The RISKS Digest
Volume 32 Issue 38

Sunday, 22nd November 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

State-sponsored actors 'very likely' looking to attack electricity supply, says intelligence agency
CBC
An Engineer Gets 9 Years for Stealing $10M From Microsoft
WiReD
Shoppers warned against buying cheap electronics online
BBC News
Technology To Catch HOV Lane Violators Is Coming To Virginia
DCist
Migration to new CMS can go embarrassingly wrong
BBC
Researchers hacked a robotic vacuum cleaner to record speech and music remotely
Techxplore.com
Microsoft Is Making a Secure PC Chip with Intel and AMD's Help
WiReD
Internet censorship report
Rob Slade
Online password '123456' more popular than ever and easy to crack
CBC
Apple Lets Some of its Big Sur macOS Apps Bypass Firewall and VPNs
Applre
Apple to pay $113M to settle state investigation into iPhone *Battererygate*
WashPost
Privacy labeling for Apple apps
Rob Slade
Indistinguishability Obfuscation
WiReD
Why experts urge caution in using covid risk and tracking tools
WashPost
Functional and assurance requirements and CoVID
Rob Slade
Wrong GPS usual suspects First Responder avoidance
Dan Jacobson
Letter to Consumer Reports magazine
Gabe Goldberg
How the U.S. Military Buys Location Data from Ordinary Apps
Vice
'Bot Battle' Shows What Happens When Two AI Programs Go On a Date
Vice
AI is wrestling with a replication crisis
MIT Tech Review
The iOS Covid App Ecosystem Has Become a Privacy Minefield
WiReD
Metrics and CoVID
Rob Slade
Mac certificate check stokes fears that Apple logs every app you run
Ars Technica
Two-Factor Eggs in One Basket
Kent Borg
'Most Secure' U.S. Election Not Without Problems
Lucas Ropek
Election Security Experts Contradict Trump's Voting Claims
Nicole Perlroth
Blockchain Voting Risks Undetectable Nation-Scale Failures
Stilgherrian
Did you know that Dominion's voting software "Allows staff to adjust tally based on review of scanned ballot images"?
Twitter
What happens when you test TCL TV's
Henry Baker
'Cheating detection' goes full Orwell during pandemic
Henry Baker
Re: How to F Up an Airport, including What It's Like to Stress-Test Berlin's Brand New Airport
John Levine
Re: Facial recognition used to identify Lafayette Square protester accused of assault
Chuck Jackson
Re: CPU-Heat Sink Thermal Paste Effectiveness
Charles Cazabon
Re: Whale Sculpture Stops Train From Plunge in the Netherlands
Brian Inglis
Re: "Did you know that Dominion's voting software "Allows staff to adjust tally based on review of scanned ballot images"?
PGN
Info on RISKS (comp.risks)

State-sponsored actors 'very likely' looking to attack electricity supply, says intelligence agency (CBC)

"Matthew Kruk" <mkrukg@gmail.com>
Wed, 18 Nov 2020 19:51:24 -0700
https://www.cbc.ca/news/politics/cse-threat-assesment-1.5806213

State-sponsored actors are "very likely" trying to shore up their cyber
capabilities to attack Canada's critical infrastructure - such as the
electricity supply - to intimidate or to prepare for future online assaults,
a new intelligence assessment warns.

"As physical infrastructure and processes continue to be connected to the
Internet, cyber threat activity has followed, leading to increasing risk to
the functioning of machinery and the safety of Canadians," says a new
national cyber threat assessment drafted by the Communications Security
Establishment.

"We judge that state-sponsored actors are very likely attempting to develop
the additional cyber capabilities required to disrupt the supply of
electricity in Canada."


An Engineer Gets 9 Years for Stealing $10M From Microsoft (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 15 Nov 2020 23:15:45 -0500
A former Microsoft software engineer from Ukraine has been sentenced
<https://www.justice.gov/usao-wdwa/pr/former-microsoft-software-engineer-sentenced-nine-years-prison-stealing-more-10-million>
to nine years in prison for stealing more than $10 million in store credit
from Microsoft's <https://www.wired.com/tag/microsoft/> online store. From
2016 to 2018, Volodymyr Kvashuk worked for Microsoft as a tester, placing
mock online orders to make sure everything was working smoothly.

The software automatically prevented shipment of physical products to
testers like Kvashuk. But in a crucial oversight, it didn't block the
purchase of virtual gift cards. So the 26-year-old Kvashuk discovered that
he could use his test account to buy real store credit and then use the
credit to buy real products.  [...]

Kvashuk has been ordered to pay $8.3 million in restitution, though it seems
unlikely he'll ever be able to do that. The government says he may be
deported after serving his time in prison.

https://www.wired.com/story/an-engineer-gets-9-years-for-stealing-dollar10m-from-microsoft/


Shoppers warned against buying cheap electronics online (BBC News)

Gabe Goldberg <gabe@gabegold.com>
Tue, 17 Nov 2020 16:19:38 -0500
A laptop that caught fire after being fitted with a battery bought on Amazon
has prompted safety charity Electrical Safety First to warn of the dangers
of buying cheap electronics online.

