Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I am aware of at least two YK21 bugs, being Y2K "window" patches that worked through 2020-12-31 and wrapped to 1921 last weekend, one confirmed and one semi-confirmed. (And quite a few other systems having problems on the first business day of the year that could be just normal new year policies for the new year issues, or Y2k21.) NWS GEMPAK graphical output for weather models (US) https://twitter.com/pmarshwx/status/1345178416765677569 > GEMPAK has a Y2K21 bug that we have been working on all day. > This mesoanalysis radar issue is one if the problems that has not been resolved. > The mosaic-ing code is producing files with years 1921 and are unusable. > ETA for fix remains unknown. (I'm looking at it now, it's fixed. Images are tagged with YYMMDD/HHMM "forecast valid" times, which apparently were expanded to YYYY for Y2K compliance somewhere ... with a 1921-2020 window.) Norwegian social welfare system(s) https://twitter.com/skogesT/status/1344579147495075840 Twitter translation by google: > There is certainly a corresponding Y2K / 2020/2021 bug in Infotrygd (the > case processing system NAV uses for, among other things, child benefit). > It is probably still Infotrygd that is used, such an error would not have > occurred in a new computer system. (This is a typical I-letter.) [Welcome back, Bill! We had not heard from you since RISKS-4.86 in May 1987. Between Iraq and a Hard Place [Protect Your Phalanx] (William D. Ricker) PGN]
The firm did not say what type of code was accessed and said no changes to the code were made. https://www.washingtonpost.com/national-security/microsoft-russian-hackers-source-coce/2020/12/31/a9b4f7cc-4b95-11eb-839a-cf4ba7b7c48c_story.html
Goal of Intrusion Still Unknown: Was it for spying or to insert hidden traps? [or both and still more? PGN] David E. Sanger, Nicole Perlroth and Julian E. Barnes *The New York Times*, 3 Jan 2021
Julian E. Barnes, Charlie Savage, and Adam Goldman, *The New York Times*, 9 Jan 2021, Page A18 in the national edition The analytic ombudsman of the ODNI Barry A. Zulauft found "there was a loss of objectivity" and politicization in last year's threat reporting. A briefing to Congress omitted many findings of the Intelligence community's analysis of Kremlin activities leading up to the 2020 election. [Why are we not surprised? Half-page article. PGN-ed]
I've really stopped blogging as I didn’t want this blog to just become another place on the Internet full of rants about the failings of Trump administration. In my drafts folder I have 33 posts, most of them finished, about the lack of leadership and failings of the administration. I'll almost certainly never post them. However, I cannot let the current storm over voting machines, and voting systems, and how the election was stolen from Trump pass without comment. Back in May 2005, I was part of a pilot program to vote online in the UK General Election. As one of IBM UK most senior technical architects at the time, I requested and received a copy of the technical design guidelines for the system. Everything from how the web server was set-up, to how the backend database would record the vote, the audit trails, the security etc. https://markcathcart.com/2020/12/31/voting-systems-the-cherry-and-the-cream-ess/
"Cyberpunk 2077" publisher CD Projekt Red, worked with Game Informer's Liana Ruppert to alter certain sequences of the game following the reviewer's seizure. https://www.washingtonpost.com/video-games/2020/12/31/cyberpunk-2077-seizure/
Looser privacy standards for vehicle data are a treasure chest of data for law enforcement. https://www.nbcnews.com/tech/tech-news/snitches-wheels-police-turn-car-data-destroy-suspects-alibis-n1251939
The NYC Dept of Corrections Inmate Lookup Service website, which allows detainees to post their own bail using a credit card, has been down since December 19 (just over 2 weeks as of this writing). At least one person has been stuck in jail as a result, because his family could not travel to the Manhattan courthouse in person to pay the bail. The web site is also used by attorneys to track their clients as they move through the jail system, and by family members to deposit money into prisoner's commissary funds. These functions are also unavailble. https://gothamist.com/news/weeks-long-website-outage-makes-it-harder-rikers-island-detainees-post-bail
