The RISKS Digest
Volume 32 Issue 27

Friday, 18th September 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



PG&E error at power plant may help explain California's rolling blackouts
Using information to cause a blackout
Small drink cup-holders lead to engine shutdowns on A350s
A Tesla driver was caught sleeping on Autopilot at high speed, police are charging him criminally
University Ransomware Attack Exploits Citrix, Kills German Hospital Patient
Weakened Encryption: The Threat to America's National Security
At this point, 5G is a bad joke
Mobile phone radiation may be killing insects: German study
Listening To An IPhone With AM Radio
Is the Internet Conscious? If It Were, How Would We Know?
Vinton Cerf
Voatz letter published
Jack H Cable
A Quick Note on Voting Twice
Matt Bishop
How smart tech could help save the world's honey bees
The future is cyborg: Kaspersky study finds support for human augmentation
Police Across Canada Are Using Predictive Policing Algorithms, Report Finds
Nathan Munn
The 20-Year Hunt for the Man Behind the Love Bug Virus
Phone system cursed by magic words
Chicago Tribune
I Have Blood on My Hands: A Whistleblower Says Facebook Ignored Global Political Manipulation?
How an Epic Series of Tech Errors Hobbled Miami's Schools
Early research from 23andMe strengthens link between blood types and Covid-19
Kate Sheridan
New Report Explains COVID-19's Impact on Cybersecurity
The Hacker News
Re: 44 Square Feet: A School-Reopening Detective Story
Brian Inglis
Info on RISKS (comp.risks)

PG&E error at power plant may help explain California's rolling blackouts (San Francisco Chronicle)

Mon, 14 Sep 2020 20:39:29 -0400 (EDT)
*San Francisco Chronicle*, 14 Sep 2020

A mistake by Pacific Gas and Electric Co. may have played a role in one of
the two days that California experienced rolling blackouts during an extreme
heat wave last month.

Using information to cause a blackout (Crypto-gram)

3daygoaty <>
Tue, 15 Sep 2020 21:32:18 +1000
Bruce Schneier covers "How weaponizing disinformation can bring down a
city's power grid" linked here:

  The attack has already happened and defenses are there, in London at
  least!  People turning on thousands of kettles in TV ad breaks:

  Dinorwig Power Station, pumped hydro scheme built in 1974 (I understand
  but cannot prove) specifically for the Coronation Street TV show tea and
  toast ad breaks.

I will use this little spot to suggest that a better vector is solar
microinverters.  RISKS readers no doubt love what went down in Hawaii (and
in fact what stayed up):

  " you can imagine, service call costs to 51,000 solar homes equipped
  with 800,000 micro inverters quickly added up to tens of millions of
  dollars. Uniquely, Enphase (who are heavily data focused and driven)
  already had the ability to remotely connect to and tweak inverter
  settings.  Could they simultaneously, remotely and precisely make this
  change? And measure its effectiveness? From their headquarters in Napa
  Valley, California?"

Risk: Enphase install goes awry and an incomplete firmware upgrade causes
800k microinverters to reboot continuously, rapidly raising and lowering
grid feed-in.  Then there's tens of millions of dollars of house calls.

Small drink cup-holders lead to engine shutdowns on A350s (FlightGlobal)

George Mannes <>
Sun, 13 Sep 2020 21:34:19 -0400
Airbus has developed a new liquid-resistant integrated control panel for the
A350, designed to avoid the risk to engine systems from accidental drink
spillage in the cockpit.

Its development follows two incidents, in November last year and January
this year, in which A350-900s diverted as a result of uncommanded engine
shutdowns linked to beverage spills on the panel....

From AVWeb:

In both instances one of the engines shut down and couldn't be restarted....

...It's not clear if the EASA [European Aviation Safety Administration]
mandate will include bigger cup holders. There are at least two located well
out of harm's way to the left of the captain and right of the FO but they're
too small for the paper cups used by most airport vendors.

A Tesla driver was caught sleeping on Autopilot at high speed, police are charging him criminally

geoff goodfellow <>
Fri, 18 Sep 2020 04:56:05 -1000
A Tesla driver was caught sleeping on Autopilot with their seat *fully
reclined* at high speed, according to police who criminally charged the

Alberta RCMP (Canada federal police) reported on a strange incident
involving a Tesla vehicle on Autopilot.