It said that it had found "some extremely dangerous items" for sale on
Amazon, eBay and Wish.

The warnings were echoed by watchdog Which? and the Trading Standards
Institute.

The charity wants to see government legislation on the issue.

https://www.bbc.com/news/technology-54973538


Technology To Catch HOV Lane Violators Is Coming To Virginia (DCist)

Gabe Goldberg <gabe@gabegold.com>
Tue, 17 Nov 2020 17:00:09 -0500
https://dcist.com/story/20/11/17/technology-hov-lane-violators-cameras-virginia/

New Technology Allows Virginia To Verify That HOV Drivers Have The Right
Number Of Passengers

  [Comment already there: Nowadays dolls can be so convincing. The good news
  is, you only need the top half to simulate a passenger; the bottom half
  can be reserved for other uses.]

I hope cameras can detect objects as large as trucks which don't belong in
Express Lanes! They're frequently there cheating and only rarely do I see
one stopped by police.


Migration to new CMS can go embarrassingly wrong (BBC)

Anthony Thorn <anthony.thorn@atss.ch>
Wed, 18 Nov 2020 07:54:52 +0100
On 15 Nov 2020, Radio France International (RFI) published the obituaries of
"about 100" personages who were (are) still alive.

Including: the Queen, Clint Eastwood, Pele, Brigitte Bardot, Ayatollah Ali
Khamenei, Jimmy Carter, Raul Castro, Bernard Tapie...

https://www.bbc.com/news/world-europe-54965098
https://nypost.com/2020/11/17/french-radio-accidentally-publishes-obits-for-still-alive-celebs/

(I hope the Queen was amused   ;-)

  [Also noted by Gabe Goldberg.  PGN]
https://www.nytimes.com/2020/11/17/world/europe/france-website-obituaries.html


Researchers hacked a robotic vacuum cleaner to record speech and music remotely (Techxplore.com)

Richard Stein <rmstein@ieee.org>
Wed, 18 Nov 2020 16:42:27 +0800
https://techxplore.com/news/2020-11-hacked-robotic-vacuum-cleaner-speech.html

"We welcome these devices into our homes, and we don't think anything about
it," said Roy, who holds a joint appointment in the University of Maryland
Institute for Advanced Computer Studies (UMIACS). "But we have shown that
even though these devices don't have microphones, we can repurpose the
systems they use for navigation to spy on conversations and potentially
reveal private information."

What could be the next household device hack target for surveillance?
Perhaps that IoT-enabled dental floss dispenser?


Microsoft Is Making a Secure PC Chip with Intel and AMD's Help (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 19 Nov 2020 02:04:05 -0500
The Pluton security processor will give the software giant an even more
prominent role in locking down Windows hardware.

https://www.wired.com/story/microsoft-pluton-secure-processor/


Internet censorship report

Rob Slade <rslade@gmail.com>
Thu, 19 Nov 2020 09:10:55 -0800
The University of Michigan has created an automated censorship measuring
tool, Censored Planet, and has now released a report from the collected
data.
https://news.umich.edu/extremely-aggressive-internet-censorship-spreads-in-the-worlds-democracies/

The tool uses public Internet servers, and measures, and reports, when
access to Websites is blocked.  Billions of measurements are taken
automatically, and further filters analyze the data.

The findings, presented at the 2020 ACM Conference on Computer and
Communications Security, demonstrate that even democracies are doing
considerable censorship, and that tools are in place for much more.


Online password '123456' more popular than ever and easy to crack (CBC)

"Matthew Kruk" <mkrukg@gmail.com>
Wed, 18 Nov 2020 19:48:15 -0700
Maker of password manager app details worst passwords of 2020

https://www.cbc.ca/news/business/nordpass-list-of-most-common-and-worst-passwords-1.5807089

People are still using the most basic of Internet passwords that can be
easily cracked, according to a database analysis by password manager
NordPass.

Its list of the 200 most common passwords for online accounts in 2020 was
released after a review of nearly 275.7 million passwords.

Coming in first was "123456," used by 2.5 million people, after landing in
second place last year. NordPass said it has been breached more than 23.5
million times.

The data shows many people stubbornly cling to using weak passwords, even
though they're the worst in terms of security.


Apple Lets Some of its Big Sur macOS Apps Bypass Firewall and VPNs

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 18 Nov 2020 12:36:23 PST
  [via Geoff Goodfellow]

Apple is facing the heat for a new feature in macOS Big Sur that allows many
of its own apps to bypass firewalls and VPNs, thereby potentially allowing
malware to exploit the same shortcoming to access sensitive data stored on
users' systems and transmit them to remote servers.

