The RISKS Digest
Volume 32 Issue 31

Saturday, 10th October 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information features enabled by clicking the flashlight icon above. They are described in the news page. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Too many passengers at front of plane caused take-off issue at Luton Airport
BBC
Tesla owner says he butt-dialed a $4,280 Autopilot upgrade
CNBC
Why cars are more “fragile”: more technology has reduced reobustness
Paul Robinson
Polestar 2 EV recalled over glitch that can cut power while driving
Engadget
Space is becoming too crowded, Rocket Lab CEO warns
CNN
Botched Excel import may have caused loss of 15,841 UK COVID-19 cases
Thomas Dzubin plus others
Psychology study indicates that narcissists are more involved in politics than the rest of us
SagePub
Doctor gave an inept diagnosis for a neurological problem
WashPost
Can AI Detect Disinformation? A New Special Operations Program May Find Out
Defense One
California bar exam has facial recognition problems
SanFranChronicle
Nuclear Waste and Nuclear Waste Management at the Hanford Site
ContentSharing
Charges filed in hack that caused NFL athlete's nude pics to be posted on Twitter
Ars Technica
A Literal Child and His Mom Sue Nintendo Over Joy-Con Drift'
WiReD
Eero for Service Providers: Eero Wi-Fi mesh targeted at ISPs
Ars Technica
DHS warns that Emotet malware is one of the most prevalent threats today
Ars Technica)
'Smart' male chastity device vulnerable to locking by hackers: researchers
AFP
Hackers targeting IoT devices with a new P2P botnet malware
The Hacker News
Supreme Court takes on Google vs. Oracle: The biggest software development case ever
ZDNet
55 New Security Flaws Reported in Apple Software and Services
The Hacker News
Researchers Find Vulnerabilities in Microsoft Azure Cloud Service
The Hacker News
Microsoft Office 365, Outlook down again
ZDNet
CyberCommand has sought to disrupt the world's largest botnet, hoping to reduce its potential impact on the election
WashPost
Pennsylvania voter services website crashes as 2020 election mail ballot deadlines loom
Inquirer
Clinical Trials Hit by Ransomware Attack on Health Tech Firm
Nicole Perlroth
Flawed Algorithm Used to Determine UK Welfare Payments Is 'Pushing People Into Poverty'
Thomas Macaulay
'The Wire' inspired a fake turtle egg that spies on poachers
WiReD
The robot shop worker controlled by a faraway human
bbc.com
“A friend of a friend at Google interviewed at Facebook right as the virus hit”
unnamed via twitter
Documents Show How The LAPD Was Trained To Use Palantir
BuzzFeed
Meet the Customer Service Reps for Disney and Airbnb Who Have to Pay to Talk to You
ProPublica
Digital pioneer Geoff Huston apologises for bringing the Internet to Australia
ZDNet
Psychographic Profiling cartoon
Tom Fishburne—Marketoonist
Re: Maryland's web-delivered ballots must be hand-copied to be counted
Amos Shapir
Re: Apple marches to a different beat
Steve Klein John Levine Alan Ralph Craig S. Cottingham
Info on RISKS (comp.risks)

Too many passengers at front of plane caused take-off issue at Luton Airport (BBC)

Allen Bonneau <alnbonneau@gmail.com>
Sat, 10 Oct 2020 12:30:32 -0500

Downstream impact from an unavailable system

The automated system had a technical issue preventing a plane change from being passed to downstream systems. Operators noticed the change and manual updates were performed as a workaround. Either the workaround was not complete or did [not?] address all affected systems.

https://www.bbc.com/news/uk-england-beds-bucks-herts-54477819


Tesla owner says he butt-dialed a $4,280 Autopilot upgrade Luton Airport (CNBC)

Amos Shapir <amos083@gmail.com>
Fri, 9 Oct 2020 14:02:15 +0300

It seems that the Tesla app on iPhone somehow makes an update purchase as the default action, and doesn't require a confirmation password or code.

Full story at: https://www.cnbc.com/2020/10/07/tesla-app-butt-dial-purchases-still-possible-refunds-hard-to-get.html


Why cars are more “fragile”: more technology has reduced reobustness

Paul Robinson <rfc1394@yahoo.com>
Fri, 2 Oct 2020 20:37:12 +0000 (UTC)

Some associates of mine have noticed problems with automobiles, often with changes they do not like or want, like forcing the use of a start button (and stepping on the brake) instead of simply turning the key. It means things like the passenger being able to turn on he car just by turning the key have gone the way of the AM-only radio or the crank starter. Now, turning the engine on, even if you're not going to drive, requires getting out of the car, sitting in the driver's seat, stepping on the brake, then pushing the starter. Another problem is that a relatively inexpensive device (like keys) that even in the most expensive cases never reached US$20, are now replaced by transponders or keyfobs costing as much as $1,000.