https://medicalxpress.com/news/2021-01-ai-algorithms-diabetic-eye-disease.html "The researchers found that the algorithms don't perform as well as they claim. Many of these companies are reporting excellent results in clinical studies. But their performance in a real-world setting was unknown. Researchers conducted a test in which the performance of each algorithm and the performance of the human screeners who work in the VA teleretinal screening system were all compared to the diagnoses that expert ophthalmologists gave when looking at the same images. Three of the algorithms performed reasonably well when compared to the physicians' diagnoses and one did worse. But only one algorithm performed as well as the human screeners in the test." Diabetic retinopathy is a significant cause of blindness. The National Eye Institute at the NIH compiles and estimates DR incidence by demographic: age, ethnicity, gender, etc. Find the latest statistics, updated on 17NOV2020, at https://www.nei.nih.gov/learn-about-eye-health/resources-for-health-educators/eye-health-data-and-statistics/diabetic-retinopathy-data-and-statistics The NEI estimates ~7.4 million US persons were diagnosed with DR in 2010. This number is projected to reach ~11 million by 2030. The FDA's Total Product Lifecycle (TPLC) platform does not retrieve any linkage to medical device reports (MDRs) from 01JAN2016 through 31DEC2020 for product code PIB assigned to classify DR diagnostic devices. This MDR under-reporting deficit is notable. The TPLC record lists only 1 device, the IDX-DR manufactured by IDX LLC. https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=4513&min_report_year=2016. The company's De Novo classification request @ https://www.accessdata.fda.gov/cdrh_docs/reviews/DEN180001.pdf (retrieved on 07JAN2021) identifies false negative/positive risks and mitigations. The evaluation states these findings, "The following summarizes the key performance results of the IDx-DR study: Sensitivity: 87% Specificity: 90% Imageability: 96% PPV (Positive Predictive Value): 73% NPV (Negative Predictive Value): 96%" The performance numbers indicate that a significant patient population may experience an false negative/positive diagnostic IDX-DR finding. An ophthalmologist must review the IDX-DR's auto-diagnosis.
https://phys.org/news/2021-01-earth-faster.html "Adding a negative leap second could lead to problems, so some have suggested shifting the world's clocks from solar time to atomic time." This forum reports over 50 prior submissions on the subject of leap seconds. I did not investigate if a negative leap second was previously applied to timekeeping sources. Clock watchers take note!
https://www.bbc.com/news/business-55582496 "The US Justice Department said the firm chose 'profit over candour', impeding oversight of the planes, which were involved in two deadly crashes. "About $500m will go to families of the 346 people killed in the tragedies. "Boeing said the agreement acknowledged how the firm 'fell short'." Ambrose Bierce's "Devil's Dictionary" defines "CORPORATION, n. An ingenious device for obtaining individual profit without individual responsibility." See https://www.gutenberg.org/files/972/972-h/972-h.htm#link2H_4_0004 Indemnification serves a unique role in contract law: it is used to protect both the business entity and employees against product fault that injures. Many business websites, via terms of service, routinely state employee and corporate indemnification to shield their operations from consequences arising from error, accident, or product issue. Suppose, via contract law reform legislation, an indemnification exclusivity restriction was introduced which requires corporations (business entities, generally) that claim indemnification rights to apply to EITHER the entity or its employees, but not both. A change of this nature could introduce accountability for certain organizational actions, traceable to employees, conspire to enable injury not suppress it. How would this hypothetical change impact a business entity or the US economy? If the indemnification exclusivity restriction was enacted it might deter certain organizational and individual conduct known to jeopardize public health and safety.