The issue was first spotted last month by a Twitter user named Maxwell in a
beta version of the operating system.

"Some Apple apps bypass some network extensions and VPN Apps," Maxwell
*tweeted* <https://twitter.com/mxswd/status/1318305284524183552>. "Maps for
example can directly access the Internet bypassing any NEFilterDataProvider
or NEAppProxyProviders you have running."

But now that the iPhone maker has released the latest version of macOS to
the public on November 12, the behavior has been left unchanged, prompting
concerns from security researchers, who say the change is ripe for abuse.

Of particular note is the possibility that the bypass can leave macOS
systems open to attack, not to mention the inability to limit or block
network traffic at users' discretion.

According to Jamf security researcher *Patrick Wardle*
<https://twitter.com/patrickwardle/status/1327726496203476992>, the
company's 50 Apple-specific apps and processes have been exempted from
firewalls like Little Snitch and Lulu.

The change in behavior comes as Apple *deprecated support*
<https://developer.apple.com/support/kernel-extensions/> for Network Kernel
Extensions last year in favor of Network Extensions Framework   [...]
https://thehackernews.com/2020/11/apple-lets-some-of-its-big-sur-macos.html


Apple to pay $113M to settle state investigation into iPhone *Battererygate* (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Thu, 19 Nov 2020 02:13:10 -0500
Apple will pay $113 million to settle an investigation by nearly three dozen
states into the tech giant's past practice of slowing customers'
old iPhones in an attempt to preserve their batteries.

https://www.washingtonpost.com/technology/2020/11/18/apple-fine-battery/

I think I filed claims for two affected phones; I also had batteries
replaced in them for $29/each when Apple was doing that for penance.

I have to say that this...

That December, Apple acknowledged the practice, explaining that it had
tweaked its technology starting a year earlier so that some older models,
including the iPhone 6S, did not shut down unexpectedly or experience other
malfunctions due to excessive demands on their dated batteries. The
widespread blowback also prompted Apple to issue a public apology—a
rarity for the image-conscious tech giant—and to begin offering
battery-replacement discounts for consumers.

...doesn't sound entirely malign—would shutdowns or other malfunctions
really have been better than slowdowns?—except it was done secretly. And
given the huge set of Settings options, adding battery controls wouldn't
have been burdensome. Now, at least, battery health can be user determined
(though apparently there are more comprehensive battery tests only Apple can
run). And, weirdly, iPadOS doesn't display iPad battery health; you need
the nifty/free PC/Mac utility iMazing for that.


Privacy labeling for Apple apps

Rob Slade <rmslade@shaw.ca>
Mon, 16 Nov 2020 11:30:07 -0800
Apple will, as of December 8th, start requiring standardized summaries of
information gathering and privacy behaviour for new and updated apps in the
app store.  https://www.theregister.com/2020/11/06/apple_privacy_advice/ In
the announcement, Apple referred to the summaries as being like nutritional
labels on food, which phrase seems to have caught the media's imagination.

Details of the requirements are given at
https://developer.apple.com/app-store/app-privacy-details/ The "labels"
don't seem to be that far removed from the "permissions" that Android apps
list, and don't give that much more information about collection.

Having recently created a presentation on differential privacy, it strikes
me that this is one of the first outcomes of Apple's grand announcement of
its commitment to the technology in 2016.  Differential privacy does allow
for some version of metrics for privacy, but so far it has been a rather
academic exercise.

This announcement doesn't push it much further.


Indistinguishability Obfuscation (WiReD)

Rob Slade <rmslade@shaw.ca>
Mon, 16 Nov 2020 11:47:19 -0800
https://www.wired.com/story/computer-scientists-achieve-the-crown-jewel-of-cryptography/

First reaction: this sounds very much like trying to build a Bell and
LaPadula [Multilevel-secure] computer.  It sounds like the type of formal
and theoretical abstraction that is useful as an exercise, but seldom
results in an actual, useful, working device.  I am, again, reminded of
differential privacy: some great ideas, but the outcomes that people tend to
actually present are less than earth-shattering, in reality.

Second reaction: although the article seems to be reasonably detailed, there
simply isn't enough information on iO in there to make any real assessment.


Why experts urge caution in using covid risk and tracking tools (WashPost)

Richard Stein <rmstein@ieee.org>
Tue, 17 Nov 2020 11:28:09 +0800
https://www.washingtonpost.com/lifestyle/wellness/understanding-risk-covid-tracker-tools/2020/11/13/95adb654-2504-11eb-952e-0c475972cfc0_story.html

"Instead of relying on any one tool, Landon recommended people use multiple
data sources to help with decisions and reference community and federal
resources. The CDC recently updated its guidance for Thanksgiving
gatherings, suggesting many ways for people to celebrate the holiday without
putting themselves or their loved ones at increased risk.