And the cost of repairs has gone up as the capacity of most people to do anything beyond routine maintenance has gone down. Technology has improved features cars have, but it has come at a cost.

Cars in the past used relays to control functions because it was the least expensive way to provide these functions. As microprocessors became ever cheaper and had more functionality, they became ideal for use to do multiple things in place of relays, programmable logic controllers, and other circuitry. All that they had to do was connect them. Previously they ran one connection (wire) to each thing being controlled. Then they got an idea: create a network (bus) to connect the components. If the components could simply only listen on the bus for commands addressed to them, you only need one wire for everything, to send messages everywhere. This provides lots more flexibility as all you have to do as add new messages with a different command code and you can control a new device, but it makes everything more “fragile.”

Now, when I say “fragile,” I don't mean the comment of Doc Brown in “Back to the Future” in which he says a 1954 Buick crashing into a Delorean would tear through it like tissue paper, i mean the systems are less “robust,” less resistant to failure.

Systems built with centralized or “concentrated” architecture are more fragile, more subject to failure because there are more critical points that if any one point fails, the whole thing fails. On a car from the past, short of the engine or transmission suffering catastrophic damage, the car would continue to operate. Today, if the computer or the bus is damaged, your car is inoperable.

Previously, a failure of the air conditioning didn't mean the car couldn't drive, or if there was a problem with the power steering it doesn't prevent you from putting the car in reverse. But today, so many systems are connected in a very centralized architecture that one system can affect another due to side effects. It also means that where before, just about anyone with ordinary education and skils could repair most things on an automobile with ordinary tools, today it takes a skilled mechanic with a master's degree and $40,000 in equipment.

Distributed architecture increases robustness. Here are two examples.

The development of Blockchain technology has caused other industries to use it beyond cryptocurrency. An example being a bank: crack their mainframe and you can steal just about anything. But, if instead of breaking one computer you have to get, say, all or a majority of all 100 branches to agree, it makes it much harder to almost impossible to create a fraudulent transaction.

During the Gulf War, despite saturation bombing, the coalition forces were unable to shut down Iraq's military Command & Control systems; the messages still got through. The reason being that the systems were built using TCP/IP, the same communications protocol used by the Internet, and was invented specifically for the US military to be able to continue to operate communications infrastructure capable of communicating to troops in the event of nuclear war. We found out under actual battlefield conditions that “the damn stuff actually works.”

These and other examples show that distributed architecture makes systems more robust, while concentrated architecture makes systems more fragile. We have traded increased functionality and cost savings, while sacrificing robustness and less complexity. and the trend is likely to continue, unless people get sick of these failures and demand better, or someone comes up with better systems that are more robust and possibly simpler.

While that would be nice, I don't see that happening any time soon.


Polestar 2 EV recalled over glitch that can cut power while driving (Engadget)

Monty Solomon <monty@roscom.com>
Sat, 3 Oct 2020 12:08:30 -0400

https://www.engadget.com/polestar-2-ev-recall-over-power-glitch-151046269.html


Space is becoming too crowded, Rocket Lab CEO warns (CNN)

geoff goodfellow <geoff@iconia.com>
Fri, 9 Oct 2020 05:07:00 -1000

In 1978, NASA scientist Donald Kessler warned of a potential catastrophic, cascading chain reaction in outer space. Today known as “Kessler Syndrome,” the theory posited that space above Earth could one day become so crowded, so polluted with both active satellites and the detritus of space explorations past, that it could render future space endeavors more difficult, if not impossible. Last week, the CEO of Rocket Lab, a launch startup, said the company is already beginning to experience the effect of growing congestion in outer space. Rocket Lab CEO Peter Beck said that the sheer number of objects in space right now—a number that is growing quickly thanks in part to SpaceX's satellite Internet constellation, Starlink—is making it more difficult to find a clear path for rockets to launch new satellites. “This has a massive impact on the launch side,” he told CNN Business. Rockets “have to try and weave their way up in between these [satellite] constellations.”