“Alberta RCMP received a complaint of a car speeding on Highway 2 near
Ponoka. The car appeared to be self-driving, traveling over 140 km/h [87
mph] with both front seats completely reclined and occupants appeared to be

With this report, they shared the picture of a Tesla Model S vehicle on

Alberta RCMP received a complaint of a car speeding on Hwy 2 near #Ponoka.
The car appeared to be self-driving, travelling over 140 km/h [87 mph] with
both front seats completely reclined & occupants appeared to be asleep. The
driver received a Dangerous Driving charge & summons for court

RCMP Alberta (@RCMPAlberta) *September 17, 2020*

Tesla Autopilot is not a “self-driving” system but a suite of driver
assist features.

While it can technically drive autonomously on highways without driver
interventions, Tesla asks drivers to keep their hands on the wheel and to
pay attention at all times.

The automaker also implemented a system that requires drivers to frequently
apply light torque to the steering wheel in order for Autopilot to stay

Some Tesla drivers have been getting around the system by *attaching a
weight to the steering wheel*
-- a practice considered dangerous by US regulators (and anyone with half a

In this incident, the police reported some strange behaviors from the
vehicle, which was presumably on Autopilot:  [...]

University Ransomware Attack Exploits Citrix, Kills German Hospital Patient (Politico)

"Peter G. Neumann" <>
Fri, 18 Sep 2020 11:17:33 PDT
A ransomware attack led to a patient's death in Germany,
authorities there said, marking the first known occasion of ransomware being
directly linked to a person's demise in the hospital—and perhaps the most
direct civilian demise caused anywhere by any kind of cyberattack. An
investigation could lead to homicide charges, local press reported. News of
the incident last week—where a patient had to be transferred to another
city's hospital due to the ransomware and died because of the delay in
treatment—first broke on Thursday. The attack apparently wasn't even
targeting the hospital, but instead a university. A long-warned
vulnerability in Citrix tied to the attack generated another German
cybersecurity agency alert.
[linked document in German].

Cybersecurity experts have been warning for some time about a
cyberattack causing the death of a medical patient, but the link has usually
been seen far more indirectly. Industry voices took to Twitter to lament the
death, sometimes in profane terms. “If you ever
wondered why the unsung jobs of IT admins [are] so thankless, if they
succeed, they are invisible, whereas if they fail - we all fail & people
die,” tweeted Katie Moussouris, CEO of Luta Security.

  See also:

Weakened Encryption: The Threat to America's National Security (ThirdWay)

geoff goodfellow <>
Wed, 16 Sep 2020 11:04:53 -1000
*Takeaways* For years, law enforcement officials have warned that, because
of encryption, criminals can hide their communications and acts, causing law
enforcement to struggle to decrypt data during their investigation—a
challenge commonly referred to as “going dark.” They called on technology
companies to build a process, like a “master key,” to enable law
enforcement to unlock encrypted communications. While this may seem like a
tempting idea, it would have grave implications for our national security.
As more and more of our communications move online, users seek out encrypted
services to protect their privacy. Unlike telephonic communications, and
despite repeated requests by law enforcement to do so, Congress has not
required Internet communications platforms to give law enforcement access to
intercept user communications or access stored communications. In this
paper, we assess the national security risks to a requirement to provide
that master key (referred to throughout as “exceptional” or “backdoor”
access) to encrypted communications and propose alternative approaches to
address online harms.

In short, requiring exceptional access to encrypted technologies would
undermine national security by:

   1. Weakening protections for the information that the national security
      community relies upon, especially as it flows over foreign networks.
   2. Creating a vulnerability in encrypted communications that could be
      accessed by foreign adversaries.
   3. Encouraging other countries to require tech and Internet companies
      to provide equivalent access to communications within their boundaries.

This does not mean that the Internet should be a lawless zone. Law
enforcement and the private sector can and should cooperate in addressing
crimes on the Internet and can do so without undermining a protection as
fundamental as encryption.  [...]

At this point, 5G is a bad joke (Computerworld)

Gabe Goldberg <>
Fri, 18 Sep 2020 00:14:40 -0400
Thinking of buying a new phone, just for high-speed mmWave 5G? Do yourself a
favor: Don't.

The risk? Marketing.

Mobile phone radiation may be killing insects: German study

Richard Stein <>
Fri, 18 Sep 2020 14:19:53 +0800

"Mobile phone and Wi-Fi radiation in particular opens the calcium channels
in certain cells, meaning they absorb more calcium ions.

"This can trigger a biochemical chain reaction in insects, the study said,
disrupting circadian rhythms and the immune system."

"Peter Hensinger of the German consumer protection organisation Diagnose
Funk said closer attention must be paid to the possible negative effects of
radiation on both animals and humans, particularly with regard to the
introduction of 5G technology."

The insect apocalypse threatens to disrupt food chains and our ecosystem. Do
WiFi and cellular device and tower radiation exposure also contribute to
premature insect mortality?