(CNN) American Airlines says it is taking several new precautionary measures, including no longer serving alcohol on flights to and from Washington, DC, as one union reported several incidents during which flight attendants were “forced to confront passengers exhibiting politically motivated aggression towards other passengers and crew.'' https://whdh.com/news/american-airlines-says-flight-attendants-forced-to-deal-with-politically-motivated-aggression-on-dc-flights/
Ticketmaster has agreed to pay a $10 million criminal fine after admitting its employees repeatedly used stolen passwords and other means to hack a rival ticket sales company. https://www.wired.com/story/ticketmaster-pays-up-hacking-rival-company/
Jaclyn Peiser, *The Washington Post*, 8 Jan 2021 https://www.washingtonpost.com/nation/2021/01/08/capitol-rioters-fired-doxed-online/ Excerpt: Since most of the rioters stormed the Capitol maskless, online detectives had a unique opportunity to easily identify them. And many made it even easier—they live-streamed their participation and later bragged about their escapades. Using journalists' p photos and videos, as well as live-stream videos from rioters, untold Twitter users and Instagram accounts have been feverishly working since Wednesday to ID and name the participants who stormed the halls of the Capitol, ransacking lawmakers' offices and occupying the House Chamber. [This reminds me of Tom Lehrer's line from The Boy Scout's Song -- Be Prepared: Don't write naughty words on walls if you can't spell. PGN]
University of Leeds (UK), 5 Jan 2021 via ACM TechNews, 6 Jan 2021 An international team of more than 170 experts led by the UK's University of Leeds evaluated the opportunities and challenges facing the use of robotic technology for urban nature and green space. Former Leeds researcher Mark Goddard said, "Understanding how robotics and autonomous systems will affect our interaction with nature is vital for ensuring that our future cities support wildlife that is accessible to all." Robotics, autonomous vehicles, and drones could help reduce existing pollution and traffic congestion, but they also might produce their own pollution, so cities may require re-planning to accommodate them. Leeds' Martin Dallimer said, "We need to make sure that the public, policymakers, and robotics developers are aware of the potential pros and cons, so we can avoid detrimental consequences and fully realize the benefits." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28c7dx227281x070785&
On 31/12/20 21:57, RISKS List Owner wrote: > So far the vaccines that have been approved require two > shots, with time between and after, so the "final minute" stretches to > possibly two and a half months even after you get your first shot. And the risk here? Listening to the news reports without understanding the science. As I understand it the FIRST dose is "fully effective" after three weeks, and is in excess of 60% effective. That is, 6 out of 10 are protected against the virus. Of the remaining 4, NONE of them are likely to get seriously ill. So here in the UK the aim is to give as many people as possible their first dose, and not worry about the second dose at the moment. The second dose raises protection to about 90%, and is believed also to extend the period that immunity lasts, although there is less certainty about that. But if, as all the evidence suggests, the first dose is sufficient to prevent people from being hospitalised, then it's done its job. (aiui, CoVid is a cold virus, so hopefully it will soon settle into the background, everyone will have had either the disease or a vaccine, and it will do the rounds re-infecting everyone once a year or so, but residual immunity from the previous bout will protect them from serious side effects. Just like the existing cold viruses ...)
Coronavirus Vaccine Roll-Out This has been mentioned in the newspapers already, for instance (including RISKS's favourite phrase): > Welcome to the year of the vaccine. What could possibly go wrong? https://www.telegraph.co.uk/news/2020/12/31/welcome-year-vaccine-could-possibly-go-wrong/ As others have said, if we have to wait until 100% of the population have been vaccinated then we'll be waiting forever, so at what point do we consider the project to have been 'completed'? I write as one in virtual house arrest due to the current lockdown restrictions in my area.
I'm putting some effort into this reply, because I suspect that the new administration is itching to make some multi-trillion-dollar infrastructure 'bridges to nowhere' mistakes. I love & support the EFF, but I think that they need to rethink some of their arguments. I attended a lot of fiber conferences in the 1990's and came close to making several major investments in fiber tech companies and service providers. Luckily, I didn't, and thereby avoided some catastrophic financial losses. Fiber is every bit as good as is claimed, and in many cases even better: e.g., fiber can carry quantum information (for quantum key distribution), which no traditional digital networks can handle. So what's wrong? The same thing that's wrong with Flint, MI's leaded water distribution system; the same thing that's wrong with pre-1978 apartments still loaded with lead paint; the same thing that's wrong with an electricity grid full of coal-fired and oil-fired power plants. It's also the same thing that's wrong with my pre-Internet house not being wired with CAT5/6/7 cabling (nor obsolete multimode fiber). There's an old IBM joke: "The reason that God was able to create the world in seven days is that he didn't have to worry about the installed base". If you want to build a fibered, sun-powered distributed-grid, leadless world, its cheaper to build brand new cities than attempting to retrofit the old ones. UCLA found this out when it cost many times replacement cost to earthquakeproof their existing campus—they did it anyhow for hysterical reasons, but oops!