Politicians will continue to make stupid and ignorant comments about CoVID-19 and the vaccines.
People will still get hit by ransomware because they didn't make backups.
Not as many people as you think will be affected by ransomware because the media, and most companies, will continue to confuse ransomware and breachstortion.
The casino known as cryptocurrency will continue to operate even where gambling is illegal, and will swing wildly without any particular reason.
The media will continue to write articles completely misrepresenting quantum computing and its applications because they don't know the difference between quantum computing and quantum cryptography.
More companies will jump on the differential privacy bandwagon. Since they don't know what it actually is, none of them will actually use it.
Yet another security framework will be announced with great fanfare, and a minor industry will spring up with people consulting and teaching you how to use it and/or get certified for it. Because it has a new name, few will realize that it is just a minor variation on one of the existing security frameworks.
Even though we have just passed through a pandemic and have had ample examples of what went wrong with our business continuity plans, BCP will continue to be ignored.
Ignorance, misinformation, and disinformation will continue to be spread via social media.
Someone will promote yet another application for blockchain to solve an intractable problem, in a situation where blockchain technology is completely irrelevant.
Happy New Year…?
Microsoft says Russians hacked its network, viewing source code
“His worry is that the pandemic has accelerated the digitisation of health. While that has brought benefits such as consultations taking place online, he says the investment needed to keep Internet-connected systems and devices secure has not kept pace.”
Dr Abed says he often hears security researchers talk about hacking insulin pumps to kill someone. But he says a bigger risk is the fact that more devices are being connected together while remaining vulnerable, leading to the risk of a cascade effect. “He adds that his biggest worry is that criminals move from just locking organisations out of their health data to starting to tamper with it, posing risks to patient safety.”
The essay raises the alarm about medical record tampering: Laboratory results, prescription schedules, pre-existing condition summaries, diagnostic imaging, biopsy results, etc. may be manipulated to achieve a specific patient outcome.
Platform privilege escalations, and software supply chain back-doors, are known to enable system of record modifications that promote tampering for surveillance or ransomware extortion. Medical record tampering can be concealed.
Medical record tampering will require collaboration between medical and computer security forensic specialists to disprove medical misadventure. Are law enforcement and public health agencies prepared to engage these incidents?
As an aside:
The International Classification of Diseases reveals 114 distinct codes for “External Causes of Injuries” traced to medical misadventure. Visit https://icd10cmtool.cdc.gov/, select Fiscal Year “FY2018 — October 1 2017” and type in “misadventure” in the search bar.
No ICD-10 records are returned searching for “malware,” “ransomware,” “hacking,” “patient record,” “software,” etc. Search for “device” and there's a code (Y65.51) for “device implanted in correct surgical site” under “Wrong.”
Seconds after Usmaan Ahmad heard metallic bangs in his Tesla Model S last month and pulled off a suburban Dallas thoroughfare, flames started shooting out of his five-year-old car.
The sound was like “if you were to drop an axle of a normal car” on the ground, Ahmad, 41, said. Only the car was intact, he recalled. Suddenly, as he stood on the side of the road, the car ignited in flames, concentrated around the front passenger-side wheel. “This was shooting out like a flamethrower,” recalled Ahmad, who works in strategy and business development for a health-care system.
The combustion of Ahmad's car is one of a growing number of fire incidents involving older Tesla Model S and X vehicles that experts say are related to the battery, raising questions about the safety and durability of electric vehicles as they age. The National Highway Traffic Safety Administration (NHTSA) is evaluating the fire of Ahmad's vehicle in Frisco, Tex., and has contacted Tesla over the matter, NHTSA spokesman Sean Rushton said this month. The agency opened an investigation last year into alleged battery defects that could cause fires in older Tesla sedans and SUVs. […] https://www.chron.com/business/article/A-Tesla-Model-S-erupted-like-a-flamethrower-It-15831399.php
(Via Dave Farber)
References to decades-old computer software are included in the new Brexit agreement, including a description of Netscape Communicator and Mozilla Mail as being “modern” services. Experts believe officials must have copied and pasted chunks of text from old legislation into the document. The references are on page 921 of the trade deal, in a section on encryption technology. It also recommends using systems that are now vulnerable to cyber-attacks. The text cites “modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x.”
A while back I wrote up a piece on the lessons that ice hockey brings to risk management. Today some lessons from hockey for CoVID-19 management, and thence to security.