"'If you unknowingly spread covid to higher-risk individuals in your family,
there's no do-over for that,' Landon said."

Confronting a go/no-go choice based on imperfect information is an age-old
problem.

Second opinions can be helpful, but if their recommendations differ?  Choose
a 3rd, and accept a "best two-out-of-three" result?

A deficit of civil forbearance appears to sustain COVID-19 pandemic waves in
the US. A commonsense vaccine to replenish diminished public trust is
urgently needed.


Functional and assurance requirements and CoVID

Rob Slade <rmslade@shaw.ca>
Tue, 17 Nov 2020 08:12:18 -0800
With the recent surges in CoVID-19 cases (pretty much everywhere), parents
have become (understandably) concerned about the welfare and safety of their
children, particularly at school.  There have been widespread calls for
school closures, or, at the very least, mandatory mask wearing for all staff
and students.  However, looking at the situation in terms of both functional
and assurance requirements demonstrates that these concerns are unnecessary,
or, at least, misplaced.

First let's look at the functional requirements.  For the most part, controls
against the pandemic are still basic and widely known.  But they are
problematic in regard to schools.  Isolation is the most effective.
However, classrooms are too few, and too small, for completely effective
isolation.  Desktop and other barrier systems are possibly expensive and
time-consuming to construct and install in many places, and, in any case,
are limited at best.  Distance learning carries its own set of problems.
Handwashing is good, and, particularly in the younger grades, you can really
get students to buy into it.  But it's not complete.  (And forget trying to
get teenagers to do it regularly.)  And any teacher knows that telling kids,
especially in the primary grades, to keep physically distant from each other
is just not going to work.  (Actually, if you tell students in the primary
grades that it's a game, that their friends are radioactive, and that if
they get close enough for their outstretched hand to touch their friends'
outstretched hands they'll both explode, it'd probably work.  It's the
teenagers who seem to think that social distancing means six inches.)  And
I've written elsewhere about masks, but it is difficult to get kids,
particularly younger kids, to wear them consistently and properly.

However, when we look at assurance requirements, we find a much different
picture.  One of the assurance requirements is detailed contact tracing,
looking at where, how, and in what situations the infection actually (as
opposed to theoretically) does spread.  Part of this, of course, gives us
information about which controls actually do work.  But often it just gives
us information about risk levels.  And, even in these "resurgent" times,
schools are not dangerous places.

Detailed contact tracing has demonstrated that the number of actual
transmissions of the infection in schools is startlingly small, given the
problems we have just looked at with functional requirements and controls.
In British Columbia, while general case numbers jumped from 5,000 to over
20,000, there were only three outbreaks in schools, and, in those outbreaks,
it seems to be impossible to prove that any infections actually took place
*at* school.  Schools do seem to reflect the prevalence of the case numbers,
and, during this surge, exposure events at schools have increased, but cases
of actual transmission seem to be vanishingly small.

Unfortunately, we do not yet have enough data to know exactly why this is
the case.  It may be that children, particularly young children, have
differences in their immune systems that make them less susceptible to the
coronavirus, but that would not explain why there are almost no cases of
student to teacher transmission.  It may be that, despite the problematic
nature of the functional controls, the fact that children are better at
"sticking to the rules" means that the layered defence works better than in
adults (who often seem to think that wearing a mask means you can neglect
all the other safeguards).  At this point we still don't know enough to
explain it.

There are other things that the assurance requirement of detailed contact
tracing can demonstrate, but not explain.  We have seen that transmission in
restaurants is low, but transmission in bars is very much higher.  Why is
that the case?  The two situations are very similar.  Bars do the same level
of cleaning as restaurants, and often have the same capacity limitations.
Alcohol is served at restaurants as well as bars.  But bars have higher
transmission rates.  In fact, the data even shows that transmission rates,
in both bars *and* restaurants, is higher after 10 pm than before.  Why?  Is
it just because patrons are drunker (and drunk people make worse decisions
about sticking to the rules)?  We can't yet explain why, but we do know that
it is the case.

In security, we often pursue functional requirements and neglect assurance.
After all, it is functional requirements that direct us to technologies and
systems and processes that keep us safe.  But it is assurance requirements
that tell us whether the technologies and systems and processes actually
*do* keep us safe, or whether we are wasting resources on controls that
don't actually do anything for us.  We need that assurance.


Wrong GPS usual suspects First Responder avoidance

Dan Jacobson <jidanni@jidanni.org>
Mon, 16 Nov 2020 23:15:43 +0800
Today I noticed that my friends' cell phones' GPS all show the same wrong
place when not fully warmed up. Year in and year out.

So that got me thinking, there must be about one of these points every few
kilometers.

So all rescue departments need to do is keep a list of them. Then, say,
someone calls in "Help me, I'm at xxx.xxx,yyy.yyy," the First Responders
could reply, "Give your GPS a few more minutes to warm up, then call us
back."

