The RISKS Digest
Volume 32 Issue 39

Friday, 4th December 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Keyhole wasps may threaten aviation safety
phys.org
Boeing's 737 Max Is a Saga of Capitalism Gone Awry
NYTimes
This Bluetooth Attack Can Steal a Tesla Model X in Minutes
WIRED
China's Surveillance State Sucks Up Data. U.S. Tech Is Key Sorting It Out
NYTimes
Secret Amazon Reports Expose the Company's Surveillance of Labor and Environmental Groups
Vice
How 30 Lines of Code Blew Up a 27-Ton Generator
WiReD
The world of online chess cheating
chess.com
A Broken Piece of Internet Backbone Might Finally Get Fixed
WiReD
WarGames for real: How one 1983 exercise nearly triggered WWIII
Ars Technica
Showing robots how to drive a car… in just a few easy lessons
Techxplore.com
Looking for ways to prevent price collusion with AI systems
Techxplore.com
ML Guarantees Robots' Performance in Unknown Territory
Princeton
AI in the Age of Cyber-Disorder
F. Rugge, Ed.
Is Alexa becoming antisemitic?
Vice
Google Search too powerful
Dan Jacobson
What Is the Signal Encryption Protocol?
WiReD
Thunderbird 78+ OpenPGP is a mess
im Garrison
Patients of a Vermont Hospital Are Left in the Dark After a Cyberattack
NYTimes
Inside the Cit0Day Breach Collection
Troy Hunt
Accidentally broadcast screenshot shows hackers where to look
Amos Shapir
Hackers tricked GoDaddy into helping attacks on cryptocurrency services
Engadget
Rashida Tlaib takes on cryptocurrency
WiReD
Apple's security chief charged with bribery
BBC
iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever
Ars Technica
A “moral contract” with a virus?
Rob Slade
Cyberattacks Discovered on Vaccine Distribution Operations
NYTimes
AI tool to track high-volume adverse vaccine reactions
geoff goodfellow
Internet's MostNotorious Botnet Has an Alarming New Trick
WiReD
After years of work, Congress passes ‘Internet-of-Things’ cybersecurity bill —and it's kind of a big deal
Cyberscoop
Fortifying Our Electoral System Against Attacks
CAP
Google Researcher Says She Was Fired Over Paper Highlighting Bias in AI
NYTimes
Robocallers unclear on the concept …
Rob Slade
“Discussion Feedback” becomes “Discussion Fee”
Dan Jacobson
Nice solution to password problem—if only
Snopes via Gabe Goldberg
When Ships Are Abandoned, Stuck Sailors Struggle to Get By and Get Paid
Atlas Obscura
Another way every system eventually becomes email
Randall Monroe via Jan Wolitzky
Microsoft 365 “Productivity Score”
Rob Slade
Re: Microsoft Is Making a Secure PC Chip with Intel and AMD's Help
Jack Christensen
Re: Technology To Catch HOV Lane Violators Is Coming To Virginia
A Michael W Bacon
Re: What happens when you test TCL TVs
Richard A. DeMattia
Re: Whale Sculpture Stops Train From Plunge in the Netherlands
AMW Bacon
Re: Letter to Consumer Reports magazine
Gabe Goldberg
Re: Online password ‘123456’ more popular than ever and easy to crack
Stefan Lueders Keith Medcalf
Utah monolith: Internet sleuths got there, but its origins are still a mystery
BBC News
Info on RISKS (comp.risks)

Keyhole wasps may threaten aviation safety (phys.org)

Richard Stein <rmstein@ieee.org>
Fri, 27 Nov 2020 10:38:19 +0800

https://phys.org/news/2020-11-keyhole-wasps-threaten-aviation-safety.html

w“Over a period of 39 months, invasive keyhole wasps (Pachodynerus nasidens) at the Brisbane Airport were responsible for 93 instances of fully blocked replica pitot probes—vital instruments that measure airspeed—according to a study published November 25 in the open-access journal PLOS ONE by Alan House of Eco Logical Australia and colleagues.”

The essay suggests aircraft maintenance crews cover pitot probes to prevent their colonization when unused.

Would a power-on-self-test be able to discern if the inlet is bugged via fiber optic signal and sensor?


Boeing's 737 Max Is a Saga of Capitalism Gone Awry (NYTimes)

Richard Stein <rmstein@ieee.org>
Wed, 25 Nov 2020 08:30:43 +0800

https://www.nytimes.com/2020/11/24/sunday-review/boeing-737-max.html

“Yet in recent decades, Boeing—like so many American corporations — began shoveling money to investors and executives, while shortchanging its employees and cutting costs.”