Photon energy is determined by E = h*f
   (h == Planck's constant, f == frequency).

Ultraviolet-C photons, known to cause melanoma, range in energy between
~4.5-12.4 eV (see 4.5 eV ~= 1100
THz; 12.4 eV ~= 3000 THz. A microwave oven operates @ ~2.5 GHz (~0.01
milli-electron volts).

5G technology (at a maximum) operates at ~30GHz (0.03 THz) or ~0.12
milli-electron volts which is insufficient, via the photoelectric effect, to
ionize an atom in a DNA's amino acid during reproduction and elevate genetic
mutation probability.

A certain species of bacteria has evolved a mechanism to survive ionizing
radiation exposure. See Doubtful that insects
inherited this capability. Humans do not possess these genes.

Note that room temperature of 300 degrees Kelvin (25 degrees Celsius or ~77
degrees F) ~= 0.026 eV which is ~200X greater than the energy of a 30 GHz
radio-wave photon. Ambient thermal energy, inside or out, swamps cell phone
radiation. DNA evolved to accommodate heat exposure.

Do RF sources influence insect cell membrane ion mobility and initiate
premature death?
(MAR2018) documents effects of RF exposure on several insect species using
2-120 GHz radio-waves. Their conclusion: "This could lead to changes in
insect behavior, physiology, and morphology over time due to an increase in
body temperatures, from dielectric heating." 'Could' is the operative word.

What happens when Drosophila Melanogaster are exposed to 30 GHz radio-wave
radiation for 1 hour each day? Fruit flies experience slight warming for 1
hour. Atmospheric garden heat exposes a fruit fly to 200 times the photon
energy emitted by cellular radio-wave photons.

To my knowledge, there are no established (meaning non-conflicted,
independent peer-review) links to non-ionizing radiation and vitality, be it
insect or human. Ambient RF radiation contribution to mortality, human or
insect, is impossible given physics.

Where are the epidemiological clusters and studies of human glioblastomas
(brain cancer) or other malignancies from earlier generations of cellphone
use and persistent exposure to ambient RF from cellphone towers or radio and
TV broadcasts? They do not exist.

Habitat loss and pesticide exposure are known, obvious insect mortality
contributors. Atmospheric influences (such as extra CO2, CH4, SO2, or
pollution or aerosols) on insect populations are likely contributors (see

The original publication on Germany's mitigation of insect demise is here:

Listening To An IPhone With AM Radio

geoff goodfellow <>
Fri, 18 Sep 2020 05:12:22 -1000
Electronic devices can be surprisingly leaky, often spraying out information
for anyone close by to receive. [Docter Cube] has found another such leak,
this time with the speakers in iPhones. While repairing an old AM radio and
listening to a podcast on his iPhone, he discovered that the radio was
receiving the audio from his iPhone when tuned to 950-970kHz.

[Docter Cube] states that he was able to receive the audio signal up to 20
feet away. A number of people responded to the tweet with video and test
results from different phones. It appears that iPhones 7 to 10 are affected,
and there is at least one report for a Motorola Android phone.  The
amplifier circuit of the speaker appears to be the most likely culprit, with
some reports saying that the volume setting had a big impact. With the short
range the security risk should be minor, although we would be interested to
see the results of testing with higher gain antennas. It is also likely that
the emission levels still fall within FCC Part 15 limits.  [...]

Is the Internet Conscious? If It Were, How Would We Know?

vinton cerf <>
Thu, Sep 17, 2020 at 8:18 AM
  [via geoff goodfellow]

we give autonomy to a lot of IOT devices/applications; maybe that is not
quite independent behavior.

Are stock programmed trading systems conscious? yes  - they take in input,
process, produce output that affects the real world (stock market). They
are capable of unexpected behaviors (bugs). If based on machine learning,
they are also capable of "breaking" owing to unpredicted situations.


Voatz letter published

Jack H Cable <>
Mon, 14 Sep 2020 17:04:32 +0000
The Voatz letter was published today, available at Thank you to everyone who signed on and contributed!

The letter was featured in this week's Politico cybersecurity newsletter.

A Quick Note on Voting Twice

Matt Bishop <>
Tue, 15 Sep 2020 15:34:06 -0700
> But if each ballot voted has to be checked to make sure it is not
> a second ballot, then the disruption factor is ENORMOUS.

Actually, not every ballot needs to be checked. Here's how it works:

If you vote by mail, when the envelope is received and your signature
validated, it's recorded that you voted. If you send in another vote by mail
ballot, when they try to validate your signature, the system will report you
have already voted. This is automatic and done when your signature is

So let's say you go to vote in person.