—they did it without fiber, so these now earthquake-resistant buildings aren't loaded with high-speed fiber. Nature already knows this: the way to grow a new nervous and circulatory system is to start from scratch. But the system being built is intimately tied to the state of the technology art at the time of building, so that wonderful state-of-the-art 2020 fiber is going to look pretty silly in 2100. I watched European cities do a somewhat better job to get fibered: many unexpected utilities stepped up to provide fiber right-of-way access, including *sewer*, *transit*, and electrical power utilities. Many EU cities *future-proofed* their infrastructure by not laying fiber itself, but by installing *empty* plastic conduits through which more modern fiber could later be installed by *air-blowing the fibers*. In my local county, I tried to convince the Supervisors that they should install empty fiber conduit *every time they dug a trench*. The conduit is so cheap relative to the cost of trenching, that even if 95% of this conduit is *never used*, the county would still be way ahead of the game. I never even got to first base. The answer for the remainder of the 21st C. is radio—specifically satellite networks—e.g., SpaceX's Starlink. The needed infrastructure can be built in space, so that there's no infinite list of rights-of- way holders to buy off. Is Starlink or equivalent as good as fiber? No, but it's a heck of a lot better than paying through the nose for TV cable Internet, and I expect *competition* (!!!) in space-based Internet systems, unlike fiber, which is still stuck playing 1930's Monopoly. A standard complaint about space-based infrastructure: latency. But these new satellite systems are low-Earth-orbit systems, and their latency is based upon the speed of light in *free space*, while the latency of fiber is based upon the speed of light in fiber, which is typically only ~2/3 the speed of light in free space. (Yes, there are 'hollow core' fibers which provide lower latencies, but the vast majority of fiber isn't 'hollow core'.) By the 22nd C., we'll have burrowing robots that may finally be able to lay a hollow core fiber infrastructure *cheaply*. But let's not make the same mistake that California is making by building 'high speed rail' systems that go from nowhere to nowhere else; unless the fiber comes into your own home, it won't matter to you. Around 1990, when I still lived in Los Angeles, a fiber was laid down my street right in front of my house (NOT by any of the TV cablecos). I visit the area every year or so, and even after 30 years, no home fiber connections have ever been made. We don't want to repeat this experience 300 million times over.
Telecomms infrastructure costs When I worked in telecomms, one of the problems was figuring out how to pay for infrastructure costs; if you build a road you can charge tolls, but data traffic is simultaneously expensive to pay for transporting and costs nothing to carry. The item is from the company where I worked in a discussion about the costs of traveling by public transport vs. your own car, in the sense that the car costs a lot to buy but the marginal cost of using it is small, whereas you can pay a lot for a bus/train ticket but nothing if you don't use it: > This apportioned cost argument has proved to be a major pain in the rear > at times. For example, our telecomms company bought some SDH [synchronous > digital hierarchy] equipment a while back. It was cheaper, per unit > capacity, than the older PDH equipment. But, being new, the SDH equipment > had little actual usage, whilst the PDH equipment, having been around for > a while, was full. > After cost apportionment as you described [dividing cost by number of > users], the result was that the small amount of traffic on SDH had to pay > for all of the overheads on SDH, whilst the large amount of traffic on PDH > paid the overheads for PDH. The result was that the empty, cheap SDH > capacity was made 'more expensive' than the full, more expensive PDH > capacity. > People were therefore moving their circuits off the cheaper, empty SDH > equipment onto the full, expensive PDH equipment because it saved them > money! This prompted further PDH purchases. https://www.telegraph.co.uk/news/2020/12/31/welcome-year-vaccine-could-possibly-go-wrong/
Gordon Lennox refers [RISKS 32.43] to the inclusion in the Brexit trade agreement of references to decades-old computer software. For context, this appears in ANNEX LAW-1: EXCHANGES OF DNA, FINGERPRINTS AND VEHICLE REGISTRATION DATA. The text was very possibly copied from paragraph 5.4. Protocols and Standards to be used for encryption mechanism: s/MIME and related packages of [EU] Council Decision 2008/616/JHA, dated 2008 - which I believe to be the most 'up-to-date' on this topic to come from the European Commission [says a lot!]. However, its inclusion in context might be defensible on the grounds that, in exchanges of data between disparate bodies internationally, adopting the lowest common denominator is a practical necessity. It is also worth noting that parts (at least) of the UK's National Health Service were likely still using Excel 2003 as late as mid-2020, some six years after it went out of support. Government upgrades IT at a glacial rate.
Brexit deal mentions Netscape browser and Mozilla Mail. The reason is not as stupid as one might think: https://www.theregister.com/2020/12/31/brexitl_obsolete_tech_explained/
Please report problems with the web pages to the maintainer