Profit pressures undercut engineering process and problem solving culture in a business that was a consumer product safety icon. FAA oversight capacity, neutered by self-certification measures, accelerated product life cycle completion with compromised safety.

Product safety, especially for software, and computer-based systems generally, implies the institutionalization of effective defect escape suppression mechanisms. Defects discovered earlier in a life cycle afford more time to consider their repair prioritization BEFORE release for sale. This practice assumes accountability for product life cycle process fulfillment. If governance profit or schedule pressures force accountability shirks, defects will free-flow to the customer.

Unlike the medical device industry, where device problem/patient problem history is consolidated for public inspection by the FDA's MAUDE and TPLC repositories, Boeing product defect escapes emerge via accident or mishap investigations.

Justice Louis Brandeis said, “Sunlight is said to be the best of disinfectants.” Public visibility into Boeing's release and qualification processes (test plans, test results, defects) should not be necessary or required. Restoration of shattered public trust requires demonstrated capability that overachieves both consumer expectations and flight safety metrics.


This Bluetooth Attack Can Steal a Tesla Model X in Minutes (WIRED)

Gabe Goldberg <gabe@gabegold.com>
Wed, 25 Nov 2020 15:07:40 -0500

The company is rolling out a patch for the vulnerabilities, which allowed one researcher to break into a car in 90 seconds and drive away.

Tesla has always prided itself on its so-called over-the-air updates, pushing out new code automatically to fix bugs and add features. But one security researcher has shown how vulnerabilities in the Tesla Model X's keyless entry system allow a different sort of update: A hacker could rewrite the firmware of a key fob via Bluetooth connection, lift an unlock code from the fob, and use it to steal a Model X in just a matter of minutes. […]

https://www.wired.com/story/tesla-model-x-hack-bluetooth/

I also heard a rumor—couldn't confirm with search—that you can't play Tesla radio without having headlights on. True or nonsense? Model dependent? Bug or feature?

[See also https://www.washingtonpost.com/technology/2020/11/23/tesla-modelx-hack/ spotted by Monty Solomon]


China's Surveillance State Sucks Up Data. U.S. Tech Is Key Sorting It Out (NYTimes)

Monty Solomon <monty@roscom.com>
Mon, 23 Nov 2020 11:12:53 -0500

Intel and Nvidia chips power a supercomputing center that tracks people in a place where government suppresses minorities, raising questions about the tech industry's responsibility.

https://www.nytimes.com/2020/11/22/technology/china-intel-nvidia-xinjiang.html


Secret Amazon Reports Expose the Company's Surveillance of Labor and Environmental Groups (Vice)

“Matthew Kruk” <mkrukg@gmail.com>
Sat, 28 Nov 2020 18:01:24 -0700

Dozens of leaked documents from Amazon's Global Security Operations Center reveal the company's reliance on Pinkerton operatives to spy on warehouse workers and the extensive monitoring of labor unions, environmental activists, and other social movements.

https://www.vice.com/en/article/5dp3yn/amazon-leaked-reports-expose-spying-warehouse-workers-labor-union-environmental-groups-social-movements?utm_source=pocket-newtab


How 30 Lines of Code Blew Up a 27-Ton Generator (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 1 Dec 2020 02:04:15 -0500

Now, if Assante had done his job properly, they were going to destroy it. And the assembled researchers planned to kill that very expensive and resilient piece of machinery not with any physical tool or weapon but with about 140 kilobytes of data, a file smaller than the average cat GIF shared today on Twitter.

https://www.wired.com/story/how-30-lines-of-code-blew-up-27-ton-generator/

30 lines of code = 140KB? Maybe we have to read the book to understand that.


The world of online chess cheating (Chess.com)

Lauren Weinstein <lauren@vortex.com>
Sat, 28 Nov 2020 14:30:57 -0800

https://www.chess.com/article/view/online-chess-cheating


A Broken Piece of Internet Backbone Might Finally Get Fixed (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Wed, 2 Dec 2020 20:58:52 -0500

Efforts to secure the Border Gateway Protocol have picked up critical momentum, including a big assist from Google.

https://www.wired.com/story/bgp-routing-manrs-google-fix/


WarGames for real: How one 1983 exercise nearly triggered WWIII (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Tue, 1 Dec 2020 20:08:49 -0500

From the archives: Say hello to the KGB software model that forecasted mushroom clouds.

“Let's play Global Thermonuclear War.”