BC Premier John Horgan has already provided the initial sports analogy. He pointed out that, when running a marathon race, and the final tape comes in sight, you don't relax. You dig down and put all your reserves into one final sprint. The CoVID-19 point being that we now have a vaccine. In fact, more than one, with more showing promise of coming on stream shortly. But, as the sports analogy suggests, just because we have a vaccine doesn't mean we stop isolating at home, or physical distancing when out, or handwashing at every turn, or wearing a mask.
The equivalent hockey analogy is “the final minute.” Hockey periods are twenty minutes long. (With some exceptions that we don't need to go into, now.) For nineteen minutes, the clock just shows the remaining time in minutes and seconds. But, for the final minute of each period, the clock counts down seconds and tenths of seconds. Because hockey scores are so low, people forget how fast hockey is, as a game. The whole play can go from end to end, in six seconds (and, in a breakaway, even less). This means that, theoretically, in the final minute of a period or a game, the play can go end to end ten times over. And I've seen an Olympic gold medal game decided in the final three seconds. So, when the final minute comes, you put everything you've got into the game.
CoVID-19 can be equally fast moving. Let the Rt number go above one, and you start getting exponential growth. As human beings, we only barely understand linear growth, so we don't automatically see the implications of exponential growth, but it's what leads to chain reactions and explosions. So you can have case numbers in single digits and think that you have everything under control. And then it gets a little higher, and you think case numbers in the 30s are OK. And then you think case numbers in the hundreds are OK, and then 300s, and then thousands, and all of a sudden your whole medical system is overwhelmed. And, at that point, a vaccine becomes problematic. Because we don't know how well the vaccine will work on people already infected. And gathering people for vaccines might be a problem if there is high community transmission. Also, the vaccines we've got aren't “one and done.” So far the vaccines that have been approved require two shots, with time between and after, so the “final minute” stretches to possibly two and a half months even after you get your first shot. Plus the fact that the vaccine production is only starting, and the fact that 95% effective is not 100% effective, so nobody is safe until everybody in the world is safe, and …
The first security lesson to take from this is that there is only so much we can learn from attacking systems. Many teachers think that teaching security students to attack systems will teach them valuable lessons. That is true, but only so far. There is one lesson that attacking cannot teach you, and that is that, when attacking, you only have to be right once. When you are defending, you have to be right ALL THE TIME. In security, you can never let your guard down. Not even when you are looking forward to homomorphic encryption or differential privacy or blockchain or cloud or whatever new technology you think is going to be the “magic bullet” “vaccine” that will render security obsolete. (Spoiler alert: security will never be obsolete.)
While I was thinking of this, I was also watching the World Juniors. And the Canada versus Slovakia game presented another “last minute” lesson. Something else that tends to happen in the last minute of the game is “pulling the goalie.” In hockey you are only allowed to have six men on the ice at any one time. One of these is generally the goalie. But in certain situations, where your team is down by a single goal, and the last minute is coming up, you sometimes take the goalie off the ice so that you can add an extra attacker. This is a desperation move, which is why you only do it when you are going to lose anyway. In the Canada/Slovakia game, Canada was leading two to nothing when they got a penalty in the last few minutes. This means Canada has to take a man off the ice for a time, and the Slovaks had a five-to-four man advantage. Being two goals down, and a man up, the Slovaks decided it was worth the risk to pull the goalie, give themselves a six-to-four two man advantage, and it paid off: they got a goal. Then they got overconfident. With the teams back at even strength, they pulled the goalie again, to give themselves a man advantage. They put the pressure on in the Canadian zone, but one pass back to their point man at the blue line hopped over his stick. As he turned to get it, a Canadian player got past him and picked up the puck. Well, when you have the puck and are ahead of the race, and are facing an empty net, the only question remaining is whether you will panic, shoot too soon, and miss. The Canadian player didn't panic, and the game ended three to one. (Yet another risk management lesson from hockey.)
In regard to the pandemic, we are relying on the benefits of the vaccine. But we can't rely on that too much, or too soon. As with security, we need to think of defence in depth. The vaccine is one layer, but relying solely on the vaccine is a desperation move, and it carries enormous risks. We need to keep using our protections of isolation, handwashing, distancing, and so forth, right to the end of the game.
Whirlpool has been hit by ransomware.
And a new, and more infectious/transmissible strain of the coronavirus has been discovered in the UK and other countries.
In both cases, my response is: so what? We know how to fix this.
In terms of ransomware, there always has been a fix. Make a backup. It's an old protection, and one that protects against a wide variety of threats. It's not flashy, and it's not the latest new security buzzword. But it works. (And, OK, there are backups that don't work against ransomware, or certain types of ransomware, but there are different types of backups, and having multiple types of backup is yet another form of backup. Redundant backup isn't redundant if you need it.)
