The RISKS Digest
Volume 32 Issue 14

Sunday, 26th July 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Anatomy of an Election `Meltdown' in Georgia
NYTimes
Intel's Stunning Failure Heralds End of Era for U.S. Chip Sector
Bloomberg
Russia's GRU hackers hit U.S. government and energy targets
Ars Technica
Unsolicited Chinese seeds?
Washington State Dept of Agriculture
Homeland in Portland? No, USAF.
The Intercept
Finally there's a handbook on voting
Kimberly Wehle
Conflict Over a Rental Car Leads to Elusive ATM Skimming Suspect
NYTimes
Letting Your Insurer Ride Shotgun, for a Discounted Rate
NYTimes
The three worst things about email, and how to fix them
WashPost
PDF signatures useless
ZDNet
Google is aware of 'w5' Wi-Fi failures on some Nest thermostats and providing replacements
Android Police
Re: Boeing's future is cloudy as it tries to restore credibility
Joseph Gwinn
Re: European Public Sphere Towards Digital Sovereignty for Europe
Drew Dean
Info on RISKS (comp.risks)

Anatomy of an Election `Meltdown' in Georgia (NYTimes)

Peter Neumann <neumann@csl.sri.com>
Sun, 26 Jul 2020 12:44:01 -0700
.. Was the Result of Cascade of Failures
Danny Hakim, Reid J. Epstein, and Stephanie Saul
*The New York Times*, 26 July 2020
National Edition front page continued in pp.22-23.

Struggles to get the new high-tech voting system working, failures to detect
check marks instead of 'X', a huge management problem, barrage of partisan
blame-throwing, Reps blame Fulton County (Atlanta, Dems), Dems blame just
another Rep effort to disenfranchise Dems, problems still unresolved six
weeks later, with no signs of any improvements for November.  ``It has become
increasingly clear that what happened in June was a collective collapse.''
[Seriously PGN-ed, but the entire article is really scary and ominous.]


Intel's Stunning Failure Heralds End of Era for U.S. Chip Sector (Bloomberg)

David Farber <farber@keio.jp>
Sat, 25 Jul 2020 17:36:53 +0900
https://www.bloomberg.com/news/articles/2020-07-25/intel-stunning-failure-heralds-end-of-era-for-u-s-chip-sector


Russia's GRU hackers hit U.S. government and energy targets (Ars Technica)

Monty Solomon <monty@roscom.com>
Sat, 25 Jul 2020 09:59:08 -0400
Russia's GRU military intelligence agency has carried out many of the most
aggressive acts of hacking in history: destructive worms, blackouts, and --
closest to home for Americans -- a broad hacking-and-leaking operation
designed to influence the outcome of the 2016 U.S. presidential
election. Now it appears the GRU has been hitting U.S. networks again, in a
series of previously unreported intrusions that targeted organizations
ranging from government agencies to critical infrastructure.

https://arstechnica.com/information-technology/2020/07/russias-gru-hackers-hit-us-government-and-energy-targets/

https://www.wired.com/story/russia-fancy-bear-us-hacking-campaign-government-energy/


Unsolicited Chinese seeds? (Washington State Dept of Agriculture)

Paul Saffo <paul@saffo.com>
Sat, 25 Jul 2020 15:37:40 -0700
This from Facebook. Anyone know the background?  Any guesses what this is
about?  Cover for drug deals? There don't seem to be any explanations on the
web.

https://www.vvng.com/people-are-receiving-an-unsolicited-package-of-seeds-from-china-in-the-mail/
https://www.facebook.com/WAStateDeptAg/photos/a.10151025620032906/10158360747457906/

Washington State Department of Agriculture, with Stephanie Marshall and 14
others.

  Today we received reports of people receiving seeds in the mail from China
  that they did not order. The seeds are sent in packages usually stating
  that the contents are jewelry. Unsolicited seeds could be invasive,
  introduce diseases to local plants, or be harmful to livestock.

  Here's what to do if you receive unsolicited seeds from another country:

  1) DO NOT plant them and if they are in sealed packaging (as in the photo
     below) don't open the sealed package.

  2) This is known as agricultural smuggling. Report it to USDA and maintain
     the seeds and packaging until USDA instructs you what to do with the
     packages and seeds. They may be needed as evidence.

https://www.aphis.usda.gov/…/impor…/sa_sitc/ct_antismuggling

  [APHIS = Animal and Plant Health Inspection Service.  I don't find the
  item on the aphis site.  Maybe this is the symbiosis between the Chinese
  A(u)nts and the Aphi(d)s?  PGN]


Homeland in Portland? No, USAF. (The Intercept)

Paul Saffo <paul@saffo.com>
Sat, 25 Jul 2020 15:36:57 -0700
https://theintercept.com/2020/07/23/air-force-surveillance-plane-portland-protests/


Finally there's a handbook on voting (Kimberly Wehle)

David Lesher <wb8foz@8es.com>
Sat, 25 Jul 2020 14:23:46 -0400
  [In need of VV education?  DL]

<https://www.washingtonpost.com/opinions/2020/06/19/finally-theres-handbook-voting/>

Kim Wehle: Congress needs to appropriate money to the states every year
exclusively for elections. The last serious influx of federal funding for
equipment occurred in 2002. How many of us are using computers or flip
phones from 18 years ago? I would like to see modern encryption technology
brought to bear on voting so that, just like we conduct private and
sensitive bank transactions on our phones, we vote on our phones safely and
securely. This would address much of the fraud and the suppression concerns
from both sides of the aisle.

  [Disclosure: She is not a RISKS reader.  PGN]


Conflict Over a Rental Car Leads to Elusive ATM Skimming Suspect (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Fri, 24 Jul 2020 23:31:37 -0400
https://www.nytimes.com/2020/07/17/business/credit-card-skimmer-arrest-alaska.html

The risks? Greed, hubris, patterns, personality...


Letting Your Insurer Ride Shotgun, for a Discounted Rate (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Sat, 25 Jul 2020 19:06:43 -0400
Most big car insurers offer apps that monitor your driving, and one start-up
requires it. The trade-off in privacy is a premium that could be
substantially cheaper for safe drivers.

https://www.nytimes.com/2020/07/16/business/car-insurance-app-discounts.html

Same old, same old: except here you're the product *and* the customer.


The three worst things about email, and how to fix them (WashPost)

Richard Stein <rmstein@ieee.org>
Sat, 25 Jul 2020 10:33:33 +0800
https://www.washingtonpost.com/technology/2020/07/21/gmail-alternative-hey

The inconveniences of convenience.

"Problem 1: Anybody can email you. And they do." True. Email account content
can resemble a litter box. Delivery, while not 100%, surpasses snail mail
speed and cost-effectiveness. Caveat emptor for anything that is
free. Without authenticated credential provenance, via a nationalized (or
global) identity, authorization, and maintenance mechanism, random and
arbitrary recipient address email transmission is no-go.

"Problem 2: Important stuff gets lost." True. Check your SPAM folder for
important content mischaracterized by the latest attempt to automatically
pick fly poop from a pepper pile. Filters are like rocket science: they
intimidate the unskilled and uninitiated discouraging use.

"Problem 3: Your email isn't really private." True. Corporate email service
provider terms of service (aka, privacy policies) routinely authorize
collection, exploitation, followed by the unfortunate involuntary breach
(via hack or negligence) of said collected or transmitted email content.

The privacy policy entitles the service to potentially gain from the content
(if there's anything of value or merit) in exchange for convenient and free
public access.

Some entities (government security agencies specifically) might find
interest in the names/email addresses of dissidents—see the recent
Twitter hack of Geert Wilders.
https://www.washingtonpost.com/world/middle_east/twitter-says-hackers-accessed-dutch-politicians-inbox/2020/07/23/b979af96-ccd2-11ea-99b0-8426e26d203b_story.html.

That "Hey" may partially mitigate these foundational email features to suit
certain clientele (or their investors) does not diminish technological risk
exposure.


PDF signatures useless (ZDNet)

William Brodie-Tyrrell <william.brodie.tyrrell@gmail.com>
Sat, 25 Jul 2020 14:13:58 +0930
It turns out that PDF cryptographic signatures do not protect the entire
contents or visual appearance of the file.  Which makes them utterly
pointless.

https://www.zdnet.com/google-amp/article/new-shadow-attack-can-replace-content-in-digitally-signed-pdf-files/
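The point behind the item above is that a PDF signature only covers the byte
ranges listed in the signature dictionary's /ByteRange array, and the PDF
format allows further "incremental updates" to be appended after that signed
region without invalidating the signature. The following is an added example
(not from the ZDNet article or the poster): a small Python triage check that
parses /ByteRange from a PDF and reports whether the signed region reaches the
end of the file. The sample PDF is constructed inline with a placeholder
signature value, so no real cryptographic verification happens here; the
function names (`check_signature_coverage`, `build_sample_signed_pdf`) are
assumptions for this illustration.

```python
import re

# /ByteRange [a b c d] means the signature covers bytes [a, a+b) and [c, c+d);
# the hole in between must hold exactly the /Contents hex string (the signature
# value itself). Anything after c+d is an incremental update the signature
# says nothing about.
BYTERANGE_RE = re.compile(
    rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]"
)


def signed_ranges(pdf: bytes) -> list:
    """Return every (a, b, c, d) ByteRange tuple found in the file, in order."""
    return [tuple(int(x) for x in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]


def check_signature_coverage(pdf: bytes) -> dict:
    """Report whether the last signature's ByteRange covers the whole file.

    This is a triage signal only: it does not verify the signature value and it
    cannot tell a benign later update from a malicious one.
    """
    ranges = signed_ranges(pdf)
    if not ranges:
        return {"signed": False, "covers_whole_file": False,
                "trailing_bytes": len(pdf), "issues": ["no /ByteRange found"]}

    a, b, c, d = ranges[-1]  # the most recently applied signature
    issues = []
    gap = pdf[a + b:c]
    if not (gap.startswith(b"<") and gap.rstrip().endswith(b">")):
        issues.append("hole between signed ranges is not a /Contents hex string")
    if a != 0:
        issues.append("signed range does not start at offset 0")
    if c + d > len(pdf):
        issues.append("ByteRange extends past end of file")
    trailing = max(0, len(pdf) - (c + d))
    if trailing > 0:
        issues.append(f"{trailing} bytes appended after the signed range")

    return {"signed": True, "covers_whole_file": not issues,
            "trailing_bytes": trailing, "issues": issues}


def build_sample_signed_pdf(extra_update: bytes = b"") -> bytes:
    """Constructed sample: a minimal PDF-shaped file with a signature dictionary
    whose /ByteRange is consistent with the bytes, plus an optional appended
    incremental update. The signature value is a zero placeholder, not real."""
    placeholder = b"[0000000000 0000000000 0000000000 0000000000]"
    contents = b"<" + b"00" * 16 + b">"
    head = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
            b"/ByteRange " + placeholder + b" /Contents ")
    tail = b" >>\nendobj\n%%EOF\n"
    body = head + contents + tail
    a, b = 0, len(head)          # first range: start of file up to /Contents value
    c = b + len(contents)        # second range: just after the hex string
    d = len(body) - c            # ... to the end of this revision
    byterange = b"[%010d %010d %010d %010d]" % (a, b, c, d)
    assert len(byterange) == len(placeholder)  # fixed width keeps offsets stable
    return body.replace(placeholder, byterange) + extra_update


if __name__ == "__main__":
    clean = build_sample_signed_pdf()
    # Constructed incremental update appended after the signed revision.
    update = b"2 0 obj\n<< /Type /Annot /Subtype /FreeText >>\nendobj\n%%EOF\n"
    modified = build_sample_signed_pdf(update)
    print("clean:   ", check_signature_coverage(clean))
    print("modified:", check_signature_coverage(modified))
```

A non-zero `trailing_bytes` result is a reason to look closer, not proof of
tampering: legitimate workflows (form filling, a second signer) also append
incremental updates. The stronger check is to render the signed revision (the
first c+d bytes) beside the current file and compare what the reader would
see, which is exactly the gap the article says these signatures leave open.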


Google is aware of 'w5' Wi-Fi failures on some Nest thermostats and providing replacements (Android Police)

Monty Solomon <monty@roscom.com>
Sat, 25 Jul 2020 09:48:23 -0400
If troubleshooting doesn't work, it's a known issue and you can get a
replacement

https://www.androidpolice.com/2020/07/24/google-is-aware-of-w5-wi-fi-failures-on-some-nest-thermostats-and-providing-replacements/


Re: Boeing's future is cloudy as it tries to restore credibility (Ward, RISKS-32.13)

Joseph Gwinn <joegwinn@comcast.net>
Sat, 25 Jul 2020 16:50:15 -0400
> Probably junior programmers get this boring grunt work: senior programmers
> get to do more interesting jobs, like writing new code!  [...]

Ahh, no.  This was the customer tolerance level, to which IBM managed.  As I
recall, IBM alternated fixup releases (nothing new added, so more stable) and
improvement releases (sorta beta test).


Re: European Public Sphere Towards Digital Sovereignty for Europe (ACATech, RISKS-32.13)

Drew Dean <drewdean@gmail.com>
Sat, 25 Jul 2020 20:51:10 -0700
I think there's an unmentioned risk: that of an EU boondoggle. :-)