Part of the problem is that outer space remains largely unregulated. The last widely agreed upon international treaty hasn't been updated in five decades, and that's mostly left the commercial space industry to police itself. Rocket Lab set out to create lightweight rockets—far smaller than SpaceX's 230-foot-tall Falcon rockets—that can deliver batches of small satellites to space on a monthly or even weekly basis. Since 2018, Rocket Lab has launched 12 successful missions and a total of 55 satellites to space for a variety of research and commercial purposes. Beck said the in-orbit traffic issues took a turn for the worst over the past 12 months. It was over that time that SpaceX has rapidly built up its Starlink constellation, growing it to include more than 700 Internet-beaming satellites. It's already the largest satellite constellation by far, and the company plans to grow it to include between 12,000 and 40,000 total satellites. That's five times the total number of satellites humans have launched since the dawn of spaceflight in the late 1950s. <https://www.cnn.com/2020/07/02/tech/spacex-starlink-planet-9-x-scn/index.html>

It's not clear if traffic from its own satellites has also caused frustrations for SpaceX. The company did not respond to a request for comment. Orbital junkyards. […] https://www.cnn.com/2020/10/07/business/rocket-lab-debris-launch-traffic-scn/index.html


Botched Excel import may have caused loss of 15,841 UK COVID-19 cases

Thomas Dzubin <dzubint@vcn.bc.ca>
Mon, 5 Oct 2020 13:48:04 -0700 (PDT)

“The problem is that the PHE developers picked an old file format to do this — known as XLS.”

As a consequence, each template could handle only about 65,000 rows of data rather than the one million-plus rows that Excel is actually capable of.

https://arstechnica.com/tech-policy/2020/10/excel-glitch-may-have-caused-uk-to-underreport-covid-19-cases-by-15841/

Asked if it was likely that some people will have got coronavirus due to the IT failure, Work and Pensions Secretary Therese Coffey told Sky News: “There may well be.”

The error is believed to have been caused by a spreadsheet containing lab results reaching its maximum size, and failing to update.

https://www.standard.co.uk/news/uk/covid-testing-technical-issue-excel-spreadsheet-a4563616.html

So, the problem hasn't actually been fixed… just pushed down the road a bit for someone else to deal with in the next Pandemic

[danny burstein noted a Twitter item from Max Roser, Univ. of Oxford researcher: https://twitter.com/MaxCRoser/status/1313046638915706880 ah… I had some trouble copying those URLs, but here: https://www.bbc.co.uk/news/uk-54412581 https://www.dailymail.co.uk/news/article-8805697/Furious-blame-game-16-000-Covid-cases-missed-Excel-glitch.html PGN]


Psychology study indicates that narcissists are more involved in politics than the rest of us (SagePub)

geoff goodfellow <geoff@iconia.com>
Fri, 2 Oct 2020 09:56:38 -1000

Those higher in narcissism are disproportionately taking part in the democratic process, according to new research published in Personality and Social Psychology Bulletin <https://journals.sagepub.com/doi/10.1177/0146167220919212>.

The study found a positive correlation between narcissism and political participation. In other words: The more narcissistic someone is, the more likely they are to contact politicians, sign petitions, donate money, and vote in midterm elections.

“We have entered into an Age of Entitlement and a post-truth world that combine to form an unprecedented cultural movement where large portions of the public pursue self-interest and self-promotion above all things and truth is whatever you want it to be, where alternative facts are given equal standing with credible sources,” said study author Pete Hatemi <https://scholar.google.com/citations?hl=en&user=Ci8Ix08AAAAJ&view_op=list_works&sortby=pubdate>, a distinguished professor at Penn State University.

“It is hard not to notice how much more of me is part of our world — projecting one's status at the cost of others, whether using social media such as Facebook or Instagram or Twitter. Gone are the days when children's goals were to be something or do something important, replaced by the desire to be famous. Tom Wolfe's vision seems to have come to pass.”

“It was hard for my colleague Zoltan Fazekas and I to ignore the rampant narcissism in our elected leaders, and the outcomes of their decisions. And it seemed likely that higher public narcissism has some role in the growing instability of our democracy, and in 2009 we began collecting data to see if those higher in narcissism are taking a greater part in the political process,” Hatemi explained.

The researchers examined data from two nationally representative surveys in the U.S. and in Denmark, with 500 and 2,450 participants in each, respectively, and a web-based U.S. survey with 2,280 participants.

All of the surveys assessed narcissism and eight types of political participation: signing a petition, boycotting or buying products for political reasons, participating in a demonstration, attending political meetings, contacting politicians, donating money, contacting the media, and taking part in political forums and discussion groups.

