The RISKS Digest
Volume 32 Issue 44

Saturday, 9th January 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Y2K+21 Bugs reported: more echoes of Y2K
Bill Ricker
Microsoft says Russians hacked its network, viewing source code
WashPost
Scope of Russian Hacking Far Exceeds Initial Fears
NYTimes
Trump Officials Distorted Intelligence on Foreign Meddling
NYTimes
Voting Systems: The Cherry and the Cream, Life, Technology and more
Mark Cathcart
A journalist had a seizure while playing Cyberpunk 2077. Then she helped change the game.
WashPost
Insecure wheels: Police turn to car data to destroy suspects' alibis
NBC News
NYC prison website "bails out"
Gothamist
AI algorithms detect diabetic eye disease inconsistently
Medicalxpress.com
The Earth has been spinning faster lately
phys.org
Boeing to pay $2.5bn over 737 Max conspiracy
bbc.com
American Airlines says flight attendants forced to deal with politically motivated aggression
WHDH
Ticketmaster Pays Up for Hacking a Rival Company
WiReD
Internet detectives are identifying scores of pro-Trump rioters at the Capitol. Some have already been fired.
Jaclyn Peiser
Here's Why Car Thefts Are Soaring—Hint: Check Your Cup Holder
NYTimes
Why Markets Boomed in a Year of Human Misery
NYTimes
A Robotic Revolution for Urban Nature
Leeds
Re: Vaccines
Wol
Re: "One Minute Left": Hockey, CoVID-19 ...vs hacking
Chris Drewe
Re: The U.S. Internet Is Being Starved of Its Potential
Henry Baker Chris Drewe
Re: References to Netscape and Mozilla in Brexit trade agreement
Attila the Hun Stanley Chow
Info on RISKS (comp.risks)

Y2K+21 Bugs reported: more echoes of Y2K

Bill Ricker <bill.n1vux@gmail.com>
Fri, 8 Jan 2021 19:39:21 -0500
I am aware of at least two Y2K21 bugs, being Y2K "window" patches that worked
through 2020-12-31 and wrapped to 1921 last weekend, one confirmed and one
semi-confirmed.  (And quite a few other systems having problems on the first
business day of the year that could be just normal new year policies for the
new year issues, or Y2k21.)

NWS GEMPAK graphical output for weather models (US)
https://twitter.com/pmarshwx/status/1345178416765677569
> GEMPAK has a Y2K21 bug that we have been working on all day.
> This mesoanalysis radar issue is one of the problems that has not been resolved.
> The mosaic-ing code is producing files with years 1921 and are unusable.
> ETA for fix remains unknown.

(I'm looking at it now, it's fixed. Images are tagged with YYMMDD/HHMM
"forecast valid" times, which apparently were expanded to YYYY for Y2K
compliance somewhere ... with a 1921-2020 window.)

Norwegian social welfare system(s)
https://twitter.com/skogesT/status/1344579147495075840
Twitter translation by google:

> There is certainly a corresponding Y2K / 2020/2021 bug in Infotrygd (the
> case processing system NAV uses for, among other things, child benefit).
> It is probably still Infotrygd that is used, such an error would not have
> occurred in a new computer system. (This is a typical I-letter.)

  [Welcome back, Bill!
  We had not heard from you since RISKS-4.86 in May 1987.
    Between Iraq and a Hard Place [Protect Your Phalanx] (William D. Ricker)
  PGN]
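
The wrap Bill describes, worked through as an added example (this is not GEMPAK code, and the NWS fix is not known to me). The 1921-2020 window and the YYMMDD/HHMM tag format are taken from the post above; the sliding-window policy, the 80-year lookback and the sample tag are my assumptions for illustration.

```python
"""Two-digit year windowing and the Y2K21 wrap described above.

Added example, not GEMPAK code.  A Y2K "window" patch keeps the two-digit
year in the data and picks the century at parse time.  A fixed window such
as 1921-2020 is correct for exactly 100 years and then silently wraps:
"21" meant 2021 until 2020-12-31 and means 1921 from 2021-01-01.
"""
from datetime import date, datetime
from typing import Optional


def expand_year_fixed(yy: int, window_start: int = 1921) -> int:
    """Expand a two-digit year into the 100-year window
    [window_start, window_start + 99].  The default is the window the post
    infers for GEMPAK: '20' -> 2020, but '21' -> 1921."""
    if not 0 <= yy <= 99:
        raise ValueError(f"two-digit year expected, got {yy!r}")
    century = window_start - window_start % 100      # 1900 for a 1921 start
    year = century + yy
    if year < window_start:                           # below the window: next century
        year += 100
    return year


def expand_year_sliding(yy: int, today: date, lookback: int = 80) -> int:
    """Sliding window anchored on today's date (an assumed policy, not
    GEMPAK's): interpret yy as a year in [today.year - lookback, +99].
    The window moves every year, so it never wraps; the price is that
    dates more than `lookback` years old, or more than 99 - lookback years
    ahead, are misread.  Choose lookback from the data's real age range."""
    return expand_year_fixed(yy, today.year - lookback)


def parse_valid_time(tag: str, today: Optional[date] = None,
                     window_start: Optional[int] = None) -> datetime:
    """Parse a 'YYMMDD/HHMM' forecast-valid tag (the format named in the
    post).  window_start selects a fixed window; otherwise the sliding
    window is used."""
    if len(tag) != 11 or tag[6] != "/" or not (tag[:6] + tag[7:]).isdigit():
        raise ValueError(f"malformed YYMMDD/HHMM tag: {tag!r}")
    yy, mm, dd = int(tag[0:2]), int(tag[2:4]), int(tag[4:6])
    hh, mi = int(tag[7:9]), int(tag[9:11])
    if window_start is not None:
        year = expand_year_fixed(yy, window_start)
    else:
        year = expand_year_sliding(yy, today or date.today())
    return datetime(year, mm, dd, hh, mi)


def wrap_year(window_start: int) -> int:
    """First calendar year a fixed window misreads: window_start + 100.
    For the 1921-2020 window that is 2021, exactly what the post reports."""
    return window_start + 100


if __name__ == "__main__":
    tag = "210108/1200"          # constructed sample: 8 Jan 2021, 12:00
    print("fixed 1921-2020 window:", parse_valid_time(tag, window_start=1921))
    print("sliding window        :", parse_valid_time(tag, today=date(2021, 1, 8)))
    print("fixed window wraps in :", wrap_year(1921))
```

The check worth running on any code base that survived Y2K is a search for fixed pivot constants (a literal century or a `< 20`/`>= 50` style comparison on a two-digit year) and a note of each one's wrap year from `wrap_year`. A sliding window only postpones the ambiguity; data that must outlive the window needs a four-digit year in the record.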


Microsoft says Russians hacked its network, viewing source code (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Fri, 1 Jan 2021 01:29:25 -0500
The firm did not say what type of code was accessed and said no changes to
the code were made.

https://www.washingtonpost.com/national-security/microsoft-russian-hackers-source-coce/2020/12/31/a9b4f7cc-4b95-11eb-839a-cf4ba7b7c48c_story.html


Scope of Russian Hacking Far Exceeds Initial Fears (NYTimes)

Peter Neumann <neumann@csl.sri.com>
Mon, 4 Jan 2021 14:08:58 PST
Goal of Intrusion Still Unknown:  Was it for spying or to insert hidden
traps?

  [or both and still more?  PGN]

David E. Sanger, Nicole Perlroth and Julian E. Barnes
*The New York Times*, 3 Jan 2021


Trump Officials Distorted Intelligence on Foreign Meddling (NYTimes)

Peter Neumann <neumann@csl.sri.com>
Sat, 9 Jan 2021 09:26:01 PST
  Julian E. Barnes, Charlie Savage, and Adam Goldman,
  *The New York Times*, 9 Jan 2021, Page A18 in the national edition

  The analytic ombudsman of the ODNI Barry A. Zulauft found "there was a
  loss of objectivity" and politicization in last year's threat reporting.
  A briefing to Congress omitted many findings of the Intelligence
  community's analysis of Kremlin activities leading up to the 2020
  election.  [Why are we not surprised?  Half-page article.  PGN-ed]


Voting Systems: The Cherry and the Cream, Life, Technology and more (Mark Cathcart)

Gabe Goldberg <gabe@gabegold.com>
Fri, 1 Jan 2021 02:14:29 -0500
  I've really stopped blogging as I didn't want this blog to just
  become another place on the Internet full of rants about the failings of
  Trump administration. In my drafts folder I have 33 posts, most of them
  finished, about the lack of leadership and failings of the administration.
  I'll almost certainly never post them.

  However, I cannot let the current storm over voting machines, and voting
  systems, and how the election was stolen from Trump pass without comment.

  Back in May 2005, I was part of a pilot program to vote online in the UK
  General Election. As one of IBM UK most senior technical architects at the
  time, I requested and received a copy of the technical design guidelines
  for the system. Everything from how the web server was set-up, to how the
  backend database would record the vote, the audit trails, the security
  etc.

https://markcathcart.com/2020/12/31/voting-systems-the-cherry-and-the-cream-ess/


A journalist had a seizure while playing Cyberpunk 2077. Then she helped change the game. (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 3 Jan 2021 02:39:21 -0500
"Cyberpunk 2077" publisher CD Projekt Red worked with Game Informer's Liana
Ruppert to alter certain sequences of the game following the reviewer's
seizure.

https://www.washingtonpost.com/video-games/2020/12/31/cyberpunk-2077-seizure/


Insecure wheels: Police turn to car data to destroy suspects' alibis (NBC News)

Gabe Goldberg <gabe@gabegold.com>
Sun, 3 Jan 2021 04:16:15 -0500
Looser privacy standards for vehicle data are a treasure chest of data for
law enforcement.

https://www.nbcnews.com/tech/tech-news/snitches-wheels-police-turn-car-data-destroy-suspects-alibis-n1251939


NYC prison website "bails out" (Gothamist)

Ed Ravin <eravin@panix.com>
Mon, 4 Jan 2021 21:14:44 -0500
The NYC Dept of Corrections Inmate Lookup Service website, which allows
detainees to post their own bail using a credit card, has been down since
December 19 (just over 2 weeks as of this writing).

At least one person has been stuck in jail as a result, because his family
could not travel to the Manhattan courthouse in person to pay the bail.

The web site is also used by attorneys to track their clients as they move
through the jail system, and by family members to deposit money into
prisoner's commissary funds. These functions are also unavailable.

https://gothamist.com/news/weeks-long-website-outage-makes-it-harder-rikers-island-detainees-post-bail


AI algorithms detect diabetic eye disease inconsistently (Medicalxpress.com)

Richard Stein <rmstein@ieee.org>
Thu, 7 Jan 2021 11:20:45 +0800
https://medicalxpress.com/news/2021-01-ai-algorithms-diabetic-eye-disease.html

"The researchers found that the algorithms don't perform as well as they
claim. Many of these companies are reporting excellent results in clinical
studies. But their performance in a real-world setting was
unknown. Researchers conducted a test in which the performance of each
algorithm and the performance of the human screeners who work in the VA
teleretinal screening system were all compared to the diagnoses that expert
ophthalmologists gave when looking at the same images. Three of the
algorithms performed reasonably well when compared to the physicians'
diagnoses and one did worse. But only one algorithm performed as well as the
human screeners in the test."

Diabetic retinopathy is a significant cause of blindness. The National Eye
Institute at the NIH compiles and estimates DR incidence by demographic:
age, ethnicity, gender, etc. Find the latest statistics, updated on
17NOV2020, at
https://www.nei.nih.gov/learn-about-eye-health/resources-for-health-educators/eye-health-data-and-statistics/diabetic-retinopathy-data-and-statistics

The NEI estimates ~7.4 million US persons were diagnosed with DR in 2010.
This number is projected to reach ~11 million by 2030.

The FDA's Total Product Lifecycle (TPLC) platform does not retrieve any
linkage to medical device reports (MDRs) from 01JAN2016 through 31DEC2020
for product code PIB assigned to classify DR diagnostic devices. This MDR
under-reporting deficit is notable.

The TPLC record lists only 1 device, the IDX-DR manufactured by IDX LLC.
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=4513&min_report_year=2016.

The company's De Novo classification request @
https://www.accessdata.fda.gov/cdrh_docs/reviews/DEN180001.pdf (retrieved on
07JAN2021) identifies false negative/positive risks and mitigations. The
evaluation states these findings, "The following summarizes the key
performance results of the IDx-DR study:

Sensitivity: 87%
Specificity: 90%
Imageability: 96%
PPV (Positive Predictive Value): 73%
NPV (Negative Predictive Value): 96%"

The performance numbers indicate that a significant patient population may
experience a false negative/positive diagnostic IDX-DR finding. An
ophthalmologist must review the IDX-DR's auto-diagnosis.
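
The arithmetic behind those five numbers, as an added example (not IDx or FDA code). Sensitivity and specificity are properties of the classifier; PPV and NPV also depend on how common the disease is among the people screened. The page does not quote the study prevalence, so the code back-solves the value implied by the reported 87/90/73 figures, and the 5% comparison prevalence is an assumed illustration, not a figure from the study. Imageability is a separate quantity and is not used here.

```python
"""Reading sensitivity/specificity/PPV/NPV together.

Added example; not IDx or FDA code.  The same algorithm produces very
different PPV in a referral clinic and in mass screening, because PPV and
NPV are functions of prevalence as well as of the classifier.
"""


def predictive_values(sensitivity: float, specificity: float,
                      prevalence: float) -> tuple:
    """(PPV, NPV) by Bayes' rule for a population with the given prevalence."""
    tp = sensitivity * prevalence
    fn = (1.0 - sensitivity) * prevalence
    fp = (1.0 - specificity) * (1.0 - prevalence)
    tn = specificity * (1.0 - prevalence)
    return tp / (tp + fp), tn / (tn + fn)


def implied_prevalence(sensitivity: float, specificity: float,
                       ppv: float) -> float:
    """Solve PPV = sens*p / (sens*p + (1-spec)*(1-p)) for the prevalence p.
    Used to back out a study prevalence the page does not quote."""
    return ppv * (1.0 - specificity) / (
        sensitivity * (1.0 - ppv) + ppv * (1.0 - specificity))


def expected_outcomes(n: int, sensitivity: float, specificity: float,
                      prevalence: float) -> dict:
    """Expected true/false positives and negatives per n screened patients
    (expected values, so not integers)."""
    pos = n * prevalence
    neg = n - pos
    return {
        "tp": sensitivity * pos,
        "fn": (1.0 - sensitivity) * pos,   # disease missed: the dangerous cell
        "fp": (1.0 - specificity) * neg,   # needless referral
        "tn": specificity * neg,
    }


if __name__ == "__main__":
    sens, spec = 0.87, 0.90                 # figures quoted from DEN180001 above
    p_study = implied_prevalence(sens, spec, 0.73)
    print(f"prevalence implied by PPV 73%: {p_study:.3f}")
    for p in (p_study, 0.05):               # 0.05 is an assumed comparison point
        ppv, npv = predictive_values(sens, spec, p)
        out = expected_outcomes(1000, sens, spec, p)
        print(f"prevalence {p:.3f}: PPV {ppv:.2f}  NPV {npv:.2f}  "
              f"per 1000 screened: missed {out['fn']:.0f}, "
              f"false referrals {out['fp']:.0f}")
```

The implied prevalence comes out near 24%, and at that prevalence the formulas also reproduce the reported NPV of about 96%, so the five quoted numbers are mutually consistent. At a lower prevalence the same classifier's PPV drops sharply while its NPV rises, which is the reason a single "accuracy" figure from a clinical study does not transfer to a different screening population.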


The Earth has been spinning faster lately (phys.org)

Richard Stein <rmstein@ieee.org>
Fri, 8 Jan 2021 10:31:27 +0800
https://phys.org/news/2021-01-earth-faster.html

"Adding a negative leap second could lead to problems, so some have
suggested shifting the world's clocks from solar time to atomic time."

This forum reports over 50 prior submissions on the subject of leap seconds.
I did not investigate if a negative leap second was previously applied to
timekeeping sources. Clock watchers take note!
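
What "problems" a negative leap second causes, as an added example (not from the article). Code that survived the 2016 leap second was typically patched to accept a 61st second; a negative leap second instead removes 23:59:59, so a timestamp that exists on every other day does not exist, and the day is 86,399 seconds long. The leap-second table below is constructed for the example: the 2016-12-31 entry matches the real positive leap second, the 2029 entry is hypothetical (no negative leap second has ever been scheduled), and real code should load the list from IERS Bulletin C or tzdata rather than a literal.

```python
"""Leap seconds, positive and negative, in a timestamp validator.

Added example; not from the article.  A positive leap second inserts
23:59:60.  A negative one deletes 23:59:59, which breaks any code that
only ever learned to *allow* an extra second.
"""
from datetime import date

# Constructed table for this example, keyed by the UTC date whose final
# minute is adjusted: +1 inserts 23:59:60, -1 deletes 23:59:59.
# 2016-12-31 matches the real positive leap second; 2029-06-30 is
# hypothetical.  Production code loads this from IERS Bulletin C / tzdata.
LEAP_SECONDS = {
    date(2016, 12, 31): +1,
    date(2029, 6, 30): -1,
}


def seconds_in_last_minute(d: date) -> int:
    return 60 + LEAP_SECONDS.get(d, 0)


def seconds_in_day(d: date) -> int:
    return 86400 + LEAP_SECONDS.get(d, 0)


def is_valid_utc(d: date, hour: int, minute: int, second: int) -> bool:
    """Sign-aware check: the 23:59 minute has 59, 60 or 61 seconds."""
    if not (0 <= hour < 24 and 0 <= minute < 60 and second >= 0):
        return False
    limit = seconds_in_last_minute(d) if (hour, minute) == (23, 59) else 60
    return second < limit


def is_valid_utc_positive_only(d: date, hour: int, minute: int,
                               second: int) -> bool:
    """The common post-2016 patch: allow second 60 on a leap day, never
    shorten a minute.  It accepts 2029-06-30 23:59:59, which would not
    exist, and also accepts a 23:59:60 that will never happen that day."""
    if not (0 <= hour < 24 and 0 <= minute < 60 and second >= 0):
        return False
    leap = (hour, minute) == (23, 59) and d in LEAP_SECONDS
    return second < (61 if leap else 60)


def seconds_since_midnight(d: date, hour: int, minute: int, second: int) -> int:
    """Elapsed UTC seconds within the day; refuses nonexistent timestamps."""
    if not is_valid_utc(d, hour, minute, second):
        raise ValueError(f"{d} {hour:02}:{minute:02}:{second:02} does not exist in UTC")
    return hour * 3600 + minute * 60 + second


if __name__ == "__main__":
    for d, hms in ((date(2016, 12, 31), (23, 59, 60)),
                   (date(2029, 6, 30), (23, 59, 59)),
                   (date(2021, 1, 8), (23, 59, 60))):
        print(d, hms, "valid:", is_valid_utc(d, *hms),
              "| positive-only patch says:", is_valid_utc_positive_only(d, *hms))
```

Anything that stores or parses the leap-second table as a set of dates, rather than dates with a sign, has the positive-only bug; so does any "seconds in a day" constant of 86400 or 86401 used for log rotation, certificate validity windows or replay-protection timestamps.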


Boeing to pay $2.5bn over 737 Max conspiracy (bbc.com)

Richard Stein <rmstein@ieee.org>
Fri, 8 Jan 2021 11:06:06 +0800
https://www.bbc.com/news/business-55582496

"The US Justice Department said the firm chose 'profit over candour',
impeding oversight of the planes, which were involved in two deadly crashes.

"About $500m will go to families of the 346 people killed in the tragedies.

"Boeing said the agreement acknowledged how the firm 'fell short'."

Ambrose Bierce's "Devil's Dictionary" defines "CORPORATION, n. An ingenious
device for obtaining individual profit without individual responsibility."
See https://www.gutenberg.org/files/972/972-h/972-h.htm#link2H_4_0004

Indemnification serves a unique role in contract law: it is used to protect
both the business entity and employees against product fault that
injures. Many business websites, via terms of service, routinely state
employee and corporate indemnification to shield their operations from
consequences arising from error, accident, or product issue.

Suppose, via contract law reform legislation, an indemnification exclusivity
restriction was introduced which requires corporations (business entities,
generally) that claim indemnification rights to apply to EITHER the entity
or its employees, but not both.

A change of this nature could introduce accountability for certain
organizational actions, traceable to employees, conspire to enable injury
not suppress it.

How would this hypothetical change impact a business entity or the US
economy? If the indemnification exclusivity restriction was enacted it might
deter certain organizational and individual conduct known to jeopardize
public health and safety.


American Airlines says flight attendants forced to deal with politically motivated aggression (WHDH)

Gabe Goldberg <gabe@gabegold.com>
Thu, 7 Jan 2021 23:44:03 -0500
(CNN) American Airlines says it is taking several new precautionary
measures, including no longer serving alcohol on flights to and from
Washington, DC, as one union reported several incidents during which flight
attendants were "forced to confront passengers exhibiting politically
motivated aggression towards other passengers and crew."

https://whdh.com/news/american-airlines-says-flight-attendants-forced-to-deal-with-politically-motivated-aggression-on-dc-flights/


Ticketmaster Pays Up for Hacking a Rival Company (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 8 Jan 2021 00:44:13 -0500
Ticketmaster has agreed to pay a $10 million criminal fine after admitting
its employees repeatedly used stolen passwords and other means to hack a
rival ticket sales company.

https://www.wired.com/story/ticketmaster-pays-up-hacking-rival-company/


Internet detectives are identifying scores of pro-Trump rioters at the Capitol. Some have already been fired. (Jaclyn Peiser)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 8 Jan 2021 12:21:13 -0700
Jaclyn Peiser, *The Washington Post*, 8 Jan 2021

https://www.washingtonpost.com/nation/2021/01/08/capitol-rioters-fired-doxed-online/

Excerpt:

  Since most of the rioters stormed the Capitol maskless, online detectives
  had a unique opportunity to easily identify them. And many made it even
  easier—they live-streamed their participation and later bragged about
  their escapades.

  Using journalists' photos and videos, as well as live-stream videos from
  rioters, untold Twitter users and Instagram accounts have been feverishly
  working since Wednesday to ID and name the participants who stormed the
  halls of the Capitol, ransacking lawmakers' offices and occupying the
  House Chamber.

   [This reminds me of Tom Lehrer's line from The Boy Scout's Song --
   Be Prepared: Don't write naughty words on walls if you can't spell.
   PGN]


Here's Why Car Thefts Are Soaring—Hint: Check Your Cup Holder (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Fri, 8 Jan 2021 23:47:15 -0500
https://www.nytimes.com/2021/01/06/nyregion/car-thefts-nyc.html


Why Markets Boomed in a Year of Human Misery (NYTimes)

David Farber <farber@keio.jp>
Sat, 2 Jan 2021 13:36:54 +0900
https://www.nytimes.com/2021/01/01/upshot/why-markets-boomed-2020.html


A Robotic Revolution for Urban Nature (Leeds)

ACM TechNews <technews-editor@acm.org>
Wed, 6 Jan 2021 12:31:59 -0500 (EST)
University of Leeds (UK), 5 Jan 2021 via ACM TechNews, 6 Jan 2021

An international team of more than 170 experts led by the UK's University of
Leeds evaluated the opportunities and challenges facing the use of robotic
technology for urban nature and green space. Former Leeds researcher Mark
Goddard said, "Understanding how robotics and autonomous systems will affect
our interaction with nature is vital for ensuring that our future cities
support wildlife that is accessible to all." Robotics, autonomous vehicles,
and drones could help reduce existing pollution and traffic congestion, but
they also might produce their own pollution, so cities may require
re-planning to accommodate them. Leeds' Martin Dallimer said, "We need to
make sure that the public, policymakers, and robotics developers are aware
of the potential pros and cons, so we can avoid detrimental consequences and
fully realize the benefits."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28c7dx227281x070785&


Re: Vaccines (RISKS-32.43)

Wols Lists <antlists@youngman.org.uk>
Fri, 1 Jan 2021 01:29:03 +0000
On 31/12/20 21:57, RISKS List Owner wrote:
> So far the vaccines that have been approved require two
> shots, with time between and after, so the "final minute" stretches to
> possibly two and a half months even after you get your first shot.

And the risk here? Listening to the news reports without understanding the
science.

As I understand it the FIRST dose is "fully effective" after three weeks,
and is in excess of 60% effective. That is, 6 out of 10 are protected
against the virus. Of the remaining 4, NONE of them are likely to get
seriously ill. So here in the UK the aim is to give as many people as
possible their first dose, and not worry about the second dose at the
moment.

The second dose raises protection to about 90%, and is believed also to
extend the period that immunity lasts, although there is less certainty
about that. But if, as all the evidence suggests, the first dose is
sufficient to prevent people from being hospitalised, then it's done its
job.

(aiui, CoVid is a cold virus, so hopefully it will soon settle into the
background, everyone will have had either the disease or a vaccine, and it
will do the rounds re-infecting everyone once a year or so, but residual
immunity from the previous bout will protect them from serious side
effects. Just like the existing cold viruses ...)


Re: "One Minute Left": Hockey, CoVID-19 ...vs hacking (RISKS-32.43)

Chris Drewe <e767pmk@yahoo.co.uk>
Sat, 2 Jan 2021 22:27:35 +0000
Coronavirus Vaccine Roll-Out

This has been mentioned in the newspapers already, for instance (including
RISKS's favourite phrase):

> Welcome to the year of the vaccine. What could possibly go wrong?

https://www.telegraph.co.uk/news/2020/12/31/welcome-year-vaccine-could-possibly-go-wrong/

As others have said, if we have to wait until 100% of the population have
been vaccinated then we'll be waiting forever, so at what point do we
consider the project to have been 'completed'?  I write as one in virtual
house arrest due to the current lockdown restrictions in my area.


Re: The U.S. Internet Is Being Starved of Its Potential (RISKS-32.43)

Henry Baker <hbaker1@pipeline.com>
Fri, 01 Jan 2021 09:03:25 -0800
I'm putting some effort into this reply, because I suspect that the new
administration is itching to make some multi-trillion-dollar infrastructure
'bridges to nowhere' mistakes. I love & support the EFF, but I think that
they need to rethink some of their arguments.

I attended a lot of fiber conferences in the 1990's and came close to making
several major investments in fiber tech companies and service
providers. Luckily, I didn't, and thereby avoided some catastrophic
financial losses.

Fiber is every bit as good as is claimed, and in many cases even better:
e.g., fiber can carry quantum information (for quantum key distribution),
which no traditional digital networks can handle.

So what's wrong? The same thing that's wrong with Flint, MI's leaded water
distribution system; the same thing that's wrong with pre-1978 apartments
still loaded with lead paint; the same thing that's wrong with an
electricity grid full of coal-fired and oil-fired power plants.  It's also
the same thing that's wrong with my pre-Internet house not being wired with
CAT5/6/7 cabling (nor obsolete multimode fiber).

There's an old IBM joke: "The reason that God was able to create the world
in seven days is that he didn't have to worry about the installed base".

If you want to build a fibered, sun-powered distributed-grid, leadless
world, it's cheaper to build brand new cities than attempting to retrofit the
old ones. UCLA found this out when it cost many times replacement cost to
earthquakeproof their existing campus—they did it anyhow for hysterical
reasons, but oops!—they did it without fiber, so these now
earthquake-resistant buildings aren't loaded with high-speed fiber.

Nature already knows this: the way to grow a new nervous and circulatory
system is to start from scratch. But the system being built is intimately
tied to the state of the technology art at the time of building, so that
wonderful state-of-the-art 2020 fiber is going to look pretty silly in 2100.

I watched European cities do a somewhat better job to get fibered: many
unexpected utilities stepped up to provide fiber right-of-way access,
including *sewer*, *transit*, and electrical power utilities. Many EU cities
*future-proofed* their infrastructure by not laying fiber itself, but by
installing *empty* plastic conduits through which more modern fiber could
later be installed by *air-blowing the fibers*.

In my local county, I tried to convince the Supervisors that they should
install empty fiber conduit *every time they dug a trench*.  The conduit is
so cheap relative to the cost of trenching, that even if 95% of this conduit
is *never used*, the county would still be way ahead of the game. I never
even got to first base.

The answer for the remainder of the 21st C. is radio—specifically
satellite networks—e.g., SpaceX's Starlink. The needed infrastructure can
be built in space, so that there's no infinite list of rights-of-way
holders to buy off. Is Starlink or equivalent as good as fiber?  No, but
it's a heck of a lot better than paying through the nose for TV cable
Internet, and I expect *competition* (!!!) in space-based Internet systems,
unlike fiber, which is still stuck playing 1930's Monopoly.

A standard complaint about space-based infrastructure: latency. But these
new satellite systems are low-Earth-orbit systems, and their latency is
based upon the speed of light in *free space*, while the latency of fiber is
based upon the speed of light in fiber, which is typically only ~2/3 the
speed of light in free space. (Yes, there are 'hollow core' fibers which
provide lower latencies, but the vast majority of fiber isn't 'hollow
core'.)

By the 22nd C., we'll have burrowing robots that may finally be able to lay
a hollow core fiber infrastructure *cheaply*. But let's not make the same
mistake that California is making by building 'high speed rail' systems that
go from nowhere to nowhere else; unless the fiber comes into your own home,
it won't matter to you.

Around 1990, when I still lived in Los Angeles, a fiber was laid down my
street right in front of my house (NOT by any of the TV cablecos).  I visit
the area every year or so, and even after 30 years, no home fiber
connections have ever been made. We don't want to repeat this experience 300
million times over.


Re: The U.S. Internet Is Being Starved of Its Potential (RISKS-32.43)

Chris Drewe <e767pmk@yahoo.co.uk>
Sat, 2 Jan 2021 22:27:35 +0000
Telecomms infrastructure costs

When I worked in telecomms, one of the problems was figuring out how to pay
for infrastructure costs; if you build a road you can charge tolls, but data
traffic is simultaneously expensive to pay for transporting and costs
nothing to carry.  The item is from the company where I worked in a
discussion about the costs of traveling by public transport vs. your own
car, in the sense that the car costs a lot to buy but the marginal cost of
using it is small, whereas you can pay a lot for a bus/train ticket but
nothing if you don't use it:

> This apportioned cost argument has proved to be a major pain in the rear
> at times. For example, our telecomms company bought some SDH [synchronous
> digital hierarchy] equipment a while back. It was cheaper, per unit
> capacity, than the older PDH equipment. But, being new, the SDH equipment
> had little actual usage, whilst the PDH equipment, having been around for
> a while, was full.

> After cost apportionment as you described [dividing cost by number of
> users], the result was that the small amount of traffic on SDH had to pay
> for all of the overheads on SDH, whilst the large amount of traffic on PDH
> paid the overheads for PDH. The result was that the empty, cheap SDH
> capacity was made 'more expensive' than the full, more expensive PDH
> capacity.

> People were therefore moving their circuits off the cheaper, empty SDH
> equipment onto the full, expensive PDH equipment because it saved them
> money! This prompted further PDH purchases.



Re: References to Netscape and Mozilla in Brexit trade agreement (RISKS-32.43)

Attila the Hun <attilathehun1900@tiscali.co.uk>
Fri, 1 Jan 2021 10:33:13 +0000
Gordon Lennox refers [RISKS 32.43] to the inclusion in the Brexit trade
agreement of references to decades-old computer software.

For context, this appears in ANNEX LAW-1: EXCHANGES OF DNA, FINGERPRINTS AND
VEHICLE REGISTRATION DATA.

The text was very possibly copied from paragraph 5.4. Protocols and
Standards to be used for encryption mechanism: s/MIME and related packages
of [EU] Council Decision 2008/616/JHA, dated 2008 - which I believe to be
the most 'up-to-date' on this topic to come from the European Commission
[says a lot!].

However, its inclusion in context might be defensible on the grounds that,
in exchanges of data between disparate bodies internationally, adopting the
lowest common denominator is a practical necessity.

It is also worth noting that parts (at least) of the UK's National Health
Service were likely still using Excel 2003 as late as mid-2020, some six
years after it went out of support.  Government upgrades IT at a glacial
rate.


Re: References to Netscape and Mozilla in Brexit trade agreement (RISKS-32.43)

Stanley Chow <stanley.chow@pobox.com>
Thu, 31 Dec 2020 20:08:12 -0500
Brexit deal mentions Netscape browser and Mozilla Mail.
The reason is not as stupid as one might think:

https://www.theregister.com/2020/12/31/brexitl_obsolete_tech_explained/
