“Over a period of 39 months, invasive keyhole wasps (Pachodynerus nasidens) at the Brisbane Airport were responsible for 93 instances of fully blocked replica pitot probes—vital instruments that measure airspeed—according to a study published November 25 in the open-access journal PLOS ONE by Alan House of Eco Logical Australia and colleagues.”
The essay suggests aircraft maintenance crews cover pitot probes to prevent their colonization when unused.
Would a power-on-self-test be able to discern if the inlet is bugged via fiber optic signal and sensor?
“Yet in recent decades, Boeing—like so many American corporations—began shoveling money to investors and executives, while shortchanging its employees and cutting costs.”
Profit pressures undercut engineering process and problem solving culture in a business that was a consumer product safety icon. FAA oversight capacity, neutered by self-certification measures, accelerated product life cycle completion with compromised safety.
Product safety, especially for software, and computer-based systems generally, implies the institutionalization of effective defect escape suppression mechanisms. Defects discovered earlier in a life cycle afford more time to consider their repair prioritization BEFORE release for sale. This practice assumes accountability for product life cycle process fulfillment. If governance profit or schedule pressures force accountability shirks, defects will free-flow to the customer.
Unlike the medical device industry, where device problem/patient problem history is consolidated for public inspection by the FDA's MAUDE and TPLC repositories, Boeing product defect escapes emerge via accident or mishap investigations.
Justice Louis Brandeis said, “Sunlight is said to be the best of disinfectants.” Public visibility into Boeing's release and qualification processes (test plans, test results, defects) should not be necessary or required. Restoration of shattered public trust requires demonstrated capability that overachieves both consumer expectations and flight safety metrics.
The company is rolling out a patch for the vulnerabilities, which allowed one researcher to break into a car in 90 seconds and drive away.
Tesla has always prided itself on its so-called over-the-air updates, pushing out new code automatically to fix bugs and add features. But one security researcher has shown how vulnerabilities in the Tesla Model X's keyless entry system allow a different sort of update: A hacker could rewrite the firmware of a key fob via Bluetooth connection, lift an unlock code from the fob, and use it to steal a Model X in just a matter of minutes. […]
I also heard a rumor—couldn't confirm with search—that you can't play Tesla radio without having headlights on. True or nonsense? Model dependent? Bug or feature?
[See also https://www.washingtonpost.com/technology/2020/11/23/tesla-modelx-hack/ spotted by Monty Solomon]
Intel and Nvidia chips power a supercomputing center that tracks people in a place where government suppresses minorities, raising questions about the tech industry's responsibility.
Dozens of leaked documents from Amazon's Global Security Operations Center reveal the company's reliance on Pinkerton operatives to spy on warehouse workers and the extensive monitoring of labor unions, environmental activists, and other social movements.
Now, if Assante had done his job properly, they were going to destroy it. And the assembled researchers planned to kill that very expensive and resilient piece of machinery not with any physical tool or weapon but with about 140 kilobytes of data, a file smaller than the average cat GIF shared today on Twitter.
30 lines of code = 140KB? Maybe we have to read the book to understand that.
Efforts to secure the Border Gateway Protocol have picked up critical momentum, including a big assist from Google.
From the archives: Say hello to the KGB software model that forecasted mushroom clouds.
“Let's play Global Thermonuclear War.”
Thirty-two years ago, just months after the release of the movie WarGames, the world came the closest it ever has to nuclear Armageddon. In the movie version of a global near-death experience, a teenage hacker messing around with an artificial intelligence program that just happened to control the American nuclear missile force unleashes chaos. In reality, a very different computer program run by the Soviets fed growing paranoia about the intentions of the United States, very nearly triggering a nuclear war.
“When we go into the world of cyber physical systems, like robots and self-driving cars, where time is crucial, linear temporal logic becomes a bit cumbersome, because it reasons about sequences of true/false values for variables, while STL allows reasoning about physical signals.”
STL == Signal Temporal Logic to accelerate AI training processes by enabling discernment of correct v. incorrect outcome detection.
Achievement of driverless vehicle (DV) fleet deployments with guaranteed accident and fatality reduction risk potential requires much more than a technological solution.
A sustained transition from human-driver-in-the-loop supremacy to DV-in-the-loop supremacy is required. This transition will be challenging for drivers, both silicon and carbon-based, especially in the earliest phases of widespread deployments.
DV hailing app terms of service may require passengers to indemnify the fleet operator against class action suit in the event of accident subject to fleet operator-sponsored arbitration, and mandatory acceptance of terms before DV boarding commences. No acceptance, no ride.