The surveys also collect information about voting behavior and sociodemographic variables such as gender, age, race, education, and political ideology. […] https://www.psypost.org/2020/09/psychology-study-indicates-that-narcissists-are-more-involved-in-politics-than-the-rest-of-us-58112


Doctor gave an inept diagnosis for a neurological problem (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Mon, 5 Oct 2020 16:51:37 -0400

Steven H. Horowitz, The Washinton Post

Perspective: “A doctor gave me an inept diagnosis for a neurological problem. I should know: I'm a neurologist.”

“I offered to teach the staff at this medical center, but I got nowhere. I could not have been the first patient so poorly evaluated. Without doubt, I won't be the last.”

https://www.washingtonpost.com/health/hospital-misdiagnosis-mistakes-ignored/2020/10/02/7bac2d10-f851-11ea-be57-d00bb9bc632d_story.html


Can AI Detect Disinformation? A New Special Operations Program May Find Out (Defense One)

geoff goodfellow <geoff@iconia.com>
Mon, 5 Oct 2020 08:39:26 -1000

Air Force, U.S. Special Operations Command fund year-long effort to train a neural net to rank credibility and sort news from misinformation.

For all the U.S. military's technical advantages over adversaries, it still struggles to counter disinformation. A new software tool to be developed for the U.S. Air Force and Special Operations Command, or SOCOM, may help change that.

“If you don't compete in the information space, regardless of how good your operations are, your activities are, you will probably eat a shit sandwich

of disinformation or false reporting later on,” Raymond ‘Tony' Thomas, a former SOCOM chief, said in an interview*.* “We certainly experienced that at the tactical level. That was the epiphany where we would have good raids, good strikes, etc. and the bad guys would spin it so fast that we would be eating collateral damage claims, etc. So the information space in that very tactical space is key.

It even “stretches to the strategic space,” said Thomas, meaning that disinformation can spread until it affects larger geopolitical realities.

Thomas now serves as an advisory board member for Primer, a company that on Thursday announced a Small Business Innovation Research contract to develop software over the next year to help analysts better—and much more quickly—survey the information landscape and hopefully detect false narratives that show up in the public space. […] <https://www.prnewswire.com/news-releases/socom-and-us-air-force-enlist-primer-to-combat-disinformation-301143716.html>

https://www.defenseone.com/technology/2020/10/can-ai-detect-disinformation-new-special-operations-program-may-find-out/168972/


California bar exam has facial recognition problems (SanFranChronicle)

Al Stangenberger <forags@sbcglobal.net>
Thu, 8 Oct 2020 07:24:54 -0700

Despite the software vendor's protestations, it appears that facial recognition software is not ready for prime time… https://www.sfchronicle.com/business/article/California-bar-exam-takers-say-facial-recognition-15629617.php


Nuclear Waste and Nuclear Waste Management at the Hanford Site

Gabe Goldberg <gabe@gabegold.com>
Tue, 6 Oct 2020 15:25:00 -0400

History, Environmental Issues and Policies

Cited as being the most contaminated site in the Western Hemisphere, Mr. Weil will cover the history of Hanford from its beginning as part of the Manhattan Project in 1943. He will discuss the construction and operation of multiple processing facilities for the production of plutonium (for more than 60,000 nuclear weapons). He will also discuss waste management activities from the 1940s to today and current activities at the Hanford Site. The presentation will review major activities including the development and impact of the Hanford Federal Facility Compliance Agreement and Consent Order, the construction and operation of the Environmental Restoration Disposal Facility (a huge landfill on the site receiving remediation waste), the cocooning of production reactors, and the closing and dismantling of large numbers of production facilities on site (including the Plutonium Finishing Plant).

http://contentsharing.net/actions/email_web_version.cfm?ep=Kj_xdJ-0JVJIqqPQAeqUL9PFzB2cyVMeq4O4KPvoOMMkk20cH7CRQUqLr9Acr_Qu67LSb73pM6fsmZenSms-I5PLieqgow6a2sNgxWm_EL4~


Charges filed in hack that caused NFL athlete's nude pics to be posted on Twitter (Ars Technica)

Monty Solomon <monty@roscom.com>
Sat, 3 Oct 2020 12:19:31 -0400

Men accused of taking part in scheme to phish credentials and sell account access.

https://arstechnica.com/information-technology/2020/09/2-men-charged-with-hacking-social-media-accounts-of-nfl-and-nba-players/


A Literal Child and His Mom Sue Nintendo Over Joy-Con Drift' (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Wed, 7 Oct 2020 18:22:30 -0400

The class action lawsuit alleges that the video game company hasn't done enough to address a known problem with its controllers.

