the program allows users to find out
whether there are any debtors within 500 meters.

The debtor's information is available to check in the program, making it
easier for people to whistle-blow on debtors capable of paying their debts.

"It's a part of our measures to enforce our rulings and create a socially
credible environment," said a spokesman of the court.


How We Destroy Lives Today (NYTimes)

Monty Solomon <monty@roscom.com>
Wed, 23 Jan 2019 07:48:10 -0500
https://www.nytimes.com/2019/01/21/opinion/covington-march-for-life.html

Will the Covington Catholic High School fiasco change social media?


Covington and the Pundit Apocalypse (NYTimes)

Monty Solomon <monty@roscom.com>
Wed, 23 Jan 2019 07:53:00 -0500
https://www.nytimes.com/2019/01/22/opinion/covington-teenagers-twitter.html

Our hasty condemnation of these teenagers reveals the cold truth about hot
takes.


Re: A Simple Bug Makes It Easy to Spoof Google Search Results into Spreading Misinformation (RISKS-31.03)

Vint Cerf <vint@google.com>
Sun, Jan 20, 2019 at 3:27 PM
Bug has been fixed.


Re: How three rude iPhone users ruined an evening (Wirchenko, RISKS-31.03)

Henry Baker <hbaker1@pipeline.com>
Thu, 17 Jan 2019 12:25:03 -0800
Thank Apple for removing the jack from their iPhones.

I carry around a lot of <$5 earbuds for my own use on airplanes & my digital
audio player, so I'm happy to donate them to someone to listen privately.

Cheap headphones for modern USB and Bluetooth never materialized, so I'm not
about to carry around $100 earbuds to donate.


Cyber Security Hall of Fame Nominations now open

Gene Spafford <spaf@purdue.edu>
Thu, 24 Jan 2019 09:28:05 -0500
The Cyber Security Hall of Fame was on hiatus while stable funding was
secured.  That has happened, and nominations are open for the class of 2019.

  [Stable funding?  Who's horsing around here while there is always room for
  more in the ever-growing stable of honorees?  PGN]

Current honorees are listed at http://www.cybersecurityhalloffame.com

Help by nominating qualified candidates!  See http://bit.ly/CSHOFNom for
details of nominations.

Help spread the word.