Actually they don't need a full list. All they need is the algorithms of how
those points are arrived at. Yes, they are like 12.000 for 12.345, but
"binary". Sure, different chips have different algorithms. And maybe AGPS is
involved, etc. OK, now generate a list for your local area.

So next time somebody calls in with one of those suspect coordinate pairs,
right down to the millimeter, just tell them to take a deep breath...


Letter to Consumer Reports magazine

Gabe Goldberg <gabe@gabegold.com>
Sun, 15 Nov 2020 15:28:06 -0500
Your December TV ratings data includes "Data privacy" and "Data security"
columns not mentioned in text. Those deserve explanation, along with advice
for enhancing privacy/security. Such as not connecting "smart" TVs to the
Internet. I don't, and my large-screen TV works just fine, handling cable,
DVD, and Roku content. I avoid the TV snooping or compromising anything and
don't miss the TV's remote voice control feature since I use a universal
remote to control ALL devices. The TV whines occasionally that it longs to
go online but I don't let it—thus also avoiding problems with unneeded
software updates. TVs should be TVs, not computers.


How the U.S. Military Buys Location Data from Ordinary Apps

geoff goodfellow <geoff@iconia.com>
Mon, 16 Nov 2020 12:44:23 -1000
*A Muslim prayer app with over 98 million downloads is one of the apps
connected to a wide-ranging supply chain that sends ordinary people's
personal data to brokers, contractors, and the military.*  [...]
https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x


'Bot Battle' Shows What Happens When Two AI Programs Go On a Date (Vice)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 16 Nov 2020 12:55:11 -1000
To test its superiority, one AI company put out a call for tech firms to
challenge their AI bot head-to-head.

What happens when two AI programs go on a date? Well, apparently, a few
stumbles, a lot of flattery, and one, "It is exciting that I get to kill
people" comment.

AI company Pandorabots, Inc. and Facebook AI have gone head-to-head in a
"Bot Battle" for the ages. Streamed on Twitch, the two programs interacted
with each other for three weeks straight. Viewers were able to vote on
which company's mascot they believe held conversation the best.
Pandorabot's Kuki, a female embodied agent sporting a neon bob haircut, won
in a landslide victory picking up 78 percent of the vote. Her opponent was
Facebook's Blenderbot, who sports a "Make Facebook Great Again" hat in true
Zucker-bro style.

Pandorabots created the competition to put their program on display, a
Medium post by Kuki's creator, Steve Worswick, explains. "We are planning
to get more bots—and some humans!—into the arena to hang with
Kuki. We will also continue to iterate and update the avatars," he wrote.

During the battle, which drew more than 400,000 views during the three-week
stream, the bots talked about everything from the election to an in-depth
history of Pac-Man. The two even gave an attempt at making jokes. Remember,
the conversation was completely autonomous from human involvement and the
bots are running day and night. Still, at best the conversation was
followable and somewhat complex. At times it turned into a staring contest
where nothing was said. Many of the silences were awkward. And other times
the conversation completely derailed into a splurge of courteous
compliments.  [...]

https://www.vice.com/en/article/5dpbaz/bot-battle-shows-what-happens-when-two-ai-programs-go-on-a-date


AI is wrestling with a replication crisis (MIT Tech Review)

geoff goodfellow <geoff@iconia.com>
Sun, 15 Nov 2020 11:00:02 -1000
*Tech giants dominate research but the line between real breakthrough and
product showcase can be fuzzy. Some scientists have had enough.*

Last month Nature published a damning response
<https://www.nature.com/articles/s41586-020-2766-y> written by 31 scientists
to a study from Google Health
<https://www.nature.com/articles/s41586-019-1799-6> that had appeared in the
journal earlier this year. Google was describing successful trials of an AI
that looked for signs of breast cancer in medical images. But according to
its critics, the Google team provided so little information about its code
and how it was tested that the study amounted to nothing more than a
promotion of proprietary tech.

"We couldn't take it anymore," says Benjamin Haibe-Kains, the lead author
of the response, who studies computational genomics at the University of
Toronto. "It's not about this study in particular—it's a trend we've
been witnessing for multiple years now that has started to really bother
us."

Haibe-Kains and his colleagues are among a growing number of scientists
pushing back against a perceived lack of transparency in AI research.
"When we saw that paper from Google, we realized that it was yet another
example of a very high-profile journal publishing a very exciting study that
has nothing to do with science," he says. "It's more an advertisement for
cool technology. We can't really do anything with it."

Science is built on a bedrock of trust, which typically involves sharing
enough details about how research is carried out to enable others to
replicate it, verifying results for themselves. This is how science
self-corrects and weeds out results that don't stand up. Replication also
allows others to build on those results, helping to advance the field.
Science that can't be replicated falls by the wayside.