https://www.wired.com/story/nintendo-joy-con-lawsuit/

The risks? Technology, lawyers, greed…


Eero for Service Providers: Eero Wi-Fi mesh targeted at ISPs (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 7 Oct 2020 18:50:15 -0400

https://arstechnica.com/gadgets/2020/10/eero-for-service-providers-eero-wi-fi-mesh-targeted-at-isps/


DHS warns that Emotet malware is one of the most prevalent threats today (Ars Technica))

Monty Solomon <monty@roscom.com>
Wed, 7 Oct 2020 18:51:06 -0400

https://arstechnica.com/information-technology/2020/10/dhs-warns-that-emotet-malware-is-one-of-the-most-prevalent-threats-today/


'Smart' male chastity device vulnerable to locking by hackers: researchers (AFP)

geoff goodfellow <geoff@iconia.com>
Wed, 7 Oct 2020 07:48:14 -1000

A security flaw in an Internet-connected male chastity device could allow hackers to remotely lock it—leaving users trapped, researchers have warned.

The Cellmate, produced by Chinese firm Qiui, is a cover that clamps on the base of the male genitals with a hardened steel ring, and does not have a physical key or manual override.

The locking mechanism is controlled with a smartphone app via Bluetooth — marketed as both an anti-cheating and a submission sex play device—but security researchers have found multiple flaws that leave it vulnerable to hacking.

“We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device. There is no physical unlock,” British security firm Pen Test Partners said Tuesday.

“An angle grinder or other suitable heavy tool would be required to cut the wearer free.”

The firm also found other security flaws in the Cellmate—listed for $189 on Qiui's website—that could expose sensitive user information such as names, phone numbers, birthdays and location data. […] https://sports.yahoo.com/smart-male-chastity-device-vulnerable-053135255.html

This gives new meaning to the WOPR response at the end of the movie WarGames: The only winning strategy is not to play.


Hackers targeting IoT devices with a new P2P botnet malware (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Wed, 7 Oct 2020 08:16:50 -1000

Cybersecurity researchers have taken the wraps off a new #botnet that's hijacking Internet-connected smart devices in the wild to perform nefarious tasks, mostly #DDoS attacks, and illicit #cryptocurrency coin mining.

Cybersecurity researchers have taken the wraps off a new botnet hijacking Internet-connected smart devices in the wild to perform nefarious tasks, mostly DDoS attacks, and illicit cryptocurrency coin mining.

Discovered by Qihoo 360's Netlab security team, the HEH Botnet <https://blog.netlab.360.com/heh-an-iot-p2p-botnet/>—written in Go language and armed with a proprietary peer-to-peer (P2P) protocol, spreads via a brute-force attack of the Telnet service on ports 23/2323 and can execute arbitrary shell commands.

The researchers said the HEH botnet samples discovered so far support a wide variety of CPU architectures, including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III), and PowerPC (PPC).

The botnet, despite being in its early stages of development, comes with three functional modules: a propagation module, a local HTTP service module, and a P2P module.

Initially downloaded and executed by a malicious Shell script named “wpqnbw.txt,” the HEH sample then uses the Shell script to download rogue programs for all different CPU architectures from a website (“pomf.cat”), before eventually terminating a number of service processes based on their port numbers. […] https://thehackernews.com/2020/10/p2p-iot-botnet.html


Supreme Court takes on Google vs. Oracle: The biggest software development case ever (ZDNet)

Gabe Goldberg <gabe@gabegold.com>
Thu, 8 Oct 2020 00:32:27 -0400

More than a decade in the marking, the Supreme Court may finally decide if application programming interfaces (APIs) can be copyrighted. If the court decides they are, everything you know about making programs will change for the worse.

https://www.zdnet.com/article/supreme-court-takes-on-google-vs-oracle-the-biggest-software-development-case-ever/


55 New Security Flaws Reported in Apple Software and Services (The Hacker News)

“Peter G. Neumann” <neumann@csl.sri.com>
Fri, 9 Oct 2020 12:20:36 PDT

A team of five security researchers analyzed several Apple online services for three months and found as many as 55 vulnerabilities, 11 of which are critical in severity.

The flaws—including 29 high severity, 13 medium severity, and 2 low severity vulnerabilities—could have allowed an attacker to “fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”

The flaws meant a bad actor could easily hijack a user's iCloud account and steal all the photos, calendar information, videos, and documents, in addition to forwarding the same exploit to all of their contacts.

The findings were reported by Sam Curry, along with Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes over a three month period between July and September. <https://samcurry.net/hacking-apple/>

After they were responsibly disclosed to Apple, the iPhone maker took steps to patch the flaws within 1-2 business days, with a few others fixed within a short span of 4-6 hours.