In the same way, we know exactly what to do to protect against the novel “novel coronavirus”. Yes, it is more transmissible. That means it may spread more rapidly through the population. But that will only happen if we don't take the proper precautions. And we already know what the proper precautions are. Stay home as much as you can. Wash your hands. If you must go out, stay six feet or two metres away from people. (Since the new strain is more infectious, you might want to increase that to eight feet or two and a half metres, just to be on the safe side.) Don't have or go to parties in person. (You can Zoom all you want.) Follow the WHO's Five Heroic Acts. Wear a mask for extra protection. This is not rocket science, and it's not new. We know what to do, and all we have to do is do it.
Yes, it's a pain. Yes, it's inconvenient. (In both cases.) Yes, it's going on for a long time. (Mind you, in terms of the pandemic, it's a lot shorter than either world war …) But we know what to do. So don't panic, and just do it.
Now go make a backup. And then wash your hands.
“Forty-one railroads were required to install PTC systems — seven Class I railroads, Amtrak, 28 commuter railroads and five freight railroads that regularly host commuter passenger service.”
“Nearly 100 host and tenant railroads, associations, service providers and suppliers were involved in the project, the Federal Railroad Administration said.”
“‘At its core, PTC is a risk-reduction system that will make a safe industry even safer, and provide a solid foundation upon which additional safety improvements will be realized,’ Federal Railroad Administration Administrator Ronald L. Batory said in a statement.”
“BNSF San Bernardino Case Study: Positive Train Control Risk Assessment” https://rosap.ntl.bts.gov/view/dot/28265 abstract states (select words CAPITALIZED for emphasis by submitter):
“The Federal Railroad Administration funded the BNSF San Bernardino Case Study to verify its Generalized Train Movement Simulator (GTMS) risk assessment capabilities on a planned implementation of the I-Electronic Train Management System (I-ETMS) positive train control (PTC) system. The analysis explicitly simulated a 10-year period of railroad operations. During simulation, ALL initiating errors and failures of PTC-preventable accidents were captured and stored along with the entire system state. Subsequent analysis conducted repeated simulations based on random draws from these stored initiating system states to generate hazards and accidents with equivalent statistical confidence of more than 300 years of conventional Monte Carlo simulation. Subject to model assumptions, Base Case mean time to accident (MTTA) for collisions by type is: head-head 4.5 years, head-tail 11.8 years, and sideswipe 2.56 years. An over-speed derailment accident is predicted with a frequency of once every 8.6 years; risk of work zone accident is negligible. As modeled, I-ETMS mitigates ALL but negligible risk of PTC-preventable accidents with a high degree of confidence. A sensitivity analysis confirms these results. Changes to operating assumptions that could indicate greater risk in the Base Case actually show small variance in total risk. However, there is greater variance in the mix of accidents by accident type.”
One hopes that the GTMS platform, or its latest instantiation, has been updated to account for “100 host and tenant railroads, associations, service providers and suppliers” concurrently inter-operating via a common PTC communication and signaling specification.
PTC deployment opens the supply chain risk doors: network intrusion during maintenance updates can weaken or corrupt automatic state management. Operational errors can arise from human factors.
A simulation is only as good as built-in assumptions and applied stimulus conditions permit. Were non-deterministic stimulus conditions applied to GTMS to show that “impossible” incidents are detected and appropriate PTC actions are initiated in response?
Peter Dizikes, MIT News 10 Dec 2020 via ACM TechNews, 28 Dec 2020
Researchers at the Massachusetts Institute of Technology (MIT), Northwestern University, and the University of Chicago contend Russia's use of North Korean IP addresses for a cyberattack during the opening ceremonies of the 2018 Winter Olympics underscored the need for a new cybersecurity strategy involving selective retaliation. Said MIT's Alexander Wolitzky, “If after every cyberattack my first instinct is to retaliate against Russia and China, this gives North Korea and Iran impunity to engage in cyberattacks.” After extensive modeling of scenarios in which countries are aware of cyberattacks against them but have imperfect information about the attacks and attackers, the researchers found a successful strategy involves simultaneously improving attack detection and gathering more information about the attackers' identity before retaliating. Wolitzky added, “If you blindly commit yourself more to retaliate after every attack, you increase the risk you're going to be retaliating after false alarms.” https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28acex2271a5x071819&
Apple lost its copyright lawsuit against Corellium, a small security research company that sells its customers the ability to more easily find bugs in Apple's mobile operating system. The federal judge in the case ruled Corellium's business was protected under the “fair use” provision of copyright law.
