The RISKS Digest
Volume 32 Issue 50

Friday, 19th February 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Texas vs FERC's "best practices" for anticipating disasters
PGN
U.S. Water Supply Has Few Protections Against Hacking
WSJ
Python wheel-jacking in supply chain attacks
VDOO
A Windows Defender Vulnerability Lurked Undetected for 12 Years
WiReD
Mercedes-Benz cars giving out *wrong* location info
Car and Driver Magazine
Growing size of vehicle screens sparks safety concerns
The Center for Auto Safety
Forget Self-Driving Cars: the Pentagon Wants Autonomous Ships, Choppers, and Jets
WSJ
California DMV suffers massive third-party data breach
TechCrunch
Researcher hacks over 35 tech firms in novel supply chain attack
Ax Sharma
How faster Internet is being blocked by politics and poverty throughout the eastern U.S.
CNET
'Spy pixels in emails have become endemic'
BBC News
Google has bowed to pressure and will make 'significant' payments to Rupert Murdoch's News Corp
Business Insider
The losers in the news battle
Lauren Weinstein
Fixing Chrome 88's suddenly broken custom search-engine behavior
Lauren Weinstein
Facebook blocks news in Australia over government's payment rules
Dylan Byers
Woke teachers want Shakespeare cut from curriculum: 'This is about White supremacy'
Washington Times
Facebook to Label Climate Change Posts Like Covid, Vote Content
Yahoo!
France Ties Russia's Sandworm to a Multiyear Hacking Spree
WiReD
Citibank can't get back $900 million it wired by mistake
CNN
Incredibly poor software design costs Citigroup $500M
Matt Levine
Climate Change Could Shred Guitars Known for Shredding
Scientific American
Data breach warning after California DMV contractor hit by file-stealing ransomware
TechCrunch
Entitled People Are More Likely To Be Angry at Bad Luck
Scientific American
Who Should Stop Unethical AI?
Matthew Hutson
AI may mistake chess discussions as racist talk
Techxplore
"Holy cow. Bitcoin is using half a percent of all the world's electricity?"
geoff goodfellow
Nvidia limits crypto-mining on new graphics card
msn.com
The IRS Cashed Her Check, Then the Late Notice Started Coming
ProPublica
Authorities have taken down the dark web's largest illegal marketplace vendor
The Verge
U.S. election cybersecurity
CDT
People answer scientists' queries in real time while dreaming
Scientific American
How Oracle Sells Repression in China
The Intercept
The Untold History of America's Zero-Day Market
WiReD
"Vaccine" passport?
Rob Slade
Man offered vaccine after error lists him as 6.2cm tall
BBC
Gorilla COVID risks
CNN
Japanese contact tracing software of Covid-19 patient on Android did not work for four months
Kyodo News
Bruce Schneier's CRYPTO-GRAM, 15 Feb 2021
PGN
Re: Calling All Ham Radio Operators
Bob Wilson
Info on RISKS (comp.risks)

Texas vs FERC's "best practices" for anticipating disasters

Peter Neumann <neumann@csl.sri.com>
Fri, 19 Feb 2021 10:49:28 PST
Richard Parker,
Texas Could Have Kept the Lights On:
  The state's powerful [sic] utilities failed to prepare for the worst
Editorial, *The New York Times*, 18 Feb 2021
https://www.nytimes.com/2021/02/17/opinion/texas-blackout-energy-abbott.html

Paul Krugman,
Texas, Land of Wind and Lies:
  When post-truth politics meets energy policy, the outlook is bleak
Editorial, *The New York Times*, 19 Feb 2021

PGN's mini-editorial for RISKS:

Many of the lessons from 35 years of the ACM Risks Forum have been massively
ignored in Texas, in this case resulting in massive power outages with no
potable water, and added difficulties for COVID-19 vaccines that needed deep
refrigeration.  The lessons from dozens of previous propagating outages
have been partially addressed in other states, with considerable diminution
in massively cascading multi-state fiascoes over time.  However, the earlier
notion of having spare electricity to share with other regions has been
deprecated, which could otherwise help out in emergencies.  Furthermore,
Texas's desire to go it alone has seriously backfired, especially in that
there were explicit warnings from the Federal Emergency Regulatory
Commission that extensive cold-hardening was needed after a serious cold
snap in 2011 that affected millions with no power—evidently ignored
without any sensible system engineering for resilience.  The Texas disaster
clearly violates the Albert Einstein principle: Everything should be made as
simple as possible but no simpler.  This is a horrible example of "much too
simple".  As usual, the blame can be widely distributed, but in this case
most of it is mercilessly self-inflicted.  Furthermore, the incredible
fantasy of the Governor and others in blaming this disaster on alternative
energy sources such as wind power borders on insanity.

In this case, even the "best practices" recommended by FERC a decade ago may
not have been good enough, but could have avoided much of the effects of
this disaster.

The loss of the Challenger shuttle was another example of a lesson to be
learned in anticipating cold weather (e.g., RISKS-5.78 and 5.80).  What made
that particularly unfortunate was that Roger Boisjoly had explicitly warned
not to launch in freezing weather because it was known that the O-rings
might not hold.  Thus, in that case the risks were known in advance, but not
adequately considered. (See RISKS-12.40 for more on that.)

In our RISKS-related archives is also a major six-week complete power-outage
disaster in Quebec in the winter of 1996-1997 when transmission towers froze
and collapsed from the weight of ice under the prolonged hard freeze, and
the outage lasted for months.  Water was also a relevant issue there as in
Texas, because there were no available public water sources during the
entire outage.  (Surely, cold weather was not a surprise there.)