So far, Apple has processed about 28 of the vulnerabilities with a total payout of $288,500 as part of its bug bounty program. […]

https://thehackernews.com/2020/10/apple-security.html


Researchers Find Vulnerabilities in Microsoft Azure Cloud Service (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Thu, 8 Oct 2020 08:24:04 -1000

As businesses are increasingly migrating to the cloud, securing the infrastructure has never been more important.

Now according to the latest research, two security flaws in Microsoft's Azure App Services could have enabled a bad actor to carry out server-side request forgery (SSRF <https://portswigger.net/web-security/ssrf>) attacks or execute arbitrary code and take over the administration server.

“This enables an attacker to quietly take over the App Service's git server, or implant malicious phishing pages accessible through Azure Portal to target system administrators,” cybersecurity firm Intezer said in a report published today and shared with The Hacker News. <https://www.intezer.com/blog/cloud-security/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/>

Discovered by Paul Litvak <https://twitter.com/polarply> of Intezer Labs, the flaws were reported to Microsoft in June, after which the company subsequently addressed them.

Azure App Service is a cloud computing-based platform <https://azure.microsoft.com/en-us/services/app-service/> that's used as a hosting web service for building web apps and mobile backends.

When an App Service is created via Azure, a new Docker environment is created with two container nodes—a manager node and the application node — along with registering two domains that point to the app's HTTP web server and the app service's administration page, which in turn leverages Kudu <https://github.com/projectkudu/kudu> for continuous deployment of the app from source control providers such as GitHub or Bitbucket. […] <https://docs.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment>

https://thehackernews.com/2020/10/microsoft-azure-vulnerability.html


Microsoft Office 365, Outlook down again (ZDNet)

Gabe Goldberg <gabe@gabegold.com>
Thu, 8 Oct 2020 00:34:22 -0400

Yes, Office 365, Outlook, and all the rest of Microsoft's Software-as-a-Services are down yet again.

https://www.zdnet.com/article/microsoft-office-365-outlook-down-again/

The risks? Software, Microsoft, cloud computing, software-as-a-“service”


CyberCommand has sought to disrupt the world's largest botnet, hoping to reduce its potential impact on the election (WashPost)

geoff goodfellow <geoff@iconia.com>
Fri, 9 Oct 2020 16:17:22 -1000

The botnet is often used to drop ransomware, which officials fear could snarl voter registration.

In recent weeks, the U.S. military has mounted an operation to temporarily disrupt what is described as the world's largest botnet - one used also to drop ransomware, which officials say is one of the top threats to the 2020 election.

U.S. CyberCommand's campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter's sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.

The effort is part of what Gen. Paul Nakasone, the head of CyberCommand, calls “persistent engagement,” or the imposition of cumulative costs on an adversary by keeping them constantly engaged. And that is a key feature of CyberCom's activities to help protect the election against foreign threats, officials said.

“Right now, my top priority is for a safe, secure, and legitimate 2020 election,” Nakasone said in August in a set of written responses to Washington Post questions. “The Department of Defense, and CyberCommand specifically, are supporting a broader ‘whole-of-government’ approach to secure our elections.”

Trickbot is malware that can steal financial data and drop other malicious software onto infected systems. Cyber-criminals have used it to install ransomware, a particularly nasty form of malware that encrypts users' data and for which the criminals then demand payment - usually in cryptocurrency - to unlock. […] https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html -or- https://www.chron.com/news/article/Cyber-Command-has-sought-to-disrupt-the-world-s-15635373.php


Pennsylvania voter services website crashes as 2020 election mail ballot deadlines loom (Inquirer)

Gabe Goldberg <gabe@gabegold.com>
Tue, 6 Oct 2020 15:33:33 -0400

Pennsylvania's online system for registering to vote and applying for and tracking mail ballots crashed over the weekend, triggering an outage that stretched for more than 40 hours and prompted frustration from voters weeks before critical election deadlines.