At least, that's the idea. In practice, few studies are fully replicated
because most researchers are more interested in producing new results than
reproducing old ones. But in fields like biology and physics--and computer
science overall--researchers are typically expected to provide the
information needed to rerun experiments, even if those reruns are rare.

Ambitious noob...

[...]
https://www.technologyreview.com/2020/11/12/1011944/artificial-intelligence-replication-crisis-science-big-tech-google-deepmind-facebook-openai/


The iOS Covid App Ecosystem Has Become a Privacy Minefield (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 13 Nov 2020 18:29:40 -0500
An analysis of nearly 500 Covid-related apps worldwide shows major
differences in how much data they expect you to give up.

The results show that only 47 of that subset of 359 apps use Google and
Apple's more privacy-friendly exposure-notification system, which restricts
apps to only Bluetooth data collection. More than six out of seven
Covid-focused iOS apps worldwide are free to request whatever privacy
permissions they want, with 59 percent asking for a user's location when in
use and 43 percent tracking location at all times.  Albright found that 44
percent of Covid apps on iOS asked for access to the phone's camera, 22
percent of apps asked for access to the user's microphone, 32 percent asked
for access to their photos, and 11 percent asked for access to their
contacts.

https://www.wired.com/story/covid-19-ios-apps-privacy/

I guess it wants to check whether your photo has been near photo of someone
with Covid.


Metrics and CoVID

Rob Slade <rmslade@shaw.ca>
Tue, 17 Nov 2020 06:01:53 -0800
Another security lesson from CoVID is in regard to metrics.  Those who have
tried to create security metrics will know, all too well, how difficult it
is to choose those that are actually useful, rather than just being
collections of numbers.  (Brotby and Hinson's PRAGMATIC acronym is very
helpful in providing guidance.)

Among the various statistics that CoVID has generated, such as case rates,
new cases, doubling time of cases, hospitalization rates, et cetera, one
single number that has been consistently useful is the positivity rate.
This is the number of cases confirmed, divided by the total tests done.
Donald Trump to the contrary, while there are a number of additional factors
to consider, it seems to be generally felt that a positivity rate of about
two percent is probably reasonable.  Any lower, and it is likely that you
are testing too many people too indiscriminately, and wasting money and
resources.  Any higher, and it is likely that you aren't testing enough, and
that cases are, or shortly will be, increasing.  Positivity has proven
itself "Relevant" from the PRAGMATIC list.

Recently, in British Columbia, we have seen how difficult it may be to keep
such metrics "Meaningful" and "Accurate."

BC, often known as "Hollywood North," is home to a thriving and active film
industry.  If you are a fan of Hallmark romances and mysteries, and other
such "made for TV" fare, chances are very good that they were shot here.
(When Gloria and I watch them, it is often as much to play "spot the
location" as to follow the plots.)  This is especially true now during the
pandemic, when BC has been a relatively safe place to do film shoots.  There
are, of course, a number of restrictions to keep filmmaking safe, some
imposed by local health authorities, and some required by unions,
particularly from the US and places where the case rates have been much
higher, demanding fairly stringent precautions.  CoVID testing, in
particular, is done regularly, and often very frequently, regardless of how
many cases turn up.

Testing for the movie industry is done at private labs, so as not to affect
lab capacity for the public health system.  However, even so, the testing is
"reportable," and thus the numbers make their way into public figures.  The
demands of the movie industry are such that 4-5,000 tests may be done daily,
at a time when the public testing capacity is about 16,000 tests per day.
Since the movie industry definitely "overtests," the movie numbers
artificially depress the overall positivity rate.  Our positivity rate in BC
may actually be twice what the published figures show.


Mac certificate check stokes fears that Apple logs every app you run (Ars Technica)

Monty Solomon <monty@roscom.com>
Mon, 16 Nov 2020 17:01:11 -0500
Amid concern that macOS logs app usage in real time, Apple issues assurances.

https://arstechnica.com/gadgets/2020/11/mac-certificate-check-stokes-fears-apple-logs-every-app-you-run/


Two-Factor Eggs in One Basket

Kent Borg <kentborg@borg.org>
Mon, 16 Nov 2020 15:42:54 -0800
A friend of mine got the newest iPhone. Being latest and greatest he wants
it to be all 5G-est, too, and that part isn't working right. Word is he
needed a different SIM, and I don't follow all the details.

Anyway, at this point some Verizon person probably needs to walk through
network settings to fix something set wrong. Okay.

But my friend takes covid-19 seriously and doesn't want to go to the
store. Okay, smart.

I'm sure he could go through the settings by phone call.

Nope: My friend hopped on the two-factor bandwagon and Verizon won't talk to
him without texting him aboard their two-factor ritual, and he says that
doesn't work with the new SIM. Sure, he could put in the old SIM where it
does work, but he needs to debug the 5G SIM…

I've always thought two-factor was a great idea for really high value
accounts, with lots of talented high end support at the ready, but I don't
understand why people think it scales to everyone for everything.