Thirty-two years ago, just months after the release of the movie WarGames, the world came the closest it ever has to nuclear Armageddon. In the movie version of a global near-death experience, a teenage hacker messing around with an artificial intelligence program that just happened to control the American nuclear missile force unleashes chaos. In reality, a very different computer program run by the Soviets fed growing paranoia about the intentions of the United States, very nearly triggering a nuclear war.

https://arstechnica.com/information-technology/2020/11/wargames-for-real-how-one-1983-exercise-nearly-triggered-wwiii/


Showing robots how to drive a car… in just a few easy lessons (Techxplore.com)

Richard Stein <rmstein@ieee.org>
Fri, 20 Nov 2020 10:36:30 +0800

“When we go into the world of cyber physical systems, like robots and self-driving cars, where time is crucial, linear temporal logic becomes a bit cumbersome, because it reasons about sequences of true/false values for variables, while STL allows reasoning about physical signals.”

STL == Signal Temporal Logic to accelerate AI training processes by enabling discernment of correct v. incorrect outcome detection.

Achievement of driverless vehicle (DV) fleet deployments with guaranteed accident and fatality reduction risk potential requires much more than a technological solution.

A sustained transition from human-driver-in-the-loop supremacy to DV-in-the-loop supremacy is required. This transition will be challenging for drivers, both silicon and carbon-based, especially in the earliest phases of widespread deployments.

DV hailing app terms of service may require passengers to indemnify the fleet operator against class action suit in the event of accident subject to fleet operator-sponsored arbitration, and mandatory acceptance of terms before DV boarding commences. No acceptance, no ride.

NHTSA regulations appear to green light DV fleet deployment. If the federal government generously underwrites an liability insurance pool, deployment will accelerate.

The latest US motor vehicle traffic fatality statistics can be found here https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/813021 (retrieved on 20NOV2020). Whether or not STL, if integrated into the dv-onics, can reduce these fatalities remains to be seen.

Risk: Public safety.


Looking for ways to prevent price collusion with AI systems (techxplore.com)

Richard Stein <rmstein@ieee.org>
Sun, 29 Nov 2020 14:23:31 +0800

https://techxplore.com/news/2020-11-ways-price-collusion-ai.html

“AI systems have found, through learned experience, that uncommunicated collusion can lead to higher profits. Such systems do not have to meet secretly in back rooms—instead, they use logic to discover that their company will make more money if they charge more for products. And if all of their competitors are using similar systems, they can all agree to raises prices and hold them there, without ever having to actually agree to do so. Worse, because they do not break any of the rules that have been established to prevent human price setters from colluding, there is nothing the law can do to stop them. At least not right now, based on current laws.”

Price fixing enforcement (see https://en.wikipedia.org/wiki/Price_fixing) requires access to pricing decisions.

A hypothetical PriceFixSnifferBot deployed by the Federal Trade Commission, the Consumer Finance Protection Bureau, or Securities Exchange Commission in the US might deter commercial enterprises from illegally exploiting (gaming) AI pricing systems.

Can a PriceFixSnifferBot correctly identify illegal price fixing traceable to a non-communicated conspiracy of AI systems owned and operated by commercial enterprises? It would imply continuous search of business pricing systems across economic sectors.

A likely violation of the US Constitution's 4th amendment preventing illegal search and seizure. Corporations, like people, are presumed innocent of illegality until proven guilty. A nationwide search warrant to prevent business price fixing across the economy? Reminiscent of a Philip K. Dick story plot.

What might trigger a PriceFixSnifferBot to identify illegal price fixing? The PriceSnifferBot would have to detect evidence of an algorithmic-enabled pricing conspiracy. An algorithmic bias standard would be needed for it to allege price bias.

The hypothetical algorithmic bias standard needs to equivalence the international system of units established for kilogram, meter, second, or ampere. These standards are fully dependent on the fundamental constants of nature (pi, Planck's constant, electron charge, etc.). Without this universal reference, political influence might adjust PriceFixSnifferBot deployment parameters to favor certain interests.

How to create an algorithm bias standard? Perhaps an analog computation, via a Whetstone bridge circuit with precision resistor components, could independently weigh a pricing system's algorithmic bias, thereby eliminating the human thumb from the scale.

Not hard to imagine a PriceGougeBot available for off-the-shelf purchase, or via open source at Git. Just-in-time to juice up the year-end holiday shopping experience.