State officials managed to restore the site Monday morning and blamed the problem on an equipment failure at a data center run by an outside contractor. They did not believe any data had been lost or that malicious physical or cyber activity was behind the outage.

https://www.inquirer.com/politics/election/pennsylvania-voter-services-website-down-outage-mail-in-ballot-november-2020-election-20201004.html


Clinical Trials Hit by Ransomware Attack on Health Tech Firm (Nicole Perlroth)

ACM TechNews <technews-editor@acm.org>
Mon, 5 Oct 2020 12:39:33 -0400 (EDT)

Nicole Perlroth, The New York Times, 3 Oct 2020, via ACM TechNews, 5 Oct 2020

Philadelphia-based software provider eResearch Technology (ERT) was hit two weeks ago by a ransomware attack that has slowed clinical trials. The exploit started when ERT workers learned that they were locked out of their data, and clients said this forced researchers to move certain clinical trials to pen and paper. ERT's Drew Bustos on Friday verified that ransomware had hijacked company systems on Sept. 20, when the firm took its systems offline, called in outside cybersecurity experts, and alerted the U.S. Federal Bureau of Investigation. Affected customers included IQVIA, the contract research organization helping manage AstraZeneca's Covid-19 vaccine trial, and drug maker Bristol Myers Squibb, which is leading a consortium in developing a rapid test for coronavirus.

https://www.nytimes.com/2020/10/03/technology/clinical-trials-ransomware-attack-drugmakers.html


Flawed Algorithm Used to Determine UK Welfare Payments Is ‘Pushing People Into Poverty’ (Thomas Macaulay)

ACM TechNews <technews-editor@acm.org>
Mon, 5 Oct 2020 12:39:33 -0400 (EDT)

Thomas Macaulay, The Next Web, 29 Sep 2020

Human Rights Watch warns a flawed algorithm for calculating monthly social security benefits in Britain is causing hunger, debt, and psychological distress. The model measures changes in their earnings to dole out payments, but the non-governmental organization said the algorithm only analyzes wages people receive within a calendar month, and ignores frequency of payment. This means people who get multiple monthly paychecks can have their earnings overestimated, with their welfare payments dramatically reduced as a result. Human Rights Watch's Amos Toh said, "The government's bid to automate the benefits system—no matter the human cost—is pushing people to the brink of poverty.”

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-27559x225466x065619&


'The Wire' inspired a fake turtle egg that spies on poachers (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 6 Oct 2020 00:51:56 -0400

Scientists 3D-printed sea turtle eggs and stuffed transmitters inside. When poachers pulled them out of nests, the devices tracked their every move.

https://www.wired.com/story/the-wire-inspired-a-fake-turtle-egg-that-spies-on-poachers/


The robot shop worker controlled by a faraway human (bbc.com)

Richard Stein <rmstein@ieee.org>
Tue, 6 Oct 2020 13:05:05 +0800

https://www.bbc.com/news/business-54232563

It's true that the list of jobs that were once manual but which are now done by machines with just a small amount of human oversight, or none at all, grows ever longer.

’When these robots are good enough, you don't necessarily want them to be remote-controlled, you want them to be automatic,’ he says. ‘That's when you cut out the workers.’

Where staff shortages for certain roles are chronic and increasingly acute, a robot substitute may be an optimal replacement choice. Robot life cycle economics, like all machine v. human business investment decisions (employment), augurs against people engaged to perform routine and repetitive tasks.

I recall the Scientific American from Sep 1982 entitled, “The Mechanization of Work”, where robotic integration into manufacturing processing, and other industries, was described. This issue also raised economic dislocation prospects as a result of robotic substitution for human participation. https://www.scientificamerican.com/magazine/sa/1982/09-01/

Risks: Malicious tele-hack (remote or insider), computer crash, mechanical malfunction, stock damage, economic disenfranchisement.


“A friend of a friend at Google interviewed at Facebook right as the virus hit”

geoff goodfellow <geoff@iconia.com>
Fri, 2 Oct 2020 10:03:45 -1000
> Accepted new job in March. Didn't quit old job. Apparently does both
> jobs at home in 55 hours/week. Neither company knows yet. Might have
> reversed the [companies], not sure. I have so many thoughts on this.

https://twitter.com/arrington/status/1311520168200163328


Documents Show How The LAPD Was Trained To Use Palantir (BuzzFeed)

Gabe Goldberg <gabe@gabegold.com>
Sat, 3 Oct 2020 17:08:12 -0400

https://www.buzzfeednews.com/article/carolinehaskins1/training-documents-palantir-lapd


Meet the Customer Service Reps for Disney and Airbnb Who Have to Pay to Talk to You (ProPublica)

Gabe Goldberg <gabe@gabegold.com>
Sat, 3 Oct 2020 17:08:50 -0400

https://www.propublica.org/article/meet-the-customer-service-reps-for-disney-and-airbnb-who-have-to-pay-to-talk-to-you


Digital pioneer Geoff Huston apologises for bringing the Internet to Australia (ZDNet)

geoff goodfellow <geoff@iconia.com>
Sun, 4 Oct 2020 05:46:58 -1000

Huston says the Internet is a 'gigantic vanity-reinforcing distorted TikTok selfie' and web security is 'the punchline to some demented sick joke'. But Australia's first Privacy Commissioner thinks he's being optimistic. […]

https://www.zdnet.com/article/digital-pioneer-geoff-huston-apologises-for-bringing-the-internet-to-australia/


Psychographic Profiling cartoon (Tom Fishburne—Marketoonist)

Gabe Goldberg <gabe@gabegold.com>
Mon, 5 Oct 2020 16:20:10 -0400

Psychographics are back in the news as part of the US election cycle, four years after the Cambridge Analytica scandal made the term mainstream.