'Most Secure' U.S. Election Not Without Problems

ACM TechNews <technews-editor@acm.org>
Wed, 18 Nov 2020 12:19:16 -0500 (EST)
Lucas Ropek, *Government Technology*, 16 Nov 2020
via ACM TechNews, Wednesday, November 18, 2020

Although federal officials declared the 2020 presidential election the "most
secure in American history," there were still technical problems. Alleged
software glitches caused mistakes in vote tabulation for both presidential
and local races in certain counties, while some communities suffered
temporary miscounts due to clerical errors. Threats of foreign interference
appear to have been countered by greater vigilance and stronger
cyberdefenses by watchdogs like the Cybersecurity and Infrastructure
Security Agency, and multi-stakeholder collaboration and information
sharing. However, disinformation and misinformation have continued to fuel
polarization of the electorate. Former ACM president Barbara Simons urges
greater transparency and committed investment in auditable machinery as top
priorities, along with curtailing the use of paperless voting machines.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28148x226823x070792&


Election Security Experts Contradict Trump's Voting Claims (Nicole Perlroth)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 17 Nov 2020 15:43:35 PST
Nicole Perlroth, *The New York Times*, 16 Nov 2020
Election Security Experts Contradict Trump's Voting Claims
https://www.nytimes.com/2020/11/16/business/election-security-letter-trump.html

Fifty-nine of the country's top computer scientists and election security
experts rebuked President Trump's baseless claims of voter fraud and hacking
on Monday, writing that such assertions are "unsubstantiated or are
technically incoherent."

The rebuttal, in a letter to be published on various websites, did not
mention Mr. Trump by name but amounted to another forceful corrective to the
torrents of disinformation that he has posted on Twitter.  "Anyone
asserting that a U.S. election was *rigged* is making an extraordinary
claim, one that must be supported by persuasive and verifiable evidence."
In the absence of evidence, they added, it is simply "speculation".  "To
our collective knowledge, no credible evidence has been put forth that
supports a conclusion that the 2020 election outcome in any state has been
altered through technical compromise," they wrote.  [...]


Blockchain Voting Risks Undetectable Nation-Scale Failures (Stilgherrian)

ACM TechNews <technews-editor@acm.org>
Mon, 16 Nov 2020 12:18:26 -0500 (EST)
Stilgherrian, ZDNet, 16 Nov 2020
via ACM TechNews, Monday, November 16, 2020

A study by Massachusetts Institute of Technology (MIT) researchers labeled
assertions that Internet- and blockchain-based voting would boost election
security "misleading," adding that they would "greatly increase the risk of
undetectable, nation-scale election failures." The MIT team analyzed
previous research on the security risks of online and offline voting
systems, and found blockchain solutions are vulnerable to scenarios where
election results might have been erroneously or deliberately changed. The
MIT researchers proposed five minimal election security mandates: ballot
secrecy to deter intimidation or vote-buying; software independence to
verify results with something like a paper trail; voter-verifiable ballots,
where voters themselves witness that their vote has been correctly recorded;
contestability, where someone who spots an error can persuade others that
the error is real; and an auditing process.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28090x22672ex070514&


Did you know that Dominion's voting software "Allows staff to adjust tally based on review of scanned ballot images"? (Twitter)

the keyboard of geoff goodfellow <geoff@iconia.com>
Tue, 17 Nov 2020 07:22:00 -1000
> https://twitter.com/CodeMonkeyZ/status/1328342166007992323
> So there would be a record if anything was changed.

PGN Response:

If you believe audit records cannot be hacked, we are still offering the
Brooklyn Bridge at a huge discount.

On the other hand, the DREs of a decade ago when we were fighting the lack
of an audit trail did not even pretend to have a meaningful audit trail.


What happens when you test TCL TV's

Henry Baker <hbaker1@pipeline.com>
Fri, 13 Nov 2020 14:39:51 -0800

  [Henry's two contributions to this issue were longer than the rest of
  the issue.  I have seriously foreshortened both.  If you want the full
  story for the first one, please ask Henry to send it to you.  The second
  has a URL for the PGN-ed text.  PGN]

The Chinese have us by their Ten TCL's :-)

You really have to read this TCL 'Smart' TV vulnerability report all the way
through; you don't have to be a Linux wizard to start laughing, and it gets
better and better as you read!

I don't know which is scarier: the vulnerabilities themselves, or the lack
of response from TCL together with a sneaky 'silent' update to 'fix' these
(wink, wink) 'bugs'.

I knew there was a reason why I never enabled the Internet connection on my
'smart' TV; I allow HDMI only.

Previews:

"Port 22 open and allowing SSH access as root:root out of the box"

"When in the history of your career... Have you ever needed to serve the
entire filesystem... over http?"