NHTSA regulations appear to green light DV fleet deployment. If the federal government generously underwrites a liability insurance pool, deployment will accelerate.
The latest US motor vehicle traffic fatality statistics can be found here https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/813021 (retrieved on 20NOV2020). Whether or not STL, if integrated into the dv-onics, can reduce these fatalities remains to be seen.
Risk: Public safety.
“AI systems have found, through learned experience, that uncommunicated collusion can lead to higher profits. Such systems do not have to meet secretly in back rooms—instead, they use logic to discover that their company will make more money if they charge more for products. And if all of their competitors are using similar systems, they can all agree to raise prices and hold them there, without ever having to actually agree to do so. Worse, because they do not break any of the rules that have been established to prevent human price setters from colluding, there is nothing the law can do to stop them. At least not right now, based on current laws.”
Price fixing enforcement (see https://en.wikipedia.org/wiki/Price_fixing) requires access to pricing decisions.
A hypothetical PriceFixSnifferBot deployed by the Federal Trade Commission, the Consumer Finance Protection Bureau, or Securities Exchange Commission in the US might deter commercial enterprises from illegally exploiting (gaming) AI pricing systems.
Can a PriceFixSnifferBot correctly identify illegal price fixing traceable to a non-communicated conspiracy of AI systems owned and operated by commercial enterprises? It would imply continuous search of business pricing systems across economic sectors.
A likely violation of the US Constitution's 4th amendment preventing illegal search and seizure. Corporations, like people, are presumed innocent of illegality until proven guilty. A nationwide search warrant to prevent business price fixing across the economy? Reminiscent of a Philip K. Dick story plot.
What might trigger a PriceFixSnifferBot to identify illegal price fixing? The PriceSnifferBot would have to detect evidence of an algorithmic-enabled pricing conspiracy. An algorithmic bias standard would be needed for it to allege price bias.
The hypothetical algorithmic bias standard needs to be the equivalent of the international system of units established for the kilogram, meter, second, or ampere. These standards are fully dependent on the fundamental constants of nature (pi, Planck's constant, electron charge, etc.). Without this universal reference, political influence might adjust PriceFixSnifferBot deployment parameters to favor certain interests.
How to create an algorithmic bias standard? Perhaps an analog computation, via a Wheatstone bridge circuit with precision resistor components, could independently weigh a pricing system's algorithmic bias, thereby eliminating the human thumb from the scale.
Not hard to imagine a PriceGougeBot available for off-the-shelf purchase, or via open source at Git. Just-in-time to juice up the year-end holiday shopping experience.
Molly Sharlach, Princeton Engineering News, 17 Nov 2020 via ACM TechNews, 23 Nov 2020
Princeton University researchers have developed a machine learning (ML) technique for ensuring robots' safety and success in unfamiliar environments. The researchers came up with the technique by adapting ML frameworks from other fields to robotic movement and grasping. The new technique was tested in various simulations, and also validated by evaluating its use for obstacle avoidance using a small combination quadcopter/fixed-wing airplane drone that flew down a 60-foot-long corridor dotted with cardboard cylinders; it avoided those obstacles 90% of the time. The Toyota Research Institute's Hongkai Dai said, “Over the last decade or so, there's been a tremendous amount of excitement and progress around machine learning in the context of robotics, primarily because it allows you to handle rich sensory inputs,” like images captured by a robot's camera.
You may be interested in the following ISPI-Brookings report:
F. Rugge (Ed.), AI in the Age of Cyber-Disorder, ISPI-Brookings Report, 23 Nov 2020
Quote: CFI Vice-Chairman Andrew Percy MP has urged Home Secretary Priti Patel to “immediately investigate” how cloud-based voice services “select their material and sources,” after learning that responses given by the Amazon Alexa device “lend credibility to antisemitic views.” Full article at: https://cfoi.co.uk/cfi-vice-chairman-andrew-percy-mp-expresses-concern-over-amazon-alexa-responses-which-lend-credibility-to-antisemitic-views
Customer: “Yes you do sell vegan pizza. It's right there on your web page!”
Staff: “We are not responsible for pages you find on our website that are no longer linked from our homepage. No matter if you used Google to find them, or other nefarious means.”
As the Signal protocol becomes the industry standard, it's worth understanding what sets it apart from other forms of end-to-end encrypted messaging.