If you are doing a same-day registration, you vote conditionally. The
conditional ballot is handled the same as a provisional ballot.

If you have your vote by mail ballot and surrender it to the election
workers, they then print you a new ballot, and you vote in person.

If you do not have your vote by mail ballot, you then vote provisionally.

In all cases, if you have already signed the poll book, you vote

So the time-consuming checking is in processing the provisional and
conditional ballots. That can take quite a while; according to the election
officials in my county (Yolo), it can take 2-3 weeks to process them. It
took a bit longer at the last election due to COVID-19, but the Secretary of
State extended the dates.

Hope this clarifies things.

  [Of course, some precincts don't use electronic poll books, and are
  manual.  Mine has a paper list that one has to sign that cannot indicate
  whether you have already voted absentee.  When the absentee ballots are
  tallied later, the paper record would have to be checked.  PGN]

How smart tech could help save the world's honey bees

Richard Stein <>
Fri, 18 Sep 2020 19:57:49 +0800

The pollination industry contributes ~US$ 180B annually to agribusiness.
Avocados and almonds depend on pollination, as do ~1/3 of all commercial

Pesticides and fungicides—agricultural chemicals—jeopardize pollinator
survival. Bee apiaries fail at a high rate: ~44% die off annually,
threatening agriculture yields.

Hive inspection is time-consuming and laborious. Enter the wireless beehive
sensor to remotely monitor hive health for temperature, humidity, sound,
etc. and supply the beekeeper with important indicators of vitality or

Risks: Sensor calibration errors. Telemetry processing hacks manipulate hive
performance indicators.

[A few bugs to work out before a beeline to IPO?]

See for an algorithm and game
that simulates bee dances. Not hard to imagine an ambitious future
roboticist who designs and builds robobees that out-compete natural

The future is cyborg: Kaspersky study finds support for human augmentation (Reuters)

geoff goodfellow <>
Thu, 17 Sep 2020 09:38:40 -1000
Nearly two thirds of people in leading Western European countries would
consider augmenting the human body with technology to improve their lives,
mostly to improve health, according to research commissioned by Kaspersky.

As humanity journeys further into a technological revolution that its
leaders say will change every aspect of our lives, opportunities abound to
transform the ways our bodies operate from guarding against cancer to
turbo-charging the brain.

The Opinium Research survey of 14,500 people in 16 countries including
Britain, Germany, France, Italy and Spain showed that 63% of people would
consider augmenting their bodies to improve them, though the results varied
across Europe.

In Britain, France and Switzerland, support for augmentation was low - at
just 25%, 32% and 36% respectively - while in Portugal and Spain it was
much higher - at 60% in both.

“Human augmentation is one of the most significant technology trends
today,” said Marco Preuss, European director of global research and
analysis at Kaspersky, a Moscow-based cybersecurity firm.

“Augmentation enthusiasts are already testing the limits of what's
possible, but we need commonly agreed standards to ensure augmentation
reaches its full potential while minimising the risks,” Preuss
said.  [...]

Police Across Canada Are Using Predictive Policing Algorithms, Report Finds (Nathan Munn)

Dewayne Hendricks <>
September 14, 2020 at 18:42:31 GMT+9
Nathan Munn, *Vice*, 1 Sep 2020 (via David Farber)

Police across Canada are increasingly adopting algorithmic technology to
predict crime. The authors of a new report say human rights are threatened
by the practice.


Police across Canada are increasingly using controversial algorithms to
predict where crimes could occur, who might go missing, and to help them
determine where they should patrol, despite fundamental human rights
concerns, a new report has found.

To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in
Canada is the result of a joint investigation by the University of Toronto's
International Human Rights Program (IHRP) and Citizen Lab. It details how,
in the words of the report's authors, “law enforcement agencies across
Canada have started to use, procure, develop, or test a variety of
algorithmic policing methods,” with potentially dire consequences for civil
liberties, privacy and other Charter rights, the authors warn.

The report breaks down how police are using or considering the use of
algorithms for several purposes including predictive policing, which uses
historical police data to predict where crime will occur in the
future. Right now in Canada, police are using algorithms to analyze data
about individuals to predict who might go missing, with the goal of one day
using the technology in other areas of the criminal justice system. Some
police services are using algorithms to automate the mass collection and
analysis of public data, including social media posts, and to apply facial
recognition to existing mugshot databases for investigative purposes.

“Algorithmic policing technologies are present or under consideration
throughout Canada in the forms of both predictive policing and algorithmic
surveillance tools.”