ML Guarantees Robots' Performance in Unknown Territory (Princeton)

ACM TechNews <technews-editor@acm.org>
Mon, 23 Nov 2020 12:24:37 -0500 (EST)

Molly Sharlach, Princeton Engineering News, 17 Nov 2020 via ACM TechNews, 23 Nov 20202

Princeton University researchers have developed a machine learning (ML) technique for ensuring robots' safety and success in unfamiliar environments. The researchers came up with the technique by adapting ML frameworks from other fields to robotic movement and grasping. The new technique was tested in various simulations, and also validated by evaluating its use for obstacle avoidance using a small combination quadcopter/fixed-wing airplane drone that flew down a 60-foot-long corridor dotted with cardboard cylinders; it avoided those obstacles 90% of the time. The Toyota Research Institute's Hongkai Dai said, “ Over the last decade or so, there's been a tremendous amount of excitement and progress around machine learning in the context of robotics, primarily because it allows you to handle rich sensory inputs,” like images captured by a robot's camera.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-282a6x226987x070255&


AI in the Age of Cyber-Disorder (F. Rugge, Ed.)

“Diego.Latella” <diego.latella@isti.cnr.it>
Mon, 23 Nov 2020 13:45:29 +0100

You may be interested in the following ISPI-Brookings report:

F. Rugge (Ed.), AI in the Age of Cyber-Disorder ISPI-Brookings Report 23 Nov 2020

https://www.ispionline.it/it/pubblicazione/ai-age-cyber-disorder-28309


Is Alexa becoming antisemitic? (Vice)
Amos Shapir <amos083@gmail.com>
Tue, 1 Dec 2020 14:02:01 +0200

Quote: CFI Vice-Chairman Andrew Percy MP has urged Home Secretary Priti Patel to “immediately investigate” how cloud-based voice services “select their material and sources,” after learning that responses given by= the Amazon Alexa device “lend credibility to antisemitic views.” Full article at: https://cfoi.co.uk/cfi-vice-chairman-andrew-percy-mp-expresses-concern-over-amazon-alexa-responses-which-lend-credibility-to-antisemitic-views


Google Search too powerful

Dan Jacobson <jidanni@jidanni.org>
Sat, 21 Nov 2020 13:48:01 +0800

Customer: “Yes you do sell vegan pizza. It's right there on your web page!”

Staff: “We are not responsible for pages you find on our website that are no longer linked from our homepage. No matter if you used Google to find them, or other nefarious means.”


What Is the Signal Encryption Protocol? (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 30 Nov 2020 19:18:28 -0500

As the Signal protocol becomes the industry standard, it's worth understanding what sets it apart from other forms of end-to-end encrypted messaging.

https://www.wired.com/story/signal-encryption-protocol-hacker-lexicon/


Thunderbird 78+ OpenPGP is a mess

Jim Garrison <jhg@jhmg.net>
Thu, 26 Nov 2020 11:57:39 -0800

For years there has been a 3rd-party plugin for the Mozilla Thunderbird email client, called Enigmail, that enables the use of GnuPG and OpenPGP keyrings to sign and encrypt email. It included a fairly complete key management UI, and depended on an installation of the Windows port of OpenPGP. This meant I could have a single keyring and share it between Windows, Thunderbird and Cygwin.

With version 78, the folks at Mozilla made Enigmail obsolete (and non-functional), replacing it with built-in OpenPGP integration. Sounds good, right? Wrong! The new implementation is extremely limited compared to Enigmail, but it has a couple of major flaws. One is inconvenient, but the other is a security hole big enough to drive a train through.

With Enigmail, every time you wanted to sign an outgoing message, you were required to type in the key's passphrase. There may have been an option to cache the passphrase for a few minutes, I didn't use it, but I have a dim memory of the timeout being quite short.

Thunderbird's OpenPGP integration does things differently. First, it uses its own internal keyring. No more sharing a single keyring among different OpenPGP implementations. Highly inconvenient as I now have to manage two identical keyrings.

The real problem is in passphrase management. When you import a private key, Thunderbird asks for your passphrase and stores it. From that point forward, it does not prompt for the passphrase when using it to sign an outgoing email. They claim the encryption used for the passphrases is “safe”.

There's another feature called “Master Password”, but that's just security veneer as it is requested only once, at session startup. Most people leave their email client running in the background continuously. Anyone with physical access to the machine can now impersonate you with ease. And then there's the use case of a shared computer. If you want PGP encryption without the glaring risk, you cannot use Thunderbird.

I went to the Mozilla bug database to see what others have said. There are several bugs filed, all closed and dismissed with comments like “Just lock your computer. Problem solved”. I filed my own bug https://bugzilla.mozilla.org/show_bug.cgi?id=1679455

We'll see what happens.