For years there has been a 3rd-party plugin for the Mozilla Thunderbird email client, called Enigmail, that enables the use of GnuPG and OpenPGP keyrings to sign and encrypt email. It included a fairly complete key management UI, and depended on an installation of the Windows port of OpenPGP. This meant I could have a single keyring and share it between Windows, Thunderbird and Cygwin.
With version 78, the folks at Mozilla made Enigmail obsolete (and non-functional), replacing it with built-in OpenPGP integration. Sounds good, right? Wrong! The new implementation is extremely limited compared to Enigmail, but it has a couple of major flaws. One is inconvenient, but the other is a security hole big enough to drive a train through.
With Enigmail, every time you wanted to sign an outgoing message, you were required to type in the key's passphrase. There may have been an option to cache the passphrase for a few minutes; I didn't use it, but I have a dim memory of the timeout being quite short.
Thunderbird's OpenPGP integration does things differently. First, it uses its own internal keyring. No more sharing a single keyring among different OpenPGP implementations. Highly inconvenient as I now have to manage two identical keyrings.
The real problem is in passphrase management. When you import a private key, Thunderbird asks for your passphrase and stores it. From that point forward, it does not prompt for the passphrase when using it to sign an outgoing email. They claim the encryption used for the passphrases is “safe”.
There's another feature called “Master Password”, but that's just security veneer as it is requested only once, at session startup. Most people leave their email client running in the background continuously. Anyone with physical access to the machine can now impersonate you with ease. And then there's the use case of a shared computer. If you want PGP encryption without the glaring risk, you cannot use Thunderbird.
I went to the Mozilla bug database to see what others have said. There are several bugs filed, all closed and dismissed with comments like “Just lock your computer. Problem solved”. I filed my own bug https://bugzilla.mozilla.org/show_bug.cgi?id=1679455
We'll see what happens.
A wave of damaging attacks on hospitals upended the lives of patients with cancer and other ailments. “I have no idea what to do.”
23,600 hacked databases have leaked from a defunct ‘data breach index’ site
Site archive of Cit0day.in has now leaked on two hacking forums after the service shut down in September.
Cit0Day Breach Collection Files: How to Check If Your Email Is Compromised
Previously, many reports confirmed that the Cit0Day leak has breached 13 billion user records from 23,000 hacked databases. It is difficult to tell if your email is among the other accounts that were compromised.
…not exactly clear what to do about this, if you've been good about using unique passwords for everything.
This is not a rare incident: An image of an operator's screen suddenly appears in the middle of a live TV broadcast. The funny part of this one is that the screenshot shows a view of a directory containing some videos, and a text file named “Alt F9 username and password”—almost an open invitation to hackers to break into the system and, if they can figure out which application uses “Alt F9”, to manipulate the video files there!
Video at: https://youtu.be/YK0LBXV2bTs?t=7
GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services https://krebsonsecurity.com/2020/11/godaddy-employees-used-in-attacks-on-multiple-cryptocurrency-services/
U.S. Representative Rashida Tlaib, a progressive first-term lawmaker, has cosponsored a bill requiring stablecoins like Facebook's Libra to be issued by banks.
… although it does sound more like the other guy was demanding a bribe, but it's still troubling and slightly ironic.
iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever
Before Apple patch, Wi-Fi packets could steal photos. No interaction needed. Over the air.
Quebec premier Francois Legault has promised a sort of four day “visiting period” December 24th to 27th over Christmas, if les Quebecois will behave themselves nicely in the week before and after. http://newsletters.cbc.ca/c/1e0JJjHQpUTXDnsEwMZFgBCttS4
This proposition is so bizarre it makes my head spin. It is akin to the saying that expecting the world to treat you nicely because you are a good person is like expecting a bull not to charge you because you are a vegetarian. Yes, I know that we all have COVID fatigue, and that mental health is an issue, but thinking that you can make this kind of deal with a virus reveals a profound misunderstanding of the situation.
The pandemic risk is not this type of risk. You can't make deals with it. It won't agree not to attack you on Tuesday if you behave properly today. You have to isolate, you have to wash your hands, you have to keep physically distant, and you have to wear a mask if you aren't physically distant ALL THE TIME. Or, if you are in close contact with someone who is infected (even if neither you nor they know it) you will get sick. You don't get to do deals. You don't get to not wash your hands just because you, personally, find wearing a mask more difficult than you think other people do.
Look, putting it in infosec terms, you don't get to click on that dangerous link, safely, just because you have not clicked on three dangerous links previously. If you click on the link, you are going to get the drive-by download installed on your machine, and the blackhats are going to steal all your financial information, contacts, and accounts. You have to keep up your guard ALL THE TIME.