Police in Vancouver, for example, use a machine-learning tool called GeoDASH
to predict where break-and-enter crimes might occur. Calgary Police Service
(CPS) uses Palantir's Gotham software to identify and visualize links
between people who interact with the police—including victims and
witnesses—and places, police reports, and the properties and vehicles
they own. (A draft Privacy Impact Assessment (PIA) conducted by CPS in 2014
and mentioned in the report noted that Gotham could “present false
associations between innocent individuals and criminal organizations and
suspects” and recommended measures to mitigate the risk of this happening,
but not all the recommendations have been implemented.)

The Toronto Police Service does not currently use algorithms in policing,
but police there have been collaborating with a data analytics firm since
2016 in an effort to “develop algorithmic models that identify high crime
areas,” the report notes.

The Saskatchewan Police Predictive Analytics Lab (SPPAL), founded in 2015,
is using data provided by the Saskatoon Police Service to develop algorithms
to predict which young people might go missing in the province. The SPPAL
project is an extension of the “Hub model” of policing, in which social
services agencies and police share information about people believed to be
“at risk” of criminal behavior or victimization. The SPPAL hopes to use
algorithms to address “repeat and violent offenders, domestic violence, the
opioid crisis, and individuals with mental illness who have come into
conflict with the criminal justice system,” the report reads.

“We've learned that people in Canada are now facing surveillance in many
aspects of their personal lives, in ways that we never would have associated
with traditional policing practices,” said Kate Robertson, a criminal
defense lawyer and one of the authors of the report, in a phone call with

“Individuals now face the prospect that when they're walking or driving
down the street, posting to social media, or chatting online, police
surveillance in the form of systematic data monitoring and collection may be
at work,” Robertson added.

The authors note that “historically disadvantaged communities” are at
particular risk of being targeted for surveillance and analysis by the
technology due to systemic bias found in historical police data.

The 20-Year Hunt for the Man Behind the Love Bug Virus (WiReD)

Gabe Goldberg <>
Mon, 14 Sep 2020 00:16:40 -0400
For two decades, Onel de Guzman has been suspected of unleashing the
groundbreaking virus. But he's never confessed to anything—until now.

Phone system cursed by magic words (Chicago Tribune)

Gabe Goldberg <>
Wed, 16 Sep 2020 16:15:32 -0400
Author writes:

  Trying to get a human on the line when you're trapped in some company's
  automated phone system is like whacking your way through a jungle with a
  pair of toenail clippers.

Impossible. Interminable. Maddening.

I am here today to offer two magic words to free you from the wilderness.

We've all been there: You have a problem. You need a person. Instead, you're
trapped with a computer that keeps chirping, "I'm sorry. Did you mean

What I meant, @#$$%^, is: @#$! you.

And those, I regret to say, are the magic words.

I Have Blood on My Hands: A Whistleblower Says Facebook Ignored Global Political Manipulation? (Buzzfeednews)

geoff goodfellow <>
Wed, 16 Sep 2020 11:15:08 -1000
*A 6,600-word internal memo from a fired Facebook data scientist details how
the social network knew leaders of countries around the world were using
their site to manipulate voters—and failed to act.*

“I've found multiple blatant attempts by foreign national governments to
abuse our platform on vast scales to mislead their own citizenry, and caused
international news on multiple occasions. I have personally made decisions
that affected national presidents without oversight, and taken action to
enforce against so many prominent politicians globally that I've lost
count.”  [...]

How an Epic Series of Tech Errors Hobbled Miami's Schools (WiReD)

Gabe Goldberg <>
Wed, 16 Sep 2020 17:16:24 -0400
It started with the district hiring a little-known virtual charter school
company, which led to balky connections and an even more troublesome

Early research from 23andMe strengthens link between blood types and Covid-19 (Kate Sheridan)

Dewayne Hendricks <>
Wed, Sep 16, 2020 at 3:45 AM
Kate Sheridan, StatNews, 14 Sep 2020

New Report Explains COVID-19's Impact on Cybersecurity (The Hacker News)

geoff goodfellow <>
Thu, 17 Sep 2020 08:07:53 -1000
A new report explains COVID-19's impact on #cybersecurity, detailing
changes in cyberattacks experts at @Cynet360 have observed across North
America and Europe since the beginning of this pandemic.

Re: 44 Square Feet: A School-Reopening Detective Story (RISKS-32.26)

Brian Inglis <>
Mon, 14 Sep 2020 17:21:00 -0600
Take 2m physical distance guide, square for area/person, which seems
reasonable and is the Australian guideline I believe, and convert to sq.ft.:

$ units \(2m\)^2 ft^2
43.055642 ft^2

One Canadian indoor store selling outdoor goods seems to have gone an order

$ units 20m^2 yd^2
23.919801 yd^2

Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