Patients of a Vermont Hospital Are Left in the Dark After a Cyberattack (NYTimes)

Monty Solomon <monty@roscom.com>
Thu, 26 Nov 2020 17:09:39 -0500

A wave of damaging attacks on hospitals upended the lives of patients with cancer and other ailments. “I have no idea what to do.”

https://www.nytimes.com/2020/11/26/us/hospital-cyber-attack.html


Inside the Cit0Day Breach Collection (Troy Hunt)

Gabe Goldberg <gabe@gabegold.com>
Thu, 19 Nov 2020 20:13:42 -0500

https://www.troyhunt.com/inside-the-cit0day-breach-collection/

23,600 hacked databases have leaked from a defunct ‘data breach index’ site Site archive of Cit0day.in has now leaked on two hacking forums after the service shut down in September.

https://www.zdnet.com/article/23600-hacked-databases-have-leaked-from-a-defunct-data-breach-index-site/

Cit0Day Breach Collection Files: How to Check If Your Email Is Compromised

Previously, many reports confirmed that the Cit0Day leak has breached 13 billion user records from 23,000 hacked databases. It is difficult to tell if your email is among the other accounts that were compromised.

https://www.techtimes.com/articles/254314/20201119/cit0day-breach-collection-files-check-email-compromised.htm

…not exactly clear what to do about this, if you've been good about using unique passwords for everything.


Accidentally broadcast screenshot shows hackers where to look

Amos Shapir <amos083@gmail.com>
Thu, 3 Dec 2020 11:09:28 +0200

This is not a rare incident: An image of an operator's screen suddenly appears in the middle of a live TV broadcast. The funny part of this one is that the screenshot shows a view of a directory containing some videos, and a text file named “Alt F9 username and password”—almost an open invitation to hackers to break into the system and, if they can figure out which application uses “Alt F9”, to manipulate the video files there!

Video at: https://youtu.be/YK0LBXV2bTs?t=7


Hackers tricked GoDaddy into helping attacks on cryptocurrency services (Engadget)

Monty Solomon <monty@roscom.com>
Tue, 24 Nov 2020 11:08:58 -0500

https://www.engadget.com/godaddy-tricked-into-helping-cryptocurrency-attack-220911454.html

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services https://krebsonsecurity.com/2020/11/godaddy-employees-used-in-attacks-on-multiple-cryptocurrency-services/


Rashida Tlaib takes on cryptocurrency (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 4 Dec 2020 18:44:48 -0500

U.S. Representative Rashida Tlaib, a progressive first-term lawmaker, has cosponsored a bill requiring stablecoins like Facebook's Libra to be issued by banks.

https://www.wired.com/story/member-squad-takes-cryptocurrency/


Apple's security chief charged with bribery (BBC)

Rob Slade <rmslade@shaw.ca>
Tue, 24 Nov 2020 11:12:29 -0800

… although it does sound more like the other guy was demanding a bribe, but it's still troubling and slightly ironic.

https://www.bbc.com/news/technology-55052540


iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever (Ars Technica)

Monty Solomon <monty@roscom.com>
Thu, 3 Dec 2020 08:29:21 -0500

iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever

Before Apple patch, Wi-Fi packets could steal photos. No interaction needed. Over the air.

https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/


A “moral contract” with a virus?

Rob Slade <rmslade@shaw.ca>
Fri, 20 Nov 2020 11:46:31 -0800

Quebec premier Francois Legault has promised a sort of four day “visiting period” December 24th to 27th over Christmas, if les Quebecois will behave themselves nicely in the week before and after. http://newsletters.cbc.ca/c/1e0JJjHQpUTXDnsEwMZFgBCttS4

This proposition is so bizarre it makes my head spin. It is akin to the saying that expecting the world to treat you nicely because you are a good person is like expecting a bull not to charge you because you are a vegetarian. Yes, I know that we all have COVID fatigue, and that mental health is an issue, but thinking that you can make this kind of deal with a virus reveals a profound misunderstanding of the situation.

The pandemic risk is not this type of risk. You can't make deals with it. It won't agree not to attack you on Tuesday if you behave properly today. You have to isolate, you have to wash your hands, you have to keep physically distant, and you have to wear a mask if you aren't physically distant ALL THE TIME. Or, if you are in close contact with someone who is infected (even if neither you nor they know it) you will get sick. You don't get to do deals. You don't get to not wash your hands just because you, personally, find wearing a mask more difficult than you think other people do.

Look, putting it in infosec terms, you don't get to click on that dangerous link, safely, just because you have not clicked on three dangerous links previously. If you click on the link, you are going to get the drive-by download installed on your machine, and the blackhats are going to steal all your financial information, contacts, and accounts. You have to keep up your guard ALL THE TIME.

With this type of thinking, I am not looking forward to the coming months. The US is already in a bad way, and American Thanksgiving is coming up next week, right? Take a lesson from us, in Canada. We let our guard down for our Thanksgiving, which is in October (at the actual harvest season, not just a kickoff for Christmas shopping season), and we are definitely paying for it now. If those of you in the Unexplored Southern Area party on Thanksgiving and then again at Christmas, there won't be any of you left by the time the vaccines actually come out.

