The RISKS Digest
Volume 32 Issue 30

Friday, 2nd October 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Microsoft says Russia behind most nation-state cyber-attacks
Conservative operatives face felony charges in connection with robocalls seeking to mislead voters
More on Cambridge Analytica
UK Channel 4
Error discovered on Georgia touchscreens in US Senate race
Mark Niesse
Maryland's web-delivered ballots must be hand-copied to be counted
Tokyo Stock Market Halts Trading for a Day, Citing Glitch
Is The Internet falling apart?
The Hill
Apple marches to a different beat
Henry Baker
Robots smaller than the width of a hair
Could future AI turn animals against us?
The Next Web
This Is How Much Top Hackers Are Earning From Bug Bounties
Steve Ranger
Windows XP source code leaks online
The Verge
File under ‘feature interaction’
Third-Party Code Bug Left Instagram Users at Risk of Account Takeover
Alex Scroxton
MIT Media Lab develops sleep-tracking device that alters dreams to boost creativity
Science Times
Privacy of biometric data in DHS hands in doubt, IG says
New homeowner ‘freaked out’ when stranger took control of her security system
Alarm company “overlooked” change of home ownership
Teacher saw a BB gun in 9-year-old's room during online class, who faced expulsion
Using deep learning to control the unconsciousness level of patients in an anesthetic state
Re: A Tesla driver was caught sleeping on Autopilot
Martin Ward
Re: Tribune staff furious as cybersecurity test email makes cruel promises
John Beattie
Re: D.C.'s New Area Code Will Be… 771
Re: Pandemic spurs journalists to go it alone via email
Steve and Micki Bacher
Info on RISKS (comp.risks)

Microsoft says Russia behind most nation-state cyber-attacks (Bloomberg)

geoff goodfellow <>
Wed, 30 Sep 2020 10:52:08 -1000

Targets have ranged from elections to the Olympic Games.
Hackers in Iran and China have also been active, report says.

Russia-based hackers are responsible for the majority of nation-state attacks on Microsoft customers, according to new data from the company.

Microsoft Corp. has issued 13,000 alerts about nation-state hacking attempts to its customers in the last two years, with 52% of incidents between July 2019 and June 2020 related to Russian hackers—whose targets have ranged from elections to the Olympics, according to a report published Tuesday. Iran was responsible for a quarter of the alerts while China was responsible for 12%. The remainder of the nation-state activity observed by Microsoft came from North Korea and other countries.

Russian hackers have targeted elections and political organizations in multiple countries, as well as non-profit groups, professional services and higher education, according to Microsoft. Kremlin-linked hackers also tried to break into 16 sporting and anti-doping organizations on three continents amid doping investigations into Russian athletes.

“We see nation-state actors constantly evolving, trying new techniques,” said Tom Burt, a vice president at Microsoft. “As it stands today the attackers are winning in that they are so well resourced, so determined and so agile.” Foreign hackers have continued to target organizations related to American politics in recent weeks, he said.

Iranian hackers have also been prolific, stepping up the volume of their attacks in the last six months, according to Burt. In August 2019 alone, Iranian hackers attacked 241 Microsoft accounts associated with a U.S. presidential campaign, current and former U.S. officials, political journalists and well-known Iranians living abroad, the report said. While only four of these attacks were successful, Microsoft anticipates an increase in activity as the U.S. election approaches.

Hackers based in China have “attempted to gain intelligence on organizations associated with the upcoming U.S. presidential election,” according to Microsoft. Those hackers have also been active in cyber-attacks related to medical research. Among multiple attempts to hack medical research institutions in the U.S. and Asia, China-based hackers attacked an unnamed U.S. university that was researching a coronavirus vaccine in March. […]

Conservative operatives face felony charges in connection with robocalls seeking to mislead voters (WashPost)

Monty Solomon <>
Fri, 2 Oct 2020 02:30:14 -0400

If convicted, the pair could face up to 24 years in prison each

More on Cambridge Analytica (UK Channel 4)

David Isenberg <>
September 30, 2020 23:04:14 JST

[Via Dave Farber]

Channel 4 in the UK has released an amazing 20 minute video that is the best explanation I've seen of how Cambridge Analytica used Facebook data to micro-target voters to influence the 2016 US election and the Brexit vote:

There's also another most interesting video from the same project that digs into one guy's Facebook/Cambridge Analytica file

This second video shows one particular guy's file, which contains his psychographic profile, including openness, conscientiousness, extroversion, agreeableness and neuroticism scores by percentile.

It “knows” what kind of car the individual has, that he's a gamer, what his investments are, what his diet is, whether he uses coupons, if he writes a blog, how he uses The Internet and social media, whether he has a home office and what charities he gives to. And a bunch of other things.

From these aggregated data, it's easy to imagine how CA could determine things like who he'd vote for and the strength of his commitment to the voting process, and target manipulative ads and messages from “friends” accordingly.

In my humble opinion, both videos are must-watch for all who consider themselves to be technology literate.

Error discovered on Georgia touchscreens in US Senate race (Mark Niesse)

“Peter G. Neumann” <>
Sat, 26 Sep 2020 17:19:27 PDT

Mark Niesse, Atlanta Journal Constitution

Election officials working to correct issue before early voting begins 12 Oct.

Georgia election officials said Saturday they found a programming error on the state's voting touchscreens that caused a row of candidates in the 21-person U.S. Senate special election to disappear at times when flipping back and forth between screens. This will require reprogramming the state's 30,000 new touchscreens. The issue occurred in the U.S. Senate special election, which includes Republican U.S. Sen. Kelly Loeffler and U.S. Rep. Doug Collins, along with Democrats Raphael Warnock, Matt Lieberman and Ed Tarver.

Maryland's web-delivered ballots must be hand-copied to be counted (WashPost)

Gabe Goldberg <>
Sun, 27 Sep 2020 14:15:01 -0400

The rush to vote from home this year left Maryland election judges with a burden that plagues no other state in the country: Ballots delivered online cannot be read by the state's scanning machines. To be counted, each of those ballots must instead be hand-copied by election judges onto a cardstock ballot. And each week, more requests for those Web-delivered ballots are rolling into election offices around the state, dramatically increasing the pressure on a system built for a far different type of election.

A month ahead of the deadline, more than 111,000 people have requested Web-delivered blank ballots—nearly twice the volume of the previous election. About 924,000 voters have so far asked for ballots to be mailed to them.

The Web-delivered ballots offer front-end expediency for voters, who can follow a link in their email, enter credentials on a website and download a ballot packet to print at home on regular paper. But on the back end, that plain paper becomes a first draft, and every voter's choices must be transcribed onto oversize cardstock that can be scanned.

For transparency's sake, the transcription is done by a pair of judges — one a Republican, the other a Democrat. One judge reads the ballot choices aloud, and the other marks them down on the ballot. Then the judges switch jobs to check each other's work.

The process takes about five minutes per ballot, election officials said. As of Thursday, that added up to more than 9,000 hours of work just to get the ballots ready to be scanned.

No good deed goes unpunished.

Tokyo Stock Market Halts Trading for a Day, Citing Glitch (NYTimes)

Monty Solomon <>
Thu, 1 Oct 2020 09:38:34 -0400

The exchange's operator said it planned to resume trading on Friday after a technical problem left investors unable to place orders.

Is The Internet falling apart? (The Hill)

geoff goodfellow <>
Wed, 30 Sep 2020 10:39:56 -1000

The president's two August Executive Orders banning the mobile app TikTok and the mobile app WeChat, along with the State Department's major foreign policy initiative for a “clean” internet within the United States are only the most recent signs that the once open, global Internet is slowly being replaced by 200 nationally controlled, separate internets. And, while these separate American, Chinese, Russian, Australian, European, British, and other “internets” may decide to have some things in common with each other, the laws of political gravity will slowly pull them further apart as interest groups in each country lobby for their own concerns within their own country. Moreover, we will probably see the emergence of a global alternat[iv]e internet before long.

Some of this nationalistic dis-integration of The Internet has been foreseen as the 1990s' open/global Internet gradually became a principal domain of war, news, espionage, politics, propaganda, banking, commerce, entertainment, and education since around 2005. The process of creating hundreds of individual, national internets has been slow because the global Internet—the network of networks—was never designed to recognize national borders and because the United States had been a forceful opponent of a fragmented set of national internets. Both of these conditions have changed and they are changing rapidly.

To oversimplify, the genesis of the internet, the U.S. Defense Department's DARPANET, was designed to allow completely different computer networks (think IBM and UNIVAC, or PC and Mac) to connect with each other by inserting between them a gateway that converts each network's computer language into a common internet language, called internet protocols. The genius behind the concept is that not all computer networks needed to use the same computer language; they only had to convert to a common language at a gateway, which then routed everyone on every network to everyone on every other network. And—since computer networks do not inherently notice or care which city, province, state or country they're in or the nationality of their human user—the technology was not designed to take national borders into account. This contrasts markedly with such media as broadcasting and telecommunications, which basically grew with the permission of national governments from within countries, and then governments allowed the interconnection of their national network to others under government-controlled technical and substantive arrangements.

As background, it's important to recognize that—by almost any measure—the global Internet is controlled by businesses and non-profits subject to the jurisdiction of the United States government. Within a roughly 1,000-mile strip of land stretching from San Diego to Seattle lie most major Internet businesses and network control or standards bodies (and those that aren't there likely lie elsewhere in the United States). So—as the governments of China, Russia and Iran never tire of explaining—while Americans constitute around 310 million out of the world's 4.3 billion Internet users (around 8 percent), the U.S. government exercises influence or control over more than 70 percent of the Internet's controls and services.

It took China millions—perhaps billions—of dollars and well over a decade to demonstrate that the inherently non-nationalistic nature of the internet could be managed through both technical and legal means, sometimes described as “The Great Firewall of China.” Without listing the wide range of methods that China has used to create an internet within China that is different from the Internet in the U.S. or Europe, suffice it to say that unless someone in China has extraordinary technical means and is willing to risk breaking the rules, the internet in China is noticeably different (e.g. no Google, Facebook or Twitter). China's ability to control the Internet experience within its borders between roughly 2005 and 2018 taught many other countries that doing so, even if costly, is possible. This lesson was not lost on Russia, Iran, Australia, Turkey, Saudi Arabia, the EU and many other countries, which began developing legal (and sometimes technical) means to control Internet content within their borders. This legal/technical nationalization over the past decade was significantly boosted by the realization that it was actually not very difficult for a government to substantially shut down the Internet within a territory. […]

Apple marches to a different beat

Henry Baker <>
Mon, 28 Sep 2020 11:38:33 -0700

Is it just me, or do other people find that MacOS keeps their clock 2-3 minutes early?

I noticed that MacOS was several minutes ahead of the opening bell of the NYSE, and started watching over the next several days. It was not a fluke.

I rebooted the machine, which got MacOS to sync with an Apple time server, and it was still 2-3 minutes early.

I didn't see any easy way to change the time server that this machine consults, so it remains early.

Among other things, this time difference is a security risk, because someone might be able to utilize a specific time difference to identify a particular computer.
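The check a practitioner would run here, before blaming the time server, is to query an NTP server and compute the offset the way RFC 5905 does from the four timestamps of the exchange. The C below is an added example written for this digest, not Baker's or Apple's code: it parses an NTP server reply, applies the sanity checks a client should apply (version, mode, stratum, transmit timestamp) and returns the offset and round-trip delay. The reply packet and the client's receive time are constructed for the example, not captured; the client's clock is set 150 s ahead of the server, so the offset comes out negative. No network code is included, so it runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for this digest, not Apple's or Baker's code. The server
 * reply below is constructed for the example, not captured from a server. */

#define NTP_PACKET_LEN 48
#define NTP_UNIX_DELTA 2208988800.0   /* seconds from 1900-01-01 to 1970-01-01 */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* NTP timestamp: 32-bit seconds since 1900 plus a 32-bit binary fraction. */
double ntp_ts_to_unix(const uint8_t *p)
{
    return (double)be32(p) - NTP_UNIX_DELTA + (double)be32(p + 4) / 4294967296.0;
}

/* Clock offset and round-trip delay per RFC 5905 from a server reply.
 *   t1 = origin timestamp   (client send, echoed by the server, bytes 24..31)
 *   t2 = receive timestamp  (server, bytes 32..39)
 *   t3 = transmit timestamp (server, bytes 40..47)
 *   t4 = client's clock when the reply arrived, in Unix seconds
 * offset = server clock minus client clock, so a negative value means the
 * client is ahead. Returns 0 if the reply fails basic sanity checks. */
int ntp_offset(const uint8_t *pkt, size_t len, double t4,
               double *offset, double *delay)
{
    if (len < NTP_PACKET_LEN) return 0;
    unsigned vn = (pkt[0] >> 3) & 7u, mode = pkt[0] & 7u;
    if (vn < 3 || vn > 4 || mode != 4) return 0;   /* want an NTPv3/v4 server reply */
    if (pkt[1] == 0) return 0;                     /* stratum 0: kiss-o'-death, unusable */
    if (be32(pkt + 40) == 0) return 0;             /* no transmit timestamp */
    double t1 = ntp_ts_to_unix(pkt + 24);
    double t2 = ntp_ts_to_unix(pkt + 32);
    double t3 = ntp_ts_to_unix(pkt + 40);
    *offset = ((t2 - t1) + (t3 - t4)) / 2.0;
    *delay  = (t4 - t1) - (t3 - t2);
    return 1;
}

/* Constructed reply. base = 2020-10-02 12:00:00 UTC in NTP seconds. The
 * client's clock is exactly 150 s ahead of the server: the client sends at
 * client time base+150 (true time base), the server receives at base and
 * transmits at base+1.5, and the client sees the reply at client time
 * base+152 (true time base+2). */
void build_sample_reply(uint8_t *pkt)
{
    const uint32_t base = 3810628800u;
    memset(pkt, 0, NTP_PACKET_LEN);
    pkt[0] = (uint8_t)((4u << 3) | 4u);  /* LI=0, VN=4, Mode=4 (server) */
    pkt[1] = 2;                          /* stratum 2 */
    put_be32(pkt + 24, base + 150); put_be32(pkt + 28, 0);            /* t1 */
    put_be32(pkt + 32, base);       put_be32(pkt + 36, 0);            /* t2 */
    put_be32(pkt + 40, base + 1);   put_be32(pkt + 44, 0x80000000u);  /* t3 = base+1.5 */
}

double sample_client_t4(void) { return 3810628952.0 - NTP_UNIX_DELTA; }  /* base+152 */

/* The estimate is -150.25 s rather than the true -150 s because the
 * constructed path is asymmetric (0 s out, 0.5 s back) and the formula
 * assumes symmetry; the error is bounded by half the round-trip delay. */
double sample_offset(void)
{
    uint8_t pkt[NTP_PACKET_LEN]; double off = 0, del = 0;
    build_sample_reply(pkt);
    ntp_offset(pkt, sizeof pkt, sample_client_t4(), &off, &del);
    return off;
}

double sample_delay(void)
{
    uint8_t pkt[NTP_PACKET_LEN]; double off = 0, del = 0;
    build_sample_reply(pkt);
    ntp_offset(pkt, sizeof pkt, sample_client_t4(), &off, &del);
    return del;
}

/* A packet with Mode=3 (client) must be rejected, whatever its timestamps. */
int sample_reject_client_mode(void)
{
    uint8_t pkt[NTP_PACKET_LEN]; double off = 0, del = 0;
    build_sample_reply(pkt);
    pkt[0] = (uint8_t)((4u << 3) | 3u);
    return ntp_offset(pkt, sizeof pkt, sample_client_t4(), &off, &del);
}

int main(void)
{
    printf("offset %.3f s, round-trip delay %.3f s\n", sample_offset(), sample_delay());
    puts(sample_offset() < 0 ? "local clock is ahead of the server"
                             : "local clock is behind the server");
    return 0;
}
```

On macOS the same numbers come from the bundled `sntp` client (`sntp time.apple.com`). An offset of minutes that survives a reboot cannot be network delay, because the formula's error is bounded by half the round-trip delay, so the next question is which server the machine actually consulted and whether the reply passed the checks above.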

Robots smaller than the width of a hair

Richard Stein <>
Tue, 29 Sep 2020 13:40:13 +0800

The video demonstrates that silicon-device manufacturing techniques can mass produce microscopic mobile robots. The device creators suggest these devices might one day deliver targeted chemotherapy payloads or other substances to treat human diseases.

For size comparison purposes:

a) Human blood cell diameter is ~6 to 8 micrometers (see, retrieved on 29SEP2020).

b) Human hair diameter ranges between ~17 micrometers to ~181 micrometers. Thickness attributed to various genetic factors (see).

Tablets (with silicon dioxide) are apparently used to treat osteoporosis, heart disease, hair loss, Alzheimer's disease, etc (see, retrieved on 29SEP2020). Silicon dust, if inhaled, is toxic (see, retrieved on 29SEP2020).

Risk: Unmetabolized silicon robot carcasses (toxic waste), including other minerals used to manufacture the robot, or metabolites from robot interaction with human blood.

Double-blind clinical study needed to determine therapeutic safety.

Could future AI turn animals against us? (The Next Web)

geoff goodfellow <>
Fri, 2 Oct 2020 08:49:16 -1000

This Is How Much Top Hackers Are Earning From Bug Bounties

“Peter G. Neumann” <>
Mon, 28 Sep 2020 13:12:20 PDT

Steve Ranger, ZDNet, 22 Sep 2020 via the ACM Tech News, 28 Sep 2020

More than $44.75 million in bounties was awarded to hackers worldwide over the past year, up 86% annually, according to HackerOne, which operates bug bounty programs. The average bounty paid for critical vulnerabilities rose 8% over the past year to $3,650, and the average amount paid per vulnerability was $979. To date, more than 181,000 vulnerabilities have been reported, and hackers have been paid more than $100 million. Almost nine out of 10 of the hackers enrolled with HackerOne are under 35, and hacking is the only source of income for one in five of the program's hackers. HackerOne reported that, in less than a decade, nine individual hackers have been paid $1 million in total bounty earnings, more than 200 hackers have earned more than $100,000, and 9,000 hackers have earned “at least something.”

Windows XP source code leaks online (The Verge)

Monty Solomon <>
Sat, 26 Sep 2020 00:03:59 -0400

File under ‘feature interaction’ (BBC)

Martyn Thomas <>
Sat, 26 Sep 2020 19:12:00 +0100

If this story is true it appears that the alcohol mist is automatic—and so is the sensor to detect alcohol in the driver's breath. But surely it must have been tested …

Third-Party Code Bug Left Instagram Users at Risk of Account Takeover (Alex Scroxton)

ACM TechNews <>
Mon, 28 Sep 2020 12:50:25 -0400 (EDT)

Alex Scroxton, Computer Weekly, 24 Sep 2020 via ACM TechNews, 28 Sep 2020

Security teams at Check Point and Facebook reported a third-party remote code execution flaw in the Instagram photo-sharing platform, which could have enabled malefactors to hijack accounts and use victims' devices for surveillance. Facebook describes the bug as an integer overflow leading to a heap buffer overflow; it was present in Mozjpeg, an open source, third-party JPEG decoder that Instagram uses to upload images to the application. Check Point's Yaniv Balmas highlighted the risks of using third-party code libraries to build app infrastructures without checking for flaws. Although patched six months ago, the Mozjpeg bug is only being disclosed now in the hope that a sufficient number of users have updated their apps to ameliorate its impact.
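The mechanism the summary names, an integer overflow that leads to a heap buffer overflow, is the classic image-decoder pattern: the output buffer size is computed from header fields the attacker controls, the multiplication wraps, the allocation is too small, and the first decoded row writes past it. The C below is an added example for this digest, not Mozjpeg, Check Point or Facebook code, and not the disclosed bug itself (the page gives no details of it). The function names, the 65535 dimension cap (a JPEG SOF width or height field is 16 bits) and the sample dimensions are assumptions; it shows the wrapping computation beside a hardened version that bounds each field and checks the multiplication before performing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative example added to this digest; not Mozjpeg code and not the
 * disclosed bug. Names, limits and sample dimensions are assumptions. */

#define MAX_DIM        65535u   /* a JPEG SOF width/height field is 16 bits */
#define MAX_COMPONENTS 4u       /* e.g. CMYK */

/* Vulnerable pattern: the product of three header-controlled fields in
 * 32-bit unsigned arithmetic. Unsigned wrap is well defined in C, so the
 * compiler will not complain; the result is simply wrong. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t components)
{
    return width * height * components;        /* wraps modulo 2^32 */
}

/* Hardened pattern: bound each field from the format's own limits, then
 * check the multiplication against SIZE_MAX before it is performed.
 * Returns 1 and writes *out on success, 0 if the request must be rejected. */
int checked_buffer_size(uint32_t width, uint32_t height, uint32_t components,
                        size_t *out)
{
    if (width == 0 || height == 0 || components == 0) return 0;
    if (width > MAX_DIM || height > MAX_DIM || components > MAX_COMPONENTS) return 0;
    size_t row = (size_t)width * components;   /* at most 65535*4, cannot overflow */
    if (row > SIZE_MAX / height) return 0;     /* row * height would overflow */
    *out = row * height;
    return 1;
}

/* Same check, returning 0 for "rejected"; convenient for callers and tests. */
size_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t components)
{
    size_t n;
    return checked_buffer_size(width, height, components, &n) ? n : 0;
}

/* A decoder writes one row of width*components bytes into the output
 * buffer. If that row does not fit in what was allocated, the very first
 * scanline write is already a heap buffer overflow. */
int first_row_fits(uint32_t width, uint32_t components, size_t allocated)
{
    uint64_t row = (uint64_t)width * components;
    return row <= allocated;
}

int main(void)
{
    /* Constructed dimensions: 1048577 x 4096 x 1 really needs 2^32 + 4096 bytes. */
    uint32_t w = 1048577u, h = 4096u, c = 1u;

    uint32_t naive = naive_buffer_size(w, h, c);
    printf("naive size: %u bytes, first row fits: %d\n",
           naive, first_row_fits(w, c, naive));              /* 4096, 0: overflow */

    size_t safe;
    printf("checked: %s\n",
           checked_buffer_size(w, h, c, &safe) ? "accepted" : "rejected");

    /* An ordinary 1920x1080 RGB image passes both computations. */
    printf("1920x1080x3: %zu bytes\n", checked_size_or_zero(1920u, 1080u, 3u));
    return 0;
}
```

The hardened check rejects the hostile dimensions before any allocation, and the bound on `width * components` (at most 65535 * 4) is what makes the single remaining `SIZE_MAX / height` test sufficient; a format with wider fields would need a check on each multiplication.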

MIT Media Lab develops sleep-tracking device that alters dreams to boost creativity (Science Times)

geoff goodfellow <>
Wed, 30 Sep 2020 10:47:07 -1000

Scientists from MIT have found a way to implant ideas in the minds of people as they fall asleep to create bizarre and abstract dreams. The researchers used the targeted dream incubation to guide people's dreams towards particular themes by repeating information during the first stage of sleep. That stage is called hypnagogia, which is responsible for dreams about psychedelic phenomena.

The technology consists of a wrist-worn electronic device that tracks sleep, called Dormio, connected to an app that delivers audio prompts during hypnagogia.

The researchers influenced the dreams of most of their study participants to dream about a tree during the earliest stage of sleep during the trials. An MIT computer scientist also used the Dormio system to make himself dream about the chocolate fountain seen in the classic 1971 film 'Willy Wonka and the Chocolate Factory.' […]

Privacy of biometric data in DHS hands in doubt, IG says (RollCall)

geoff goodfellow <>
Wed, 30 Sep 2020 10:56:15 -1000

CBP failed to protect 184,000 facial images of cross-border travelers before massive data breach last year, according to report […]

New homeowner ‘freaked out’ when stranger took control of her security system (CBC.CA)

“Matthew Kruk” <>
Mon, 28 Sep 2020 06:45:57 -0600

Weak laws leave thousands vulnerable, former privacy commissioner says.

The message came out of the blue for Taylor Fornell. A stranger told her he had complete control over the home security system in her new house in Stony Plain, Alta., and could prove it.

As she stood alone in her front hall, she watched in disbelief as the man disarmed the system, unlocked doors and windows and told her he could track when she left the house - all with a few clicks on the security company's app. “I felt a little sick to my stomach. It's just really creepy and a breach of trust,” Fornell told Go Public, referring to Vivint, the security company that installed and ran the system.

Fornell was lucky. The stranger who connected with her on Facebook was the former owner of the house.

Alarm company “overlooked” change of home ownership (CBC.CA)

Jonathan Levine <>
Mon, 28 Sep 2020 07:53:35 -0600

Teacher saw a BB gun in 9-year-old's room during online class, who faced expulsion

Monty Solomon <>
Fri, 25 Sep 2020 23:08:50 -0400

“They're applying on-campus rules to these children, even though they're learning virtually in their own homes,” said the family's attorney, Chelsea Cusimano.

Using deep learning to control the unconsciousness level of patients in an anesthetic state

Richard Stein <>
Mon, 28 Sep 2020 15:08:19 +0800

“Essentially, Schamberg and his colleagues developed a deep neural network and trained it to control anesthetic dosing using reinforcement learning within a simulated environment. They specifically focused on the dosage of Propofol, a medication that decreases people's level of consciousness and is commonly used to perform general anesthesia or sedation on patients who are undergoing medical procedures.”

The report concludes with this text:

“So far, our approach outperformed the commonly used proportional-integral-derivative controller and was robust across a variety of patient variations in drug metabolism and effect,” Schamberg said. “We would now love to test the proposed paradigm on humans in controlled clinical settings.”

Modern anesthesia practice demonstrates dramatically low patient injury or mortality. See (retrieved 28SEP2020) which estimates 1 death per 100000 anesthesia procedures since ~2000.

General anesthesia application encompasses a procedural life cycle. Patient sedation comprises one life cycle phase (see, retrieved on 28SEP2020).

Numerous devices, depending on surgical procedure, are used to administer sedation and for post-operative recovery: Needles, catheters, sedative injections, gas mixtures, etc. Several instruments are applied to measure patient sedation and overall vitality while under the knife: blood oxygen level, blood pressure, sedative flow, patient pulse, respiration rate, etc.

The FDA's Total Product Life Cycle reporting system reveals product codes representing widely deployed commercial anesthesia delivery systems and kits.

This query yields 28 product codes. Individual medical device reports (MDR) attributed to the three-letter product code, and the commercial anesthesia devices it classifies, can be accessed:

Since 2015, the product codes with the biggest MDR density appear to be: BSZ and OGE. BSZ applies to “gas machine, anesthesia” devices; OGE applies to “anesthesia, epidural kit” devices.

It is notable that the top 3 MDR problems for each product code indicate a device or component issue that DID NOT impact the patient. The events run the gamut: contaminated syringe, stuck catheter, leak, system shutdown, foreign body in patient, broken knob, kink in suction line, etc. Fortunately, a skilled professional intervened to mitigate.

The Top-10 Patient Problems for BSZ:

  Patient Problem                             MDRs with this problem   Events in those MDRs
  No Patient Involvement                                        7245                   7245
  No Consequences Or Impact To Patient                          3203                   3203
  No Known Impact Or Consequence To Patient                      633                    633
  Low Oxygen Saturation                                           55                     55
  No Information                                                  33                     33
  Awareness during Anaesthesia                                    22                     22
  No Code Available                                               14                     14
  Cardiac Arrest                                                  11                     11

The Top-10 Patient Problems for OGE:

  Patient Problem                             MDRs with this problem   Events in those MDRs
  No Consequences Or Impact To Patient                           260                    260
  No Information                                                 148                    148
  No Known Impact Or Consequence To Patient                      115                    115
  Foreign Body In Patient                                         66                     66
  Device Embedded In Tissue or Plaque                             29                     29
  Cerebrospinal Fluid Leakage                                     18                     18
  No Patient Involvement                                          15                     15
  Needle Stick/Puncture                                           10                     10
  No Code Available                                                6                      6

Re: A Tesla driver was caught sleeping on Autopilot (RISKS-32.29)

Martin Ward <>
Sat, 26 Sep 2020 15:54:23 +0100

Basically, the Tesla Autopilot replaces a good driver with a poor driver. (If you are a poorer driver than Tesla Autopilot, then you should not be allowed to drive!) But, Tesla might argue, it's OK because the good driver has to continuously watch over the poor driver and take control the moment the poor driver makes a mistake.

This makes driving much more tiring for the human driver: having to concentrate all the time without being in control is much more work than actually driving. It also makes the journey less safe: the good driver is now having to react to mistakes made by the autopilot instead of being proactive in anticipating and avoiding potentially dangerous situations. Advanced driving is all about anticipation and avoidance to reduce the possibility that a dangerous situation occurs; it is not about lightning reflexes to get out of trouble.

Some examples:

In each case, instead of just instinctively avoiding the possible danger, you also have to decide if and when to take over from the autopilot, and then manage the transition while avoiding the danger.

Re: Tribune staff furious as cybersecurity test email makes cruel promises (RISKS-32.29)

John Beattie <>
Mon, 28 Sep 2020 12:28:59 +0100

I disagree that this is the fault of the WaPo staff.

First off, journalists are paid to be inquisitive, so clicking on links should be fine.

Second, they probably didn't particularly believe the email anyway but wanted to see more to understand what was going on. I've been subject to this kind of test and it is bad enough to be shown a red flashing page saying ‘FAILED’ or the like. Pointed content of the kind the WaPo used is guaranteed to get a very negative response—and from people you are actually trying to help!

Third, what we all need (and not just journalists) is to have our email pre-filtered in a sandbox environment. Load the email, test the links and see what comes back. Dodgy JavaScript and dodgy websites can be flagged.

An automated test of that sort is never going to be 100% accurate; the end user would still need to take some care. But adding checks would help greatly. End users are not solely responsible for damage due to following bad links in emails!

Re: D.C.'s New Area Code Will Be… 771 (Levine, RISKS-32.28)

Wols Lists <>
Sat, 26 Sep 2020 02:00:51 +0100

And how many of those numbers are “allocated but unused”?

Many years ago, they upgraded the numbers in the town where I worked from 5 digits to 6. In the process, they allocated our company the number 36nnnn for DDI (Direct Dial-In). In other words, each phone in the office had a normal phone number - the local exchange routed all numbers starting with 36 to the company PABX for it to process the rest.

That's 10,000 numbers allocated to just one customer …

Re: Pandemic spurs journalists to go it alone via email (Axios)

“Steve and Micki Bacher” <>
Sat, 26 Sep 2020 09:01:55 -0400

This item fails to observe that in the case of Sullivan (and likely Taibbi as well), what's pushing them out is not the pandemic but the amount of interference (aka censorship) being imposed by the publishing organizations they work for, since these writers often espouse views not in keeping with the mainstream. So it's more cancel culture than COVID-19 cultures.