This week, CB Insights published a useful primer on psychographics, which they describe as one of the dark arts of social media and Internet marketing.

https://marketoonist.com/2020/10/psychographic-profiling-2.html


Re: Maryland's web-delivered ballots must be hand-copied to be counted (RISKS-32.30)

Amos Shapir <amos083@gmail.com>
Sun, 4 Oct 2020 18:50:13 +0300

Let me get this straight: “The process takes about five minutes per ballot” — so it can be converted to a form that can be counted by a machine in 0.001 second? Hasn't it occurred to anyone there that the ballots could just be counted manually?

Someone there must be nominated for the next Ig-Nobel Prize for political sciences…


Re: Apple marches to a different beat (Baker, RISKS-32.30)

Steve Klein <steven@klein.us>
Thu, 8 Oct 2020 13:08:47 -0400

Henry Baker reported that his Mac's clock was 2-3 minutes slow, and that he couldn't see how to change the time server.

I administer a fleet of Macs, and they all use Apple time servers. Most use time.apple.com; our Macs in China use time.asia.apple.com.

Three Macs chosen at random all have clocks matching the time displayed at https://time.gov (to within 1 second).

That website, operated by the NIST (National Institute of Standards and Technology), displays the official US time. NIST also offers NTP (Network Time Protocol) servers available at nist.time.gov

Apple has three default time servers depending on your location:

Changing the time server on a Mac is incredibly easy:

  1. Open the Date & Time preference pane (in System Preferences)
  2. Click the padlock icon to unlock settings
  3. Delete time.apple.com, and type or paste the address of your preferred NTP server

Hope this helps Henry, and anyone else facing similar issues.


Re: Apple marches to a different beat (Baker, RISKS-32.30)

“John Levine” <johnl@iecc.com>
2 Oct 2020 23:09:53 -0400
> Is it just me, or do other people find that MacOS keeps their clock 2-3
> minutes early?

It's just you.

I'm typing this on a Macbook running MacOS Catalina, and its time agrees with my NTP synced FreeBSD server to the second.

The MacOS date and time preferences menu has an option to NTP sync to one of Apple's servers. It's turned on by default but you might check to see if somehow you turned it off.


Re: Apple marches to a different beat (Baker, RISKS-32.30)

Alan Ralph <alan@alanralph.co.uk>
Sat, 3 Oct 2020 15:07:47 +0100

I've thankfully never had this issue, which is just as well since I do two weekly radio shows for an Internet radio station, as well as occasional online DJ shows.

I'm based in the UK, so my iMac is set to take its time signal from Apple's European time server. I'm also still on macOS Mojave, as I've been put off by the reports of issues with Catalina.

As for what might be causing the issue that Henry is seeing, I can think of a few possible causes:

1. A problem with whichever Apple time server Henry's Mac defaults to.

2. A problem in the time synchronisation code in the version of macOS that Henry's Mac is running.

3. Henry's ISP perhaps intercepting NTP traffic and making it go to their time server, which is running fast.

I'll admit, the last one seems unlikely, but it's not as if ISPs have much compunction against fiddling with their customer's traffic in the past. My gut instinct, however, is that this is more likely to be a problem at Apple's end.


Re: Apple marches to a different beat (Baker, RISKS-32.30)

“Craig S. Cottingham” <craig@cottingham.net>
Fri, 2 Oct 2020 16:21:25 -0500
> I didn't see any easy way to change the time server that this machine
> consults, so it remains early.

System Preferences -> Date & Time -> Date & Time tab.

Unlock (using the icon in the bottom-left corner) if necessary.

The field labeled Set date and time automatically looks like a simple dropdown with a set selection of options, but you can actually type in any domain name you wish.

For what it's worth, my laptop syncs with time.apple.com and has the same time as my cell phone (which receives its date and time from my carrier) and the master clock time reported by the US Naval Observatory at https://www.usno.navy.mil/USNO.

Please report problems with the web pages to the maintainer

Top