Look, this isn't the virus that stole Christmas. Think of other ways to “get together,” separately. That's why God invented Zoom and Whatsapp and Facetime. (And Jit.si. I'm dying to try out Jit.si. Somebody just installed it on our Vancouver Security SIG Slack.) (I hate Slack.) I'm pretty sure you can find someone on Doordash who will deliver turkey. But don't think of packing together in a house this Christmas. It's dangerous. And no “moral contract” will change that.

Now go call your Mum on Whatsapp.


Cyberattacks Discovered on Vaccine Distribution Operations (The NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Thu, 3 Dec 2020 12:48:31 -0500

IBM has found that companies and governments have been targeted by unknown attackers, prompting a warning from the Homeland Security Department.

https://www.nytimes.com/2020/12/03/us/politics/vaccine-cyberattacks.html https://www.washingtonpost.com/world/coronavirus-vaccine-hackers-phish-ibm-cold-chain/2020/12/03/27a5b0b2-355d-11eb-9699-00d311f13d2d_story.html


AI tool to track high-volume adverse vaccine reactions

geoff goodfellow <geoff@iconia.com>
Mon, 23 Nov 2020 08:05:23 -1000

“Most” of the side effects are reportedly “mild and short-term.”

The British government is funding the development of an artificial intelligence tool to track and log what it anticipates will be a “high volume” of adverse reactions to the upcoming COVID-19 vaccine once it becomes widely distributed.

A “contract award notice

<https://ted.europa.eu/udl?uri=TED:NOTICE:506291-2020:TEXT:EN:HTML&src=0>” posted to the European Union public procurement tracker Tenders Electronic Daily states that the U.K.'s Medicines and Healthcare products Regulatory Agency plans to deploy “an Artificial Intelligence (AI) software tool” to “process the expected high volume of COVID-19 vaccine Adverse Drug Reaction (ADRs) and ensure that no details from the ADRs' reaction text are missed.”

“It is not possible to retrofit the MHRA's legacy systems to handle the volume of ADRs that will be generated by a COVID-19 vaccine,” the contract notice continues. “Therefore, if the MHRA does not implement the AI tool, it will be unable to process these ADRs effectively.”

“This will hinder [the MHRA's] ability to rapidly identify any potential safety issues with the COVID-19 vaccine and represents a direct threat to patient life and public health.”

The contract, which is worth $2 million, was awarded in September to Genpact (UK) Ltd. The posted announcement states that “reasons of extreme urgency” related to the pandemic have “accelerated the sourcing and implementation of a vaccine specific AI tool.”

COVID vaccine safety expected to be ‘similar to other types of vaccines’ […] https://justthenews.com/politics-policy/coronavirus/uk-will-use-ai-tool-process-high-volume-expected-adverse-reactions


Internet's MostNotorious Botnet Has an Alarming New Trick (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 4 Dec 2020 02:12:16 -0500

The hackers behind TrickBot have begun probing victim PCs for vulnerable firmware, which would let them persist on devices undetected.

https://www.wired.com/story/trickbot-botnet-uefi-firmware/


After years of work, Congress passes ‘Internet-of-Things’ cybersecurity bill—and it's kind of a big deal (Cyberscoop)

Gabe Goldberg <gabe@gabegold.com>
Thu, 3 Dec 2020 13:41:21 -0500

https://www.cyberscoop.com/congress-iot-cybersecurity-bill-contractors/


Fortifying Our Electoral System Against Attacks (Center for American Progress)

Gabe Goldberg <gabe@gabegold.com>
Thu, 3 Dec 2020 17:59:09 -0500

Lessons Learned From the 2020 Presidential Election

https://www.americanprogress.org/events/2020/11/30/493333/fortifying-electoral-system-attacks/


Google Researcher Says She Was Fired Over Paper Highlighting Bias in AI (The NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Fri, 4 Dec 2020 01:45:19 -0500

Timnit Gebru, one of the few Black women in her field, had voiced exasperation over the company’s response to efforts to increase minority hiring.

https://www.nytimes.com/2020/12/03/technology/google-researcher-timnit-gebru.html


Robocallers unclear on the concept …

Rob Slade <rmslade@shaw.ca>
Tue, 1 Dec 2020 12:31:28 -0800

Got woken up by a spam/telemarketer/vishing call today. Obvious machine generated “voice” telling me it was calling from “Amazon Prime Number …”


“Discussion Feedback” becomes “Discussion Fee”

Dan Jacobson <jidanni@jidanni.org>
Fri, 04 Dec 2020 01:17:28 +0800

https://github.com/github/feedback/discussions/2811

> Oh no! There most certainly is no fee for creating a discussion here :-)
> Thank you for letting me know - we'll look into fixing this and report back. ;-)

I bet it's the old story: Older users choose larger fonts, that younger designers never expected would then exceed their tiny boxes and get clipped… in just the wrong places!


