The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 48

Monday 25 November 2019

Contents

Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai
MIT Technology Review
GPS is easy to hack, and the US has no backup
Scientific American
European Council approves plans to make new car safety features mandatory
INews
Non-urgent alarms are drowning out real ones in hospitals
WashPost
Internet world despairs as non-profit .org sold for $$$$ to private equity firm, price caps axed
The Register
How Dumb Design of a WWII Plane Led to the Macintosh
WiReD
Accidental evacuation warning
Peter H. Gregory
6 Tips for Windows 7 End of Life and Support (MakeUseOf)
MakeUseOf
Microsoft restores services after it experienced a large global outage across numerous platforms
Business Insider
Someone Got Access to Their Secret Consumer Score. Now You Can Get Yours, Too.
NYTimes
Could Salesforce Blockchain Cut Cancer Drug Development Costs in Half?
Fortune
China is Pushing Toward Global Blockchain Dominance
WiReD
Burglars Really Do Use Bluetooth Scanners to Find Laptops and Phones
WiReD
Disruption Mitigation Systems for Fusion Demonstration at ITER
Richard Stein
Law enforcement can plunder DNA profile database, judge rules
ZDNet
How to Opt Out of the Sites That Sell Your Personal Data
WiReD
Privacy not included
Mozilla
146 New Vulnerabilities All Come Preinstalled on Android Phones
WiReD
Uber safety push includes plans to start audio recording rides in the U.S.
WashPost
Nikki Haley Used System for Unclassified Material to Send `Confidential' Information
The Daily Beast
Official Monero website is hacked to deliver currency-stealing malware
Ars Technica
UK Conservative Party Scolded for Rebranding Twitter Account
NYTimes
AI future or follies?
Fortune magazine email
The Downside of Tech Hype
Scientific American
Best Buy Made These Smart Home Gadgets Dumb Again
WiReD
Officials Warn of "Juice Jacking" Scams at USB Charging Stations
LA County
Artificial Intelligence Discovers Tool Use in Hide-and-Seek Games
Quanta Magazine
After False Drug Test, He Was in Solitary Confinement for 120 Days (NYTimes)
NYTimes
NoiseAware - proprietary algorithm for noise detection in rental properties
The Verge
A hypothesis on the immediate future of audio scams
CBC
How to prevent a data breach, lessons learned from the infosec vendors themselves
Web Informant
Iowa hired cyberhackers, then arrested them
TechSpot
Mastercard vs. mistakes and fraud
Fortune
As 5G Rolls Out, Troubling New Security Flaws Emerge
WiReD
Re: The rise of microchipping: are we ready for technology to get under the skin?
Amos Shapir
Re: What happens if your mind lives for ever on the Internet?
John R. Levine
Info on RISKS (comp.risks)

Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai (MIT Technology Review)

Gabe Goldberg <gabe@gabegold.com>
Mon, 18 Nov 2019 17:21:43 -0500
A sophisticated new electronic warfare system is being used at the world's
busiest port. But is it sand thieves or the Chinese state behind it?  Now,
new research and previously unseen data show that the Manukai, and thousands
of other vessels in Shanghai over the last year, are falling victim to a
mysterious new weapon that is able to spoof GPS systems in a way never seen
before.

Nobody knows who is behind this spoofing, or what its ultimate purpose might
be. These ships could be unwilling test subjects for a sophisticated
electronic warfare system, or collateral damage in a conflict between
environmental criminals and the Chinese state that has already claimed
dozens of ships and lives. But one thing is for certain: there is an
invisible electronic war over the future of navigation in Shanghai, and GPS
is losing. ...

https://www.technologyreview.com/s/614689/ghost-ships-crop-circles-and-soft-gold-a-gps-mystery-in-shanghai/


GPS is easy to hack, and the US has no backup (Scientific American)

Richard Stein <rmstein@ieee.org>
Wed, 20 Nov 2019 13:47:14 +0800
https://www.scientificamerican.com/magazine/sa/2019/12-01/

Old news for this forum. See
http://catless.ncl.ac.uk/Risks/30/58#subj2.1 for instance. Search on
'gps spoof' or 'gps hack'.

The 1st and 2nd paragraphs of this piece are noteworthy for public flight
safety:

"On August 5, 2016, Cathay Pacific Flight 905 from Hong Kong was heading for
an on-time arrival at Manila's Ninoy Aquino International Airport when
something unexpected occurred. The pilots radioed air traffic controllers
and said they had lost GPS (Global Positioning System) guidance for the
final eight nautical miles to 'runway right-24.' Surprised, the controllers
told the pilots to land the widebody Boeing 777-300 using just their own
eyes. The crew members pulled it off, but they were anxious the whole way
in. Fortunately, skies were mostly clear that day.

"The incident was not isolated. In July and August of that year, the
International Civil Aviation Organization received more than 50 reports of
GPS interference at the Manila airport alone. In some cases, pilots had to
immediately speed up the plane and loop around the airport to try landing
again. That kind of scramble can cause a crew to lose control of an
aircraft. In a safety advisory issued this past April, the organization
wrote that aviation is now dependent on uninterrupted access to satellite
positioning, navigation and timing services and that vulnerabilities and
threats to these systems are increasing."

Airmanship is attributed to pilots that successfully react to abnormal
cockpit conditions, and sustain flight safety. See
https://www.nytimes.com/2019/09/18/magazine/boeing-737-max-crashes.html for
descriptions of pilots who possess and demonstrate airmanship, versus
those that regard flying as 1352 procedural steps from takeoff to landing.

That GPS is frequently spoofed or jammed or hacked, often by hostile
governments or non-state actors, is unsettling as a periodic member of the
air traveling public.

This USA Today piece from
(https://www.usatoday.com/story/travel/columnist/mcgee/2015/06/03/amtrak-rail-bus-flying-safety/28358899/)
indicates that bus travel was safest:

"Here's how the U.S. Department of Transportation ranked these modes by
fatalities in 2012:

Bus: 39
Aviation: 447
Railroad: 557
All other highway: 33,743

"Undoubtedly some readers are typing responses already—and rightfully so.
Because the story begins rather than ends with these numbers, and such
statistics are brimming with caveats, clarifications, exceptions and
asterisks. In fact, the benchmarks themselves need to be constantly
reevaluated; for example, simply calculating fatalities may not capture
other serious but non-fatal hazards."


European Council approves plans to make new car safety features mandatory (INews)

Chris Drewe <e767pmk@yahoo.co.uk>
Thu, 14 Nov 2019 22:40:46 +0000
Spotted this in a local newspaper, by Matt Allan, INews, 13 Nov 2019
<https://inews.co.uk/inews-lifestyle/cars>

Speed limiters and breathalyser tech to be fitted to all new cars from 2022

All new cars launched from 2022 will have to be equipped with speed-limiting
equipment and the wiring for in-built breathalysers following a decision by
the European Council.  The rule will make it compulsory for car makers to
fit intelligent speed assistance (ISA); wiring for in-car breathalysers;
lane-keep assistance; autonomous emergency braking; data loggers and driver
drowsiness warning systems.  The move has met with a mixed response from
safety and motoring organisations. [...]

  Looks like lots of risks, e.g. how much data is logged, and what happens
  to it?  Hygiene issues with breathalyser?  How are these features checked
  at vehicle inspections?  Could drivers be faced with legal action for
  taking circuitous routes or driving in an uneconomic style..?

  As a friend observed, the problem with all this automation in cars is that
  it's not clear who the heck is actually driving the darn thing...


Non-urgent alarms are drowning out real ones in hospitals (WashPost)

Monty Solomon <monty@roscom.com>
Sun, 24 Nov 2019 22:06:05 -0500
The safety devices are everywhere in health-care facilities, but they also
create a riot of disturbances for staff and patients.

https://www.washingtonpost.com/health/hospital-alarms-prove-a-noisy-misery-for-patients-i-feel-like-im-in-jail/2019/11/22/e4f6edc8-0554-11ea-ac12-3325d49eacaa_story.html


Internet world despairs as non-profit .org sold for $$$$ to private equity firm, price caps axed (The Register)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 22 Nov 2019 9:45:55 PST
https://www.theregister.co.uk/2019/11/20/org_registry_sale_shambles/?page=1

In a sign that ICANN is unlikely to challenge the sale of the registry—as
some have formally urged it to do—ICANN says in its statement that the
new contract requires the operator of the registry to "provide registrars
at least 30 days' advance written notice of any price increase for initial
registrations and 6 months' notice for any price increases of renewals,"
while allowing domain owners to renew a domain for as much as 10 years in
advance, "thus enabling a registrant to lock in current prices for 10 years
in advance of a pricing change."

It is debatable whether even a small number of the 10 million .org domain
holders would be aware of price increases until they are required to pay
them, or whether the ability to register a domain for 10 years is equivalent
to a 10-year price freeze.


How Dumb Design of a WWII Plane Led to the Macintosh (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 14 Nov 2019 11:21:39 -0500
We now presume that apps that reorder the entire economy should require no
instruction manual at all; some of the most advanced computers ever made now
come with only cursory instructions that say little more than "turn it on."

Using the app, you could reserve all your activities way before you boarded
the ship. And once on board, all you needed to carry was a disk the size
of a quarter; using that, any one of the 4,000 touchscreens on the ship
could beam you personalized information, such as which way you needed to go for
your next reservation. The experience recalled not just scenes from /Her/
and /Minority Report/, but computer-science manifestos from the late 1980s
that imagined a suite of gadgets that would adapt to who you are, morphing
to your needs in the moment.

Behind the curtains, in the makeshift workspace, a giant whiteboard wall was
covered with a sprawling map of all the inputs that flow into some 100
different algorithms that crunch every bit of a passenger's preference
behavior to create something called the *Personal Genome*.  If Jessica from
Dayton wanted sunscreen and a mai tai, she could order them on her phone,
and a steward would deliver them in person, anywhere across the sprawling
ship.

The server would greet Jessica by name, and maybe ask if she was excited
about her kitesurfing lesson. Over dinner, if Jessica wanted to plan an
excursion with friends, she could pull up her phone and get recommendations
based on the overlapping tastes of the people she was sitting with. If only
some people like fitness and others love history, then maybe they'll all
like a walking tour of the market at the next port.

Jessica's Personal Genome would be recalculated three times a second by 100
different algorithms using millions of data points that encompassed nearly
anything she did on the ship: How long she lingered on a recommendation for
a sightseeing tour; the options that she /didn't/ linger on at all; how long
she'd actually spent in various parts of the ship; and what's nearby at that
very moment or happening soon. If, while in her room, she had watched one of
Carnival's slickly produced travel shows and seen something about a market
tour at one of her ports of call, she'd later get a recommendation for that
exact same tour when the time was right.  "Social engagement is one of the
things being calculated, and so is the nuance of the context," one of the
executives giving me the tour said.

https://www.wired.com/story/how-dumb-design-wwii-plane-led-macintosh/

Good news about design, until...

Risks? Believing that anything high-tech is fully self-evident or
self-explanatory.  And revealing a bit too much information and thinking.


Accidental evacuation warning

"Peter H. Gregory" <peter.gregory@gmail.com>
Fri, 15 Nov 2019 14:09:59 -0600
A warning was broadcast in the Highway 99 tunnel telling drivers to get out
of their cars and evacuate the tunnel. Someone at the command center mistakenly pushed the
wrong buttons causing this alarm.  Despite the warnings, no one followed the
instructions.

https://mynorthwest.com/1598411/seattle-tunnel-accidental-alert/?roi=echo3-58101618167-53483587-16474aef43b30d442cb39e87eef9740b


6 Tips for Windows 7 End of Life and Support (MakeUseOf)

Gabe Goldberg <gabe@gabegold.com>
Fri, 15 Nov 2019 17:01:06 -0500
https://www.makeuseof.com/tag/windows-7-end-of-life-support/

No surprises here except I didn't know about:

  The end of Windows 7 support is a cause for concern for anyone running the
  fading operating system.

  However, it isn't the end of Windows 7 if you have enough money.
  Windows 7 Pro and Enterprise have the option to pay $350 to keep Windows 7
  alive for three years.

  The *Microsoft Extended Security Updates program* will run until 2023.
  The program isn't for everyone, though. Only businesses, professional
  organizations, and mission-critical computers can apply for the Extended
  Security Updates program.  When that period ends, those companies must
  have made provisions to upgrade to Windows 10 (or otherwise).

And this misstatement presumably means Microsoft programs, not all software:
The programs you use on Windows 7 will also stop receiving updates to fix
bugs and security holes.


Microsoft restores services after it experienced a large global outage across numerous platforms (Business Insider)

Monty Solomon <monty@roscom.com>
Wed, 20 Nov 2019 12:05:25 -0500
https://www.businessinsider.com/microsoft-outage-us-japan-and-australia-2019-11


Someone Got Access to Their Secret Consumer Score. Now You Can Get Yours, Too. (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Nov 2019 22:28:29 -0500
Little-known companies are amassing your data—like food orders and Airbnb
messages—and selling the analysis to clients. Here's how to get a copy of
what they have on you.

I Got Access to My Secret Consumer Score. Now You Can Get Yours, Too.
https://www.nytimes.com/2019/11/04/business/secret-consumer-score-access.html

Sigh, a while ago I requested my files from various government agencies
mentioned in a surveillance article. Nothing much found. Now there's more
work learning what these people have on me.


Could Salesforce Blockchain Cut Cancer Drug Development Costs in Half? (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Nov 2019 22:13:27 -0500

https://fortune.com/2019/11/21/ucsf-salesforce-blockchain-breast-cancer/

I was just screened, at a specialist's office, for a clinical trial. The
process was straightforward and rigorous, driven by an automated online
questionnaire a nurse completed with my answers. It included criteria for
inclusion/exclusion, and branched through questions based on my answers.

So I'm not sure what this, from the article, all means or how (apparently) magic
blockchain solves all problems:

Just how would that work out in practicality? Esserman explains that the
current clinical trial and drug development process is riddled with
uncertainty, especially when it comes to data collection and integrity.

For instance: The baseline for what qualifies as an acceptable liver
function level for a potential clinical trial participant can vary wildly
based on who did the test, where it came from, and what criteria were used
to assess the numbers. Blockchain could simultaneously universalize and
democratize that process, according to Esserman.

That's because this system could automate a process that is still, in this
digital age, reliant on flesh-and-blood humans to assess, record, and
analyze something as basic as a lab reading.

"I can see, with blockchain, what the normalized numbers are for someone
enrolling in an iSPY trial," she says, adding that data re-entry and
redundant practices can drive up the cost of a clinical trial 30% to 60%.

Blockchain could potentially provide both accountability and efficiency on
this front since everything is linked together in a documented
chain-of-custody—a practice that is surprisingly foreign to American
health care.


China is Pushing Toward Global Blockchain Dominance (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 15 Nov 2019 15:39:45 -0500
As US leaders dither, President Xi Jinping vies for the technological future
of finance.
https://www.wired.com/story/opinion-china-is-pushing-toward-global-blockchain-dominance/

The risk? Blockchain? Not blockchain?


Burglars Really Do Use Bluetooth Scanners to Find Laptops and Phones (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 19 Nov 2019 16:28:24 -0500
Bluetooth scanners are readily available and easy to use—which means that
smash-and-grab car break-in might not have been pure chance.

https://www.wired.com/story/bluetooth-scanner-car-thefts/


Disruption Mitigation Systems for Fusion Demonstration at ITER

Richard Stein <rmstein@ieee.org>
Sun, 17 Nov 2019 14:42:12 +0800
I looked up progress on the ITER (International Thermonuclear Experimental
Reactor) program, a multi-billion dollar effort that plans to demonstrate
viable and sustained fusion energy before the permanent shift to fusion
powered reactors. See ITER.org for the full story and interim progress
reports.

I happened on this summary article, "Addressing the challenge of plasma
disruptions", on the Disruption Mitigation System (DMS):
https://www.iter.org/newsline/-/2678

A portentous name. Airlines and other industries rely on disruption
MANAGEMENT systems to assist their operations during crises. For
logistics-based businesses, the scale of invocation is usually a few minutes
before emergency governance kicks in and commences protocols to sustain or
recover business continuity.

In the case of a fusion reactor, the Disruption MITIGATION System needs to
respond within ~10-20 msec according to this paper: "Requirements for
Triggering the ITER Disruption Mitigation System."
https://www.researchgate.net/publication/295829604_Requirements_for_Triggering_the_ITER_Disruption_Mitigation_System/link/56ec5fee08ae59dd41c4fc4f/download

DMS will require a hard real-time platform to successfully interact with and
monitor the plasma fusion reactor parameters that can compromise electricity
generation.

Plasmas that operate at a Q-value greater than 1 (self-sustaining nuclear
fusion reactions) generate ~15-25 million amps of electron flow, neatly
trapped by intense magnetic fields to prevent runaway electrons (RE) from
damping out the reaction. But when the REs start to negatively influence
fusion, the DMS must engage to sustain fusion or the reactor parts can
melt down into a divertor.

My short investigation on the whole DMS issue found a few more interesting
tidbits:

1) https://www.euro-fusion.org/fusion/fusion-conditions/ hosts a video of
controllable fusion parameters, made from a fusion simulation that operators
can control for practice. Homer Simpson has it easy at the Springfield
Nuclear Plant compared to this simulation video.

2) "Plasma Disruption Management in ITER," via
https://nucleus.iaea.org/sites/fusionportal/Shared Documents/FEC 2016/fec2016-preprints/preprint0314.pdf
shows estimated DMS invocation parameters based on a simulation using the
Joint European Torus as a baseline model.


Law enforcement can plunder DNA profile database, judge rules (ZDNet)

Gene Wirchenko <gene@shaw.ca>
Wed, 20 Nov 2019 09:37:46 -0800
Charlie Osborne for Zero Day, 7 Nov 2019
DNA data is available even if users opt-out in a landmark ruling that
could have serious privacy implications.
https://www.zdnet.com/article/law-enforcement-can-plunder-dna-profile-database-judge-rules/

A judge has approved a warrant for law enforcement to access the database of
DNA profiler GEDmatch, a landmark ruling which may have serious privacy
implications.

Fields, however, would like to see these databases become common
repositories of information for investigators.

"You would see hundreds and hundreds of unsolved crimes solved overnight,"
the detective told the publication. "I hope I get a case where I get to
try."


How to Opt Out of the Sites That Sell Your Personal Data (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 15 Nov 2019 16:32:49 -0500
It's much harder than it should be to get your name off of data broker and
people-search sites, but it's possible.

https://www.wired.com/story/opt-out-data-broker-sites-privacy/


Privacy not included (Mozilla)

Gabe Goldberg <gabe@gabegold.com>
Sat, 16 Nov 2019 09:56:41 -0500
Be Smart. Shop Safe.

How creepy is that smart speaker, that fitness tracker, those wireless
headphones? We created this guide to help you shop for safe, secure
connected products.

This URL shows how creepy users find these products:

https://foundation.mozilla.org/en/privacynotincluded/

Ho ho ... uh oh.


146 New Vulnerabilities All Come Preinstalled on Android Phones (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 15 Nov 2019 17:20:24 -0500
The dozens of flaws across 29 Android smartphone makers show just how
insecure the devices can be, even brand-new.

https://www.wired.com/story/146-bugs-preinstalled-android-phones/


Uber safety push includes plans to start audio recording rides in the U.S. (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Wed, 20 Nov 2019 13:44:22 -0500
https://www.washingtonpost.com/technology/2019/11/20/uber-plans-start-audio-recording-rides-us-safety/

The risk? No good deed (recording for safety) goes unpunished (violating
laws and privacy).


Nikki Haley Used System for Unclassified Material to Send `Confidential' Information (The Daily Beast)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 20 Nov 2019 14:21:02 -0700
Newly released emails suggest that in 2017 the then-ambassador lost her
password for classified communication, and so she used a different system.

Christopher Dickey
World News Editor
Updated Nov. 20, 2019 8:46AM ET / Published Nov. 20, 2019 5:01AM ET

Excerpt:

  North Korea had just tested an intercontinental ballistic missile capable
  of hitting Alaska, and the Trump administration was scrambling to
  react. But it seems Nikki Haley, Trump's ambassador to the United Nations,
  had lost her password for classified communications.

  That's why on that fraught July 4, 2017, she was typing away on her
  BlackBerry 10 smartphone, sending 'confidential' information over a system
  meant only for unclassified material.

  Haley was in a rush as she headed to her office ("On my way in"), shooting
  emails back and forth with top aides who'd been with her since she was
  governor of South Carolina. She needed to make a statement, and they were
  drafting it for her. 'Let's clean this up,' she writes after looking at
  some of the copy. 'Pretty this up for me,' she says.

  The next day we discover what the problem is with her
  communications. 'Can't find my password for the high side,' she writes.

  The stylistic suggestions and the apparent explanation for using less
  secure messages were in a trove of emails recently obtained under the
  Freedom of Information Act by the watchdog organization American
  Oversight.

https://www.thedailybeast.com/nikki-haley-used-system-for-unclassified-material-to-send-confidential-information

Also
https://arstechnica.com/information-technology/2019/11/nikki-haley-lost-her-password-so-she-sent-sensitive-info-over-unclassified-system/


Official Monero website is hacked to deliver currency-stealing malware (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 20 Nov 2019 21:00:41 -0500
https://arstechnica.com/information-technology/2019/11/official-monero-website-is-hacked-to-deliver-currency-stealing-malware/


UK Conservative Party Scolded for Rebranding Twitter Account (NYTimes)

Monty Solomon <monty@roscom.com>
Thu, 21 Nov 2019 11:14:22 -0500
https://www.nytimes.com/2019/11/20/world/europe/factcheck-uk-conservative-party.html

The temporary name change, to *factcheckUK*, was an effort to *mislead
people* during an election debate between Prime Minister Boris Johnson and
Jeremy Corbyn of Labour, Twitter said.


AI future or follies? (Fortune magazine email)

Gabe Goldberg <gabe@gabegold.com>
Sat, 16 Nov 2019 22:55:13 -0500
*OpenAI Releases Full-Scale Version of Its "Too Dangerous to Release"
Language Model.* The San Francisco-based AI research shop has released the
full-size version of its language modeling algorithm,
GPT-2, which can compose whole paragraphs of fairly-coherent text from just
a few seed words or sentences. When it unveiled the model in February, the
company said it was declining to make the most powerful version of the
software—which has 1.5 billion parameters—available to the public out
of fear it could be abused to create fake news. At the time, many in the AI
research community criticized that decision as a publicity stunt. OpenAI
says it has reversed course now because, since February, it has released
gradually more powerful versions of GPT-2 and seen little evidence of
misuse.

  1.5 billion parameters—one hopes they're not using that word for its
  common definition in programming.

  And what could go wrong with this?

Speaking of GPT-2: At Microsoft's Ignite developer conference last week, the
company showcased *how OpenAI's language model could be used to create an
auto-complete feature for lines of software code.*

Microsoft's team took the language model and trained it on the 3,000
top-rated open-source code repositories on Github. The result is a system
that suggests, as a coder types, the most likely completion of a line of
code. Microsoft says the system can be fine-tuned for a specific team of
coders by training it on their particular code base. This is just one of
several examples of AI simplifying—or sometimes even automating (see
Google's AutoML, for example)—the act of writing software. So if you thought learning to
code was a guarantee of employment in the face of relentless AI-driven
automation, think again.


The Downside of Tech Hype (Scientific American)

Richard Stein <rmstein@ieee.org>
Fri, 22 Nov 2019 10:36:16 +0800
https://blogs.scientificamerican.com/observations/the-downside-of-tech-hype/

"What can be done about rising hype? Although scientists and engineers can
have little impact on the media, those at universities can promote better
measures of success and more accuracy in their announcements, courses and
curricula. Measuring university programs by amounts of venture capital
funding attracted or numbers of start-ups created makes it easy for programs
to game the system.

"Better accuracy requires acknowledging the long development times,
explaining the reasons for them, and illuminating the process by which new
technologies became economically feasible, going beyond simplistic
distinctions between basic and applied research. The reality is that few
technologies experience the types of improvements necessary for
commercialization and excessive hype distracts decision makers from the
challenges of achieving the necessary pre-commercialization improvements."

Academic offices exaggerate technology benefits to lure funding from
commercial and government sources. Absent long-term measurements of success
for a given R&D dollar, there's no quantitative predictor of failure or
success for scientific or engineering research payoff.

No risk, no reward, like betting a few bucks at the roulette table. In a
casino, the odds of a return are fixed.

In biotechnology, the odds of a candidate substance becoming a blockbuster
drug are estimated at 1000 to 1 (see
http://blogs.einstein.yu.edu/the-high-cost-of-and-uncertain-path-to-a-blockbuster-drug/).

Regarding AI hype, see the companion piece "The Media's Coverage of AI is
Bogus"
https://blogs.scientificamerican.com/observations/the-medias-coverage-of-ai-is-bogus/.


Best Buy Made These Smart Home Gadgets Dumb Again (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 15 Nov 2019 11:16:24 -0500
Last week, a series of smart home gadgets became dumb again. On November 6,
Best Buy pulled the plug on its line of Insignia Connect products, including
a convertible freezer/fridge, two kinds of smart plugs, a smart light
switch, and a Wi-Fi-connected camera. Best Buy offered people who purchased
the gadgets partial gift cards, not full refunds.  Most of the items still
have some functionality, but are no longer equipped with the smart features
that led people to choose them in the first place. The Wi-Fi camera,
however, ceased to function altogether.

The incident is a salient reminder that when you buy an Internet-connected
device, you're betting the company behind it will continue supporting its
corresponding software in the future. That means regularly updating apps to
ensure compatibility with the latest smartphones, patching bugs, and
more. But it's impossible to tell ahead of time what brands will outlast
their competitors and which will shutter, get acquired, or pivot. One day
you wake up and your smart freezer is suddenly stupid.

https://www.wired.com/story/best-buy-smart-home-dumb/


Officials Warn of "Juice Jacking" Scams at USB Charging Stations

Gabe Goldberg <gabe@gabegold.com>
Fri, 22 Nov 2019 16:26:30 -0500
Los Angeles—Law enforcement officials in Los Angeles County are warning
cell phone users about a new scam that could infect their devices with
malware when they plug into USB charging stations at airports, hotels and
other public locations. In a scam called "juice jacking," criminals load
malware onto charging stations or cables they leave plugged in at the
stations, infecting the phones and other electronic devices of unsuspecting
users. The malware may lock a user's device or export data and passwords
directly to the scammer. "A free charge could end up draining your bank
account," said Luke Sisak, a deputy district attorney in Los Angeles
County. "Within minutes of being plugged in, the malware could lock the
device or send private information, like passwords, addresses or even a full
backup of the phone directly to the criminal." Officials are urging people
to use AC power outlets instead of USB charging stations, as well as to take
AC and car chargers when traveling and consider buying a portable charger
for emergencies.
http://da.lacounty.gov/about/inside-LADA/juice-jacking-criminals-use-public-usb-chargers-steal-data-ff


Artificial Intelligence Discovers Tool Use in Hide-and-Seek Games (Quanta Magazine)

Gabe Goldberg <gabe@gabegold.com>
Fri, 22 Nov 2019 20:11:44 -0500
After millions of games, machine learning algorithms found creative
solutions and unexpected new strategies that could transfer to the real
world.

https://www.quantamagazine.org/artificial-intelligence-discovers-tool-use-in-hide-and-seek-games-20191118/

The risk? That bots dominate world Hide-and-Seek tournaments...


After False Drug Test, He Was in Solitary Confinement for 120 Days (NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 22 Nov 2019 20:16:49 -0500
https://www.nytimes.com/2019/11/20/nyregion/prison-inmate-drug-testing-lawsuit.html

Hundreds of New York State prisoners were locked in cells, denied release or
removed from programs when tests erroneously showed they had used narcotics,
according to a lawsuit.


NoiseAware - proprietary algorithm for noise detection in rental properties (The Verge)

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Sat, 23 Nov 2019 07:15:14 -0500
  [Should this be called "Noiseware?"  PGN]

I'm staying in an Airbnb for Thanksgiving, and noticed this in the fine
print:

  "We are dedicated to protecting our guests and neighbors from bothersome
  levels of noise. In an effort to do so, this property is equipped with
  NoiseAware technology. NoiseAware is a smart home device that measures
  volume levels throughout the property and allows us to respond to noise
  nuisances without disrupting your stay. NoiseAware is privacy compliant
  and is required on this property."

So I naturally had to learn what this "privacy compliant" system is.  It
purports to be a device that will plug in and inform the property owner if
it gets too noisy, but using a proprietary algorithm that's more
sophisticated than just measuring dB level.  Of course it's proprietary, so
no one can tell how it comes to a conclusion, but if it reacts, I presume
there would be a call from the property owner - and perhaps impact my
ability to get future rentals.

There's some hint of the algorithm ("Our Noise Risk Score goes beyond the
sporadic and instantaneous measurement of a decibel, to bring you context
and deeper insight. We track not only how loud it is, but how long it is
loud for. We combine this with a number of other factors to bring you the
contextual noise risk score. Nobody wants a text every time your guest
sneezes.").  But there's no explanation of why they say it's "privacy
compliant" - is it a microphone that sends what it hears to the cloud, or
just a loudness sensor that's sending a dB score (which would be less
intrusive)?

I found one article in Verge that indicates it's truly a simple sensor, not
a microphone, so perhaps this is one of the rare cases of an IoT vendor
getting it right!  (Having said that, I'd be more comfortable if someone did
a teardown of one of the devices and verified that indeed it is just a noise
sensor, and that the lack of a microphone isn't a false claim.)

https://www.theverge.com/circuitbreaker/2018/10/29/18037604/noiseaware-gen-3-indoor-outdoor-security-microphone
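As an added illustration of the kind of scoring the marketing copy hints at (loudness combined with duration), here is a small Python sketch of a duration-weighted noise risk score over a stream of dB readings. It is not NoiseAware's proprietary algorithm, which is not public, and the thresholds, weights and sample readings are all constructed for the example. The point for the privacy question above: a score like this needs nothing but one number per second from a loudness sensor, so no audio has to leave the device.

```python
from typing import List, Tuple

# Constructed sample inputs: one dB reading per second from a loudness-only
# sensor (no audio, just a number per interval). Values are made up.
SNEEZE_DB: List[float] = [40.0] * 30 + [85.0] * 2 + [40.0] * 28      # brief spike
PARTY_DB: List[float] = [75.0] * 300                                # five loud minutes
PARTY_WITH_DIP_DB: List[float] = [75.0] * 150 + [60.0] * 3 + [75.0] * 150


def loud_runs(readings_db: List[float], threshold_db: float,
              gap_tolerance_s: int = 5) -> List[Tuple[int, float]]:
    """Split the reading stream into runs of sustained loudness.

    Returns a list of (loud_seconds, mean_excess_db) per run. A run survives
    short dips below the threshold (up to gap_tolerance_s consecutive quiet
    seconds), so a pause between songs does not reset the clock.
    """
    runs: List[Tuple[int, float]] = []
    excess: List[float] = []   # dB above threshold for each loud second in the run
    quiet = 0                  # consecutive quiet seconds inside the current run
    for db in readings_db:
        if db >= threshold_db:
            excess.append(db - threshold_db)
            quiet = 0
        elif excess:
            quiet += 1
            if quiet > gap_tolerance_s:
                runs.append((len(excess), sum(excess) / len(excess)))
                excess, quiet = [], 0
    if excess:
        runs.append((len(excess), sum(excess) / len(excess)))
    return runs


def noise_risk_score(readings_db: List[float], threshold_db: float = 70.0,
                     min_duration_s: int = 30, max_duration_s: int = 600,
                     gap_tolerance_s: int = 5) -> int:
    """Return a 0..100 risk score (assumed scale) from loudness and duration.

    Runs shorter than min_duration_s are ignored entirely (a sneeze, a slammed
    door). Longer runs contribute their duration, weighted up by how far above
    the threshold they sit; max_duration_s of loudness at the threshold is 100.
    """
    weighted_seconds = 0.0
    for length_s, mean_excess in loud_runs(readings_db, threshold_db, gap_tolerance_s):
        if length_s < min_duration_s:
            continue
        weighted_seconds += length_s * (1.0 + mean_excess / 10.0)
    return min(100, int(round(100.0 * weighted_seconds / max_duration_s)))


def should_alert(score: int, alert_at: int = 60) -> bool:
    """Hypothetical host-notification rule: text the host only above alert_at."""
    return score >= alert_at


if __name__ == "__main__":
    for name, sample in (("sneeze", SNEEZE_DB), ("party", PARTY_DB),
                         ("party with dip", PARTY_WITH_DIP_DB)):
        s = noise_risk_score(sample)
        print(f"{name:15s} score={s:3d} alert={should_alert(s)}")
```

The two-second spike in the first sample never reaches the score at all, which is the behaviour the vendor's "nobody wants a text every time your guest sneezes" line describes; the sustained sample does, and a short dip in the middle does not reset it. None of this, of course, tells a guest whether the real device also carries a microphone, which is exactly the teardown question raised above.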


A hypothesis on the immediate future of audio scams (CBC)

José María Mateos <chema@rinzewind.org>
Sun, 24 Nov 2019 11:41:14 -0500
My landlady sent me the other day this news article:

https://www.cbc.ca/news/canada/edmonton/can-you-hear-me-phone-scam-warning-bbb-1.3970312

Excerpt:

  From encrypted passwords to padlocked doors, Canadians will go to extreme
  lengths to avoid scammers.

  Now it may not be safe to pick up the phone.

  A new scam relies on your voice to answer a simple question: "Can you hear
  me now?" The scammers try to bait callers into answering "yes."

  Anti-fraud agencies say that simple acknowledgment can be used to make it
  sound as if you signed on for a purchase or service.  "They're trying to
  get a recording of you saying *yes*," said Ron Mycholuk, a spokesman with
  the Better Business Bureau of Central and Northern Alberta.  "They're going
  to take that recorded *yes*, play around with that audio and make it seem to
  you, or a representative of a business, that you have paid for some
  advertising, a cruise or a big ticket item, and send you the bill."

At this point I don't pick up the phone if I don't recognize the number.
Voicemail is quite useful and I can always call back if the message is not
spam, which rarely happens.

However, I then remembered this other piece of news (which, incidentally, I
haven't been able to find on the RISKS archive, but I'd be surprised if it
hasn't been sent before):
https://www.zdnet.com/article/forget-email-scammers-use-ceo-voice-deepfakes-to-con-workers-into-wiring-cash/

Excerpt:

  Criminals are using AI-generated audio to impersonate a CEO's voice and con
  subordinates into transferring funds to a scammer's account.  So-called
  deepfake voice attacks could be the next frontier in a scam that's cost US
  businesses almost $2bn over the past two years using fraudulent email.

  *The Wall Street Journal* reports that the CEO of an unnamed UK-based energy
  company thought he was talking on the phone with his boss, the CEO of the
  German parent company, who'd asked him to urgently transfer [the equivalent
  of] $243,000 to a Hungarian supplier.

  However, the UK CEO was in fact taking instructions from a scammer who'd
  used AI-powered voice technology to impersonate the German CEO. It's the
  voice equivalent of deepfake videos that are causing alarm for their
  potential to manipulate public opinion and cause social discord.

So of course at this point one would expect that the first scam (the method)
and the second one (the technology) are a match made in heaven.  Let's see
if that starts happening. I'm betting on "sure, what else is to expect".


How to prevent a data breach, lessons learned from the infosec vendors themselves (Web Informant)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Nov 2019 22:03:05 -0500
https://blog.strom.com/wp/?p=7456


Someone Got Access to Their Secret Consumer Score. Now You Can Get Yours, Too. (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Nov 2019 22:28:29 -0500
Little-known companies are amassing your data—like food orders and
Airbnb messages—and selling the analysis to clients. Here's how to
get a copy of what they have on you.

I Got Access to My Secret Consumer Score. Now You Can Get Yours, Too.
https://www.nytimes.com/2019/11/04/business/secret-consumer-score-access.html

Sigh, a while ago I requested my files from various government agencies
mentioned in a surveillance article. Nothing much found. Now there's more
work learning what these people have on me.


Iowa hired cyberhackers, then arrested them (TechSpot)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 13 Nov 2019 11:20:00 PST
https://www.techspot.com/news/82740-iowa-hired-cybersecurity-firm-do-penetration-testing-arrested.html


Mastercard vs. mistakes and fraud (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sat, 16 Nov 2019 23:02:06 -0500
The AI profiles of lots of other companies are starting to look more like
Amazon's.  Case in point: Mastercard. Ajay Bhalla, who heads cyber and
intelligence solutions for the payments company, told me it has used AI to
cut in half the number of times a customer has their credit card transaction
erroneously declined, while at the same time reducing fraudulent
transactions by about 40%.

Mastercard has also used predictive analytics to spot cyberattacks
<https://click.newsletters.fortune.com/?qs=dbd9314600a712630e23a5418eacc48e1536514d7dbfffe4f219611063d6d67fb034c62e813981dd59682d0fb76c03606d9ed2e8b28103db>
and waves of fraudulent activity by organized crime groups. Bhalla says this
has helped its customers avoid some $7.5 billion worth of damage from cyber
attacks in just the past 10 months. And, he says, Mastercard is now using
AI-based software across every section of the company, from human resources
to finance to marketing.


As 5G Rolls Out, Troubling New Security Flaws Emerge (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 16 Nov 2019 23:02:46 -0500
https://www.wired.com/story/5g-vulnerabilities-downgrade-attacks/


Re: The rise of microchipping: are we ready for technology to get under the skin? (RISKS-31.47)

Amos Shapir <amos083@gmail.com>
Wed, 13 Nov 2019 16:52:12 +0200
Technically, the machines which read the ID chips do not care whether the
chip is embedded in a card or implanted under the customer's skin.

The difference is that implantation is like branding: The decision whether
to carry an ID chip is transferred from the people themselves to their
owner ^H^H^H^H employer.


Re: What happens if your mind lives for ever on the Internet? (RISKS-31.47)

"John R. Levine" <johnl@iecc.com>
13 Nov 2019 11:16:22 -0500
>> It may be some way off, but mind uploading, the digital duplication of your
>> mental essence, could expand human experience into a virtual afterlife.

For another take on this very topic from June of this year, see:

  http://wondermark.com/c1485/

It's five pages, click the Next arrow at the right.