With this type of thinking, I am not looking forward to the coming months. The US is already in a bad way, and American Thanksgiving is coming up next week, right? Take a lesson from us, in Canada. We let our guard down for our Thanksgiving, which is in October (at the actual harvest season, not just a kickoff for Christmas shopping season), and we are definitely paying for it now. If those of you in the Unexplored Southern Area party on Thanksgiving and then again at Christmas, there won't be any of you left by the time the vaccines actually come out.
Look, this isn't the virus that stole Christmas. Think of other ways to “get together,” separately. That's why God invented Zoom and Whatsapp and Facetime. (And Jit.si. I'm dying to try out Jit.si. Somebody just installed it on our Vancouver Security SIG Slack.) (I hate Slack.) I'm pretty sure you can find someone on Doordash who will deliver turkey. But don't think of packing together in a house this Christmas. It's dangerous. And no “moral contract” will change that.
Now go call your Mum on Whatsapp.
IBM has found that companies and governments have been targeted by unknown attackers, prompting a warning from the Homeland Security Department.
“Most” of the side effects are reportedly “mild and short-term.”
The British government is funding the development of an artificial intelligence tool to track and log what it anticipates will be a “high volume” of adverse reactions to the upcoming COVID-19 vaccine once it becomes widely distributed.
A “contract award notice <https://ted.europa.eu/udl?uri=TED:NOTICE:506291-2020:TEXT:EN:HTML&src=0>” posted to the European Union public procurement tracker Tenders Electronic Daily states that the U.K.'s Medicines and Healthcare products Regulatory Agency plans to deploy “an Artificial Intelligence (AI) software tool” to “process the expected high volume of COVID-19 vaccine Adverse Drug Reaction (ADRs) and ensure that no details from the ADRs' reaction text are missed.”
“It is not possible to retrofit the MHRA's legacy systems to handle the volume of ADRs that will be generated by a COVID-19 vaccine,” the contract notice continues. “Therefore, if the MHRA does not implement the AI tool, it will be unable to process these ADRs effectively.”
“This will hinder [the MHRA's] ability to rapidly identify any potential safety issues with the COVID-19 vaccine and represents a direct threat to patient life and public health.”
The contract, which is worth $2 million, was awarded in September to Genpact (UK) Ltd. The posted announcement states that “reasons of extreme urgency” related to the pandemic have “accelerated the sourcing and implementation of a vaccine specific AI tool.”
COVID vaccine safety expected to be ‘similar to other types of vaccines’ […] https://justthenews.com/politics-policy/coronavirus/uk-will-use-ai-tool-process-high-volume-expected-adverse-reactions
The hackers behind TrickBot have begun probing victim PCs for vulnerable firmware, which would let them persist on devices undetected.
Lessons Learned From the 2020 Presidential Election
Timnit Gebru, one of the few Black women in her field, had voiced exasperation over the company’s response to efforts to increase minority hiring.
Got woken up by a spam/telemarketer/vishing call today. Obvious machine generated “voice” telling me it was calling from “Amazon Prime Number …”
> Oh no! There most certainly is no fee for creating a discussion here :-)
> Thank you for letting me know - we'll look into fixing this and report back. ;-)
I bet it's the old story: Older users choose larger fonts, that younger designers never expected would then exceed their tiny boxes and get clipped… in just the wrong places!
Please note: We are using a passwordless system to manage Snopes Accounts. This means we'll email you a verification code each time you log in. If you do not receive your verification code within a few minutes of logging in, please check your spam folder.
We're using a passwordless login system for a few key reasons:
[What could go wrong with that? So having your email compromised automatically compromises every site using this system, what a great time saver. GG]
“We are satisfied with little, but even that little is impossible today.”
When Captain Alexander Ovchinnikov took over command of the ship Gobustan in Istanbul, the term COVID-19 hadn't been coined yet, quarantine was the stuff of apocalyptic science fiction, and few people outside of China knew where Wuhan was. It was December 25, 2019. Ovchinnikov, 39, was still on that ship through the summer, along with 11 other crew members: The second engineer was Russian too, the cook was Ukrainian, and the rest were from Azerbaijan. At least one had been on board since October 2019, and none of them had received a salary since January. The crew of Gobustan had been stuck since June 16 in the Italian port of Ravenna, on the Adriatic Sea. “We live like in prison. We get up, have breakfast, do some routine activities, then we have dinner and go to bed,” said Ovchinnikov. Their days were all the same and the stillness was shaken only by cleaning and maintenance activities. Sure enough, the ship was clean as a whistle.