Nice solution to password problem—if only

Gabe Goldberg <gabe@gabegold.com>
Fri, 20 Nov 2020 18:58:12 -0500

Please note: We are using a passwordless system to manage Snopes Accounts. This means we'll email you a verification code each time you log in. If you do not receive your verification code within a few minutes of logging in, please check your spam folder.

We're using a passwordless login system for a few key reasons:

  1. It's momore secure. With a username and password system, users tend to choose a password they're comfortable with (such as their birthday or pet's n name) or credentials they've used for other accounts. As a result, if hackers get access to one account, they can gain access to many, leading to a domino effect that can put all of your information at risk. A passwordless system removes this threat.
  2. It's simpler. Since your Snopes account will be tied to your email, you won't need to remember complicated passwords or periodically renew your password to keep your information safe. All you'll need to do is remember the email address associated with your account to log in.
  3. It's becoming the norm. Many other industry leaders are moving towards passwordless login systems for both reasons above, so it very well may soon be used by other websites you frequent.

https://www.snopes.com/faq/what-is-passwordless-login-and-why-does-snopes-use-it/

[What could go wrong with that? So having your email compromised automatically compromises every site using this system, what a great time saver. GG]


When Ships Are Abandoned, Stuck Sailors Struggle to Get By and Get Paid (Atlas Obscura)

Gabe Goldberg <gabe@gabegold.com>
Sun, 22 Nov 2020 15:03:45 -0500

“We are satisfied with little, but even that little is impossible today.”

When Captain Alexander Ovchinnikov took over command of the ship Gobustan in Istanbul, the term COVID-19 hadn't been coined yet, quarantine was was the stuff of apocalyptic science fiction, and few people outside of China knew where Wuhan was. It was December 25, 2019. Ovchinnikov, 39, was still on that ship through the summer, along with 11 other crew members: The second engineer was Russian too, the cook was Ukranian, and the rest were from Azerbaijan. At least one had been on board since October 2019, and none of them had received a salary since January. The crew of Gobustan had been stuck since June 16 in the Italian port of Ravenna, on the Adriatic Sea. “We live like in prison. We get up, have breakfast, do some routine activities, then we have dinner and go to bed,” said Ovchinnikov. Their days were all the same and the stillness was shaken only by cleaning and maintenance activities. Sure enough, the ship was clean as a whistle.

https://www.atlasobscura.com/articles/sailors-on-abandoned-ships

Risks? Flags of convenience, politics, corruption, malfeasance…


Another way every system eventually becomes email

Jan Wolitzky <jan.wolitzky@gmail.com>
Mon, 23 Nov 2020 17:54:05 -0500

RISKS doesn't usually post cartoons, but Randall Munroe's XKCD today is appropriate:

<https://xkcd.com/2389/>

“I'll never install a smart home smoke detector. It's not that I don't trust the software—it's that all software eventually becomes email, and I know how I am with email.”


Microsoft 365 “Productivity Score”

Rob Slade <rslade@gmail.com>
Fri, 27 Nov 2020 11:09:56 -0800

Those who use Microsoft 365 can now get a “Productivity Score.” And so can the boss. https://www.independent.co.uk/life-style/gadgets-and-tech/microsoft-365-office-surveillance-productivity-b1761570.html

How many times do you use email, or chat? Do you turn off the Webcam when on video meetings? Employees are ranked against their peers. Optionally, the boss can also share the data with Microsoft, in order to see how your company is doing against the competition. Which means Microsoft gets lots and lots and lots of company and user data.

Privacy issues, much?


Re: Microsoft Is Making a Secure PC Chip with Intel and AMD's Help (RISKS-32:38)

Jack Christensen <christensen.jack.a@gmail.com>
Mon, 23 Nov 2020 14:32:17 -0500

“So there are fewer people involved, and the PC is going to be more secure for it.”

Interesting statement. Open-source proponents might make exactly the opposite argument.


Re: Technology To Catch HOV Lane Violators Is Coming To Virginia (Deist, RISKS-32.38)

A Michael W Bacon <amichaelwbacon@gmail.com>
Mon, 23 Nov 2020 07:53:52 +0000

I recall a story I was told some 20 years ago while being driven along the road in question, that the CCTV operators overseeing the operation of the HOV 3+ lanes on the I395 (Shirley Highway) had observed that the passenger seats of many vehicles appeared to be occupied by opera divas in full song.