(Via Dave Farber)
EFF, 26 Dec 2020 <https://www.eff.org/deeplinks/2020/12/us-internet-being-starved-its-potential>
Over a year ago, EFF raised the desperate need for the United States to have a universal fiber infrastructure plan in order to ensure that all Americans can obtain access to 21st century communications technology. Since then, we've produced technical research showing why fiber is vastly superior to all the alternative last mile broadband options in terms of its future potential, published legal research on how the U.S. regulatory system started getting it wrong (as far back as 2005), and suggested a path forward at the federal and state level (including legislation) for transitioning the U.S. communications infrastructure toward a fiber-for-all future.
Since then, the pandemic changed our world, as remote work and education became a necessity for most people. At the very start of the stay-at-home orders, EFF expressed our concern that our failure to deliver ubiquitous, affordable, future-proofed infrastructure is going to hurt the most vulnerable. People that lack fiber infrastructure are stuck with second-class Internet access with limited potential as prices continue to rise, slow speeds become obsolete, and needs for better access grow. Most notably, in response to these problems, the House of Representatives passed a universal fiber plan as part of the COVID-19 recovery effort, and we continue to make the case to the U.S. Senate, which has passed no universal 21st-century broadband plan, as to why Majority Whip Clyburn's Affordable, Accessible Internet Act is the federal answer.
But so long as our local, state, and federal governments do not prioritize delivering future-proofed infrastructure to all people, our ability to make full use of the 21st century Internet will be limited. New services and applications will be tested and created in Asia, not here, and the next Silicon Valley premised on high upload low latency applications and services will not be in California.
America Is Behind by Choices Made by a Handful of Political and Regulatory Leaders
A billion fiber optic connections to the Internet are coming online in just a few years. A large majority of them will be in Asia, primarily led by China. These connections have already proven to be future-proof, capable of reaching not just gigabit speeds, but multi-gigabit speeds. Fiber is not only faster; it's also cheaper long-term.
No other connection even comes close by comparison. The future of the Internet is going to be fiber. Just not in the United States. Yet. We could still change this.
But for now, the United States remains woefully behind dozens of advanced economies, with an overwhelming amount of the infrastructure dependent on slow legacy infrastructure primarily built in the late 20th century. Those legacy copper and coaxial cable connections have failed to deliver robust enough connectivity to handle the immediate remote work and remote education needs of COVID-19 pandemic. They will not handle the future.
Moreover, their costs are increasing due to obsolescence and will be useless for future applications and services dependent on high-speed, low latency access. This lack of ubiquitous fiber is one of the reasons why the United States is so far behind 5G speeds available, even on downloads (see chart below).
On average, the United States has the slowest, most expensive Internet access market among advanced economies, which is choking off the Internet's ability to be a force for improving American lives while the world marches forward. What the Internet becomes in the mid-to-late 21st century will not be an American story, unless we aggressively course-correct our infrastructure policies soon.
America Doesn't Need a Broadband Plan, it Needs a Fiber Infrastructure Plan
A decade ago, the FCC issued a congressionally mandated National Broadband Plan establishing a goal of connecting 100 million U.S. homes to 100 Mbps download and 50 Mbps upload by 2020. While advancements in national download speeds have occurred due to some cable industry changes, hybrid fiber/coaxial cable systems are still failing to deliver robust upload speeds. In fact, during the pandemic when broadband access demand is extremely high, cable systems failed to deliver.
Essentially, the COVID-19 crisis increased our Internet usage by a year's worth of growth in a few weeks.
Fiber was able to handle it, cable was not (and 5G just barely exists). Our technical analysis of broadband access options found overwhelmingly conclusive evidence that the inherent capacity in a fiber wire is orders of magnitude greater than all of the alternative wire and wireless options. And most recently we are now seeing wireless industry acknowledgement of the importance of widespread fiber to 5G's future (but an absence of solutions other than “give us more money”).
While many in government will talk about how we need to get broadband to everyone, what they should really be talking about is how we get 21st-century-ready fiber infrastructure to everyone. This distinction is important because we have already spent billions upon billions of dollars building broadband with virtually nothing to show for it. That happened because we subsidized slow speeds on any old network with little expectation of future increases in capacity. For example, Frontier Communications received a large amount of federal subsidy but wasn't forced to begin long term upgrades to cost-efficient fiber, resulting in the telecom carrier's bankruptcy. They took all those federal dollars straight to the grave because all that was required was to deliver 10 Mbps download / 1 Mbps upload Internet to as many people as possible. Those federal dollars were then squandered on propping up obsolete copper networks in rural markets, instead of long-term fiber, forcing us to have to spend the money again now on fiber.