Risks? Flags of convenience, politics, corruption, malfeasance…
RISKS doesn't usually post cartoons, but Randall Munroe's XKCD today is appropriate:
“I'll never install a smart home smoke detector. It's not that I don't trust the software—it's that all software eventually becomes email, and I know how I am with email.”
Those who use Microsoft 365 can now get a “Productivity Score.” And so can the boss. https://www.independent.co.uk/life-style/gadgets-and-tech/microsoft-365-office-surveillance-productivity-b1761570.html
How many times do you use email, or chat? Do you turn off the Webcam when on video meetings? Employees are ranked against their peers. Optionally, the boss can also share the data with Microsoft, in order to see how your company is doing against the competition. Which means Microsoft gets lots and lots and lots of company and user data.
Privacy issues, much?
“So there are fewer people involved, and the PC is going to be more secure for it.”
Interesting statement. Open-source proponents might make exactly the opposite argument.
I recall a story I was told some 20 years ago while being driven along the road in question, that the CCTV operators overseeing the operation of the HOV 3+ lanes on the I395 (Shirley Highway) had observed that the passenger seats of many vehicles appeared to be occupied by opera divas in full song.
It is truly an abomination that a line of mass-produced consumer products would be released with such egregious security failings. However, in my world and perhaps in certain parts of the REAL world, SSH on my home cable router is port-forwarded to a machine that is not the television. And on my TCL 40S330 purchased 20-Nov-2020 ssh and telnet are both rejected at that host.
I don't have any comment on the serving up of the file system… well hardly any.
Taking up Brian Inglis's suggestion of a Limerick (RISKS-32.38) …
In Holland they tell a tall tale,
Of a train that was stopped by a whale.
It seemed quite a fluke,
But it earned a rebuke,
For the driver, whose train left the rail.
Right—far too many household objects have delusions of computerhood (toothbrush with timer and several brushing modes, blood pressure monitor, electric razor charging station with multiple indicator lights, etc.). I actually don't mind them having localized/isolated computing power but I'm selective about what goes online. For example, I could connect garage door opener to Internet and control it with smartphone app—but no.
>> TVs should be TVs, not computers.
> That's how TVs are used in our household, but the horse is already out of the barn. You could also say watches should be watches, vacuum cleaners should be vacuum cleaners, phones should be phones, cars should be cars, refrigerators should be refrigerators. The issue is cooked. What may not be cooked is how we end up regulating the privacy and security issues. I hope not, in any case.
>
> Before me is a copy of the notes for a talk I gave several times in the early 1990s to groups in Europe in which one slide asks “What's the difference between a computer with a television in it and a television with a computer in it?” and the next answers “None”. I wanted to prepare them for a networked future with active media where computing and networking would be so widespread and common as to be invisible.
>
> I can't recall that they ever got it.
>
> Pete Kaiser
I do not agree with its conclusion. While I agree that passwords should be complex and long, or rather passphrases, and ideally go along with second factor authentication, the problem in the below lies somewhere else: in the increasing need to register with an email address / password combination on even the simplest webpages to get some random content (newsletters, bulletin boards, etc.) such that the website owners can market those email addresses. The risk of exposure of personal information on those pages, if those sites are compromised, is zero. The password complexity (and use of 2FA) should be proportional to the risk --- where PII is at stake, complex passwords & 2FA are a must. But for a page where I am forced to register just with an email address to access content, like RISKS, any password can do.
And this points out why one should NEVER use a so-called “password manager” because they are inherently untrustworthy and have access to all your passwords.
If you want to publish all your passwords for everyone to see, why not just write them on a sticky-note and stick it on your window, or send it as a letter to the editor of your local newspaper? Or post them on Twitter or whatever the kids are using these days …
It took just 48 hours for the first person to get there.
When officials in Utah on Monday revealed they had found a shimmering, metal structure deep in the Red Rock desert, they refused to say exactly where.
They hoped that would be enough to deter amateur adventurers from setting off to find it, risking getting dangerously lost in the process.
But there was little chance that people would abide by this advice. By Wednesday, pictures were emerging on Instagram of people triumphantly posing with the monolith, eager to show the world that they had got there first - even if the wider mystery of why it is there remains unsolved.
They were aided by Internet sleuths who had quickly geo-located the structure on Google Earth and posted the co-ordinates online.
The risk? Trying to keep secrets.