Re: What happens when you test TCL TVs

“Richard A. DeMattia” <rademattia@sbcglobal.net>
Mon, 23 Nov 2020 11:54:01 -0500

It is truly an abomination that a line of mass-produced consumer products would be released with such egregious security failings. However, in my world and perhaps in certain parts of the REAL world, SSH on my home cable router is port-forwarded to a machine that is not the television. And on my TCL 40S330 purchased 20-Nov-2020 ssh and telnet are both rejected at that host.

I don't have any comment on the serving up of the file system… well hardly any.


Re: Whale Sculpture Stops Train From Plunge in the Netherlands (RISKS-32.38)

A Michael W Bacon <amichaelwbacon@gmail.com>
Mon, 23 Nov 2020 07:31:16 +0000

Taking up Brian Inglis's suggestion of a Limerick (RISKS-32.38) …

In Holland they tell a tall tale, Of a train that was stopped by a whale. It seemed quite a fluke, But it earned a rebuke, For the driver, whose train left the rail.


Re: Letter to Consumer Reports magazine

<Gabe Goldberg <gabe@gabegold.com>9>
Mon, 23 Nov 2020 18:46:24 -0500

Right—far too many household objects have delusions of computerhood (toothbrush with timer and several brushing modes, blood pressure monitor, electric razor charging station with multiple indicator lights, etc.). I actually don't mind them having localized/isolated computing power but I'm selective about what goes online. For example, I could connect garage door opener to Internet and control it with smartphone app—but no.

>> TVs should be TVs, not computers.
> That's how TVs are used in our household, but the horse is already out of
> the barn.  You could also say watches should be watches, vacuum cleaners
> should be vacuum cleaners, phones should be phones, cars should be cars,
> refrigerators should be refrigerators.  The issue is cooked.  What may not
> be cooked is how we end up regulating the privacy and security
> issues. I hope not, in any case.
> Before me is a copy of the notes for a talk I gave several times in the
> early 1990s to groups in Europe in which one slide asks “What's the
> difference between a computer with a television in it and a television
> with a computer in it?” and the next answers “None”. I wanted to
> prepare them for a networked future with active media where computing and
> networking would be so widespread and common as to be invisible.
> I can't recall that they ever got it.
>
> Pete Kaiser

Re: Online password ‘123456’ more popular than ever and easy to crack (Kruk)

Stefan Lueders <Stefan.Lueders@cern.ch>
Mon, 23 Nov 2020 07:49:13 +0000

I do not agree its conclusion. While I agree that passwords should be complex and long, rather passphrases, and ideally go along with second factor authentication, the problem in the below lies somewhere else: in the increasing need to register with an email address / password combination to even the simplest webpages to get some random content (newsletters, bulletin boards, etc.) such that the website owners can market those email addresses. The risk of exposure of personal information, if those sites are compromized, on that pages is zero. The password complexity (and use of 2FA) should be proportional to the risk --- where PII is at stake, complex passwords & 2FA are a must. But for a page where I am forced to register just with an email address to access content, like RISKS, any password can do.


Re: Online password ‘123456’ more popular than ever and easy to crack (Kruk, RISKS-32.38)

“Keith Medcalf” <kmedcalf@dessus.com>
Wed, 25 Nov 2020 05:25:18 -0700

And this points out why one should NEVER use a so-called “password manager” because they are inherently untrustworthy and have access to all your passwords.

If you want to publish all your passwords for everyone to see, why not just write them on a sticky-note and stick it on your window, or send it as a letter to the editor of your local newspaper? Or post them on Twitter or whatever the kids are using these days …


Utah monolith: Internet sleuths got there, but its origins are still a mystery (BBC News)

Gabe Goldberg <gabe@gabegold.com>
Fri, 27 Nov 2020 16:20:50 -0500

It took just 48 hours for the first person to get there.

When officials in Utah on Monday revealed they had found a shimmering, metal structure deep in the Red Rock desert, they refused to say exactly where.

They hoped that would be enough to deter amateur adventurers from setting off to find it, risking getting dangerously lost in the process.

But there was little chance that people would abide by this advice. By Wednesday, pictures were emerging on Instagram of people triumphantly posing with the monolith, eager to show the world that they had got there first - even if the wider mystery of why it is there remains unsolved.

They were aided by Internet sleuths who had quickly geo-located the structure on Google Earth and posted the co-ordinates online.

https://www.bbc.com/news/world-us-canada-55071058

The risk? Trying to keep secrets.

Please report problems with the web pages to the maintainer

x
Top