TCL me, Elmo!!

https://sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/

Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World's 3rd
Largest TV Manufacturer.


'Cheating detection' goes full Orwell during pandemic

Henry Baker <hbaker1@pipeline.com>
Mon, 16 Nov 2020 09:03:04 -0800
I've heard of the 'school-to-prison pipeline', but I had no idea how short
this pipeline had become...

I think they may possibly have misspelled "proctoring" when they referred to
contacting a back door into your computer.  :-)

Drew Harwell, *The Washington Post*
Cheating-detection companies made millions during the pandemic.  Now
students are fighting back.  [...]

https://www.msn.com/en-us/news/us/cheating-detection-companies-made-millions-during-the-pandemic-now-students-are-fighting-back/ar-BB1aX8Qa


Re: How to F Up an Airport, including What It's Like to Stress-Test Berlin's Brand New Airport (Goldberg)

"John Levine" <johnl@iecc.com>
13 Nov 2020 20:04:19 -0500
The Radio Spätkauf podcast has a five part series called "How to F*
Up an Airport" on the bizarre and sad history of the new Berlin airport.

Many of the failures were due to political interference and a staggering
level of arrogance and incompetence, but a certain amount is technical, such
as the fact that physics tells us that if you increase the size of the
terminal, the ventilation requirements and particularly the emergency smoke
removal ventilation do not scale linearly. Or that it is not a good idea to
cram power and signal wires into the same undersized pipe.

It includes a segment about the dress rehearsal described in the Atlas
Obscura page. They said it included plenty of very bad coffee.

https://player.fm/series/how-to-feuk-up-an-airport


Re: Facial recognition used to identify Lafayette Square protester accused of assault (Levine, RISKS-32.37)

Chuck Jackson <clj@jacksons.net>
Fri, 13 Nov 2020 21:46:10 -0500
Here's a quote (emphasis added) from *The Washington Post* article on this
event:

  After the demonstration, Park Police tracked him through Twitter and sent
  the image to the Maryland-National Capital Park Police in Prince George's
  County, which ran it through NCRFRILS, returning Michael Joseph Peterson
  Jr. as a possible match, the court documents state. *Authorities said they
  also found a backpack at the scene of the protests containing Peterson's
  ID.*

Apparently, he took off leaving his driver's license behind.


Re: CPU-Heat Sink Thermal Paste Effectiveness (Stein, RISKS-32.37)

Charles Cazabon <charlesc-risks-digest@pyropus.ca>
Fri, 13 Nov 2020 21:23:14 -0600
(1) No AMD Ryzen processor from the Ryzen 5, Ryzen 7, or Ryzen 9 families,
whether from the 1st-gen 1000 series, 2nd-gen 2000-series, 3rd-gen 3000
series, or the new 5000 series requires liquid cooling.  All are perfectly
capable of working at their full specified speeds with a quality air cooler;
all but the most recent top-spec versions shipped with such a cooler.  They
can typically be overclocked, and they will overclock better with liquid
cooling, but it is by no means necessary.

(2) Pretty much any substance with a significant amount of water in it will
transfer heat effectively from a CPU to its heatsink (*); CPU cooling is
simply not a particularly demanding application.  The advantages in quality
heatsink thermal compounds are not in efficacy, but in other areas - less
"creep" out of the joints, easier application, longer life without drying
out, etc.

(*) Dan Rutter of dansdata.com famously did a comparison in 2002 of various
thermal compounds, from cheap white zinc-based thermal paste to fancy
silver-loaded silicone formulations, to toothpaste (!) and vegemite (!!).
http://www.dansdata.com/goop.htm


Re: Whale Sculpture Stops Train From Plunge in the Netherlands (RISKS-32.37)

Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
Mon, 16 Nov 2020 22:32:18 -0700
 > It was only a fluke that the driver wasn't killed.

 >  [But "a fluke" is also a fish, which the whale is not.  PGN]

It was just a fluke it landed on a fluke, which is a tail of a whale, and
nobody was killed, so it's a whale of a tale about "Whale Tails", which is
named a fluke as well as called a fluke.

  [Also a parasitic worm, and a barb on an anchor, arrow, harpoon, hook,
  etc.  Anyone care to take this any further in those directions: limerick
  perhaps?

  See also Whale sculpture catches crashed Dutch metro train:
	https://www.bbc.com/news/world-europe-54780430
  ]


Re: "Did you know that Dominion's voting software "Allows staff to adjust tally based on review of scanned ballot images"? (RISKS-32.38)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 18 Nov 2020 13:43:53 PST
> So there would be a record if anything was changed.

If you believe audit records cannot be hacked, we are still offering the
Brooklyn Bridge at a huge discount.

On the other hand, the DREs of a decade ago when we were fighting the
lack of an audit trail did not even pretend to have a meaningful audit trail.