This is why slow networks actually cost more than fiber; the number of years the investment remains useful is relevant to your total costs. The only state in the U.S. that appears to have escaped this fate was North Dakota, where nearly 67% of the state's residents have gigabit fiber (the U.S. average sits around 30% of households). The reason broadband looks so different there is because local private and local public providers spent those dollars on fiber (and notably no national carriers sell broadband in North Dakota). Big legacy industry would love for the government to continue to spend large amounts of money on slow speed perpetual subsidies (which is still happening today from the FCC and in states like California) because it solves nothing and maintains their slow Internet monopoly.
Continued government spending on this approach though is akin to giving the Joker a pile of cash and watching him set it on fire.
The Absence of Regulation Is Part of the Problem
The thing that holds back the large national broadband providers is the resistance to making long term investments in infrastructure as opposed to short term profits. As noted earlier, large publicly traded ISPs are ill-equipped to address the national need for fiber because of its high upfront costs and their standard three- to five-year return on investment formulas for determining where to build. This is why even densely populated cities like New York City (NYC) had to spend six years suing Verizon to expand fiber, despite the fact that it is completely profitable to serve all of New York City in the aggregate.
There are very few legitimate reasons densely populated cities like Los Angeles and Oakland aren't near universal fiber at this point. Knowing this, EFF has called on the California Public Utilities Commission (CPUC) to simply require every broadband provider providing service throughout a major city with a population density in excess of 1,000 people per square mile to give everyone fiber as a condition of doing business in the state. It is already against state law to discriminate based on socio-economic status and the evidence is coming in that fiber is going to high-income and skipping low income neighborhoods. In fact, given that income can serve as a proxy for race, recent studies are showing that black neighborhoods are being skipped by fiber in Los Angeles County and high-speed access is being deployed in a discriminatory fashion in Oakland that matches past redlining that occurred with housing.
California's state law is already clear that you aren't allowed to profit from unreasonable discrimination, but the regulator has to enforce those laws for it to matter. The FCC can also address this problem, but only after it reverses the federal deregulation that occurred in 2017 when it repealed net neutrality as part of the Restoring Internet Freedom Order. When broadband carriers are required to operate in a non-discriminatory manner (as required if we treat them as common carriers), it is much more than net neutrality, it is about how they deliver access infrastructure to the public as well. Until then, it will be on states and local governments to address this problem.
Localism in Broadband and Investments in Fiber Will Be How We Get 21st Century Access to All People
If the large national carriers are ill-equipped to take on the societal challenge of connecting everyone to robust 21st-century ready access to the Internet, then we need to explore our alternatives and to rethink the government's approach. The most promise appears to come from smaller, locally-held private and public entities who can take on long term patient investments without being subject to Wall Street fast profit expectations. Such entities are deploying fiber where national carriers have long ignored and are building the 21st century in areas previously left behind such as a Missouri cooperative United Fiber delivering fiber to the home at a density of only 2.5 people per square mile or the joint venture between Alabama Power (the state's electric utility) and Mississippi's C-Spire to deliver fiber to the home throughout the state of Alabama.
ACM TechNews, 30 Dec 2020, via Leah Crane, New Scientist, 10 Dec 2020
Amazon researcher Aleksander Kubica won the world's first quantum chess tournament during the virtual Practical Quantum Computing (Q2B) conference. Quantum chess incorporates ideas from quantum mechanics, with pieces able to be placed into a superposition of two locations, for instance, or entangled with one another. The winner must capture the opponent's king and make a robust quantum measurement of its location. California Institute of Technology's Spiros Michalakis said, “It's like you're playing in a multiverse but the different boards [in different universes] are connected to each other.” Cantwell noted the ultimate goal of quantum chess is to provide a familiar mechanism for teaching the basics of quantum mechanics. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28b2cx2271bbx071822&
Yes, it really is, and “loss of trust” in democratic institutions is a principal objective of state-hackers and other anti-democratic actors. If not the principal objective; can democracy function without trust?
> “The public is not being stupid when they decide what to believe based on political biases.”
This misses the point that political actors are responsible for escalating the loss of trust. So if not stupid then gullible.
Whom do you now trust? Surely not politicians? (You never did in the past).