Python wheel-jacking in supply chain attacks (VDOO)

geoff goodfellow <geoff@iconia.com>
Thu, 18 Feb 2021 10:26:45 -1000
Recently, a novel supply-chain attack was published by security researcher
Alex Birsan, detailing how dependency confusion (or "name-squatting") in
package managers can be misused in order to execute malicious code on
production and development systems.

In short, most package managers such as pip and npm do not distinguish
between internal packages (hosted on internal company servers) and external
ones (hosted on public servers). [...]
https://www.vdoo.com/blog/python-wheel-jacking-supply-chain-attacks


U.S. Water Supply Has Few Protections Against Hacking (WSJ)

geoff goodfellow <geoff@iconia.com>
Sat, 13 Feb 2021 09:25:54 -1000
Vulnerabilities highlighted after cyber intruder tampered with treatment
plant in Florida

A Florida city whose water system was hacked last week said Friday that it
completed a federally mandated security-risk assessment three months ago,
but hadn't yet integrated the findings into its emergency plans.

The hacking incident—occurring after a security review—has thrown into
stark relief a vulnerability of the more than 50,000 community water systems
that supply most Americans with their drinking water: they don't have to
meet any national standard for cybersecurity.

That is in contrast to electric utilities, which have had to meet
increasingly stringent rules since 2008 for the physical and cybersecurity
of key assets and, more recently, for parts of their supply chains. Rules
for the electric industry are reinforced by monetary penalties for
violations.

On Feb. 5, an engineer at a water treatment plant in Oldsmar, Fla., in
Pinellas County, detected that a hacker had accessed the facility's control
system and attempted to increase the amount of lye used to treat the water
to a potentially dangerous level. The control engineer witnessed the
tampering, as a ghostly hand moved a cursor over his screen, and he reversed
it immediately, officials said. But the episode highlighted how few
protections are mandated to defend the U.S. water supply.

The incident comes as officials warn about the growing sophistication and
brazenness of attacks on critical infrastructure. Many attacks are never
publicly revealed, but The Wall Street Journal identified targets in a
Russian campaign in 2017 to pierce electric-utility defenses, by first
penetrating trusted suppliers, and another effort in 2019 by unidentified
hackers who targeted electric utilities in at least 18 states.

More recently, the government has said the sprawling SolarWinds hack,
disclosed in December, compromised more than half a dozen federal agencies
including the State, Commerce and Treasury departments, and critical
infrastructure organizations—whose names, as yet, haven't been revealed.

The federal government took a small step toward addressing the problem of
insufficient cyber-defenses in the water industry in 2018 with passage of
the America's Water Infrastructure Act. The law requires water providers
serving about 80% of the U.S. population to do security-risk reviews and
integrate findings into their emergency plans.

The biggest water providers were required to complete that work last year,
and all but 10 of 542 organizations complied, according to the Environmental
Protection Agency. But nearly 9,000 smaller suppliers—including the water
department in Oldsmar—have until the end of this year to complete their
reviews and implement findings.

The smallest of suppliers—the 40,000 organizations with fewer than 3,300
customers, each—are exempt.

Even though water systems must certify completion of their work to the EPA,
they aren't required to share copies of their work product with the agency.
As a result, the EPA doesn't actually assess the quality of their action.
Because the agency doesn't possess the documents, they are effectively
beyond the reach of federal public-records law.  [...]

Federal officials advised water utilities this week to take a hard look at
remote access tools, which have been especially popular during the
pandemic. Industry experts said many improvements can be made at little or
no expense—such as enforcing password protection and utilizing encryption
and firewalls—but that small utilities struggle with things as simple as
cyber training.

The Federal Bureau of Investigation, which is investigating the intrusion,
said it has probed other incidents in which desktop sharing software was
used as an attack vector against critical infrastructure providers.

Cybersecurity experts said preliminary information about the Oldsmar water
department—such as that employees shared a single password on TeamViewer
-- suggested broader security problems.

The Water Information Sharing and Analysis Center, a nonprofit clearinghouse
for threat information geared to water suppliers, said the incident appeared
to be “more opportunistic than sophisticated,'' partly because the intruder
didn't attempt to hide the fact he was messing with the chemical delivery
system.

Christopher Krebs, former director of the Cybersecurity and Infrastructure
Security Agency, said in congressional testimony Wednesday that it is
possible the intruder was a disgruntled employee or a foreign actor.
“That's why we do investigations,'' he said, adding that the municipal
utility's defenses were “not where anybody, any operational security
professional would like for that security posture to be.''

Unfortunately, he added, “Oldsmar is probably the rule rather than the
exception.''

He urged Congress to consider offering the industry more financial
assistance to make cyber upgrades.

An EPA official said the agency estimates that $750 billion is needed to
replace pipes, upgrade water treatment facilities and improve
cyber-preparedness at water utilities, a big lift.

Kevin Morley, manager of federal relations for the American Water Works
Association, an industry group, said that $10 million was authorized in 2018
to help small utilities pay for security upgrades but Congress never
appropriated the money. There are other federal programs that provide grants
and low-interest loans.

https://www.wsj.com/articles/u-s-water-supply-has-few-protections-against-hacking-11613154238


A Windows Defender Vulnerability Lurked Undetected for 12 Years (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 13 Feb 2021 13:58:07 -0500
Microsoft has finally patched the bug in its antivirus program after
researchers spotted it last fall.

Just because a vulnerability is old doesn't mean it's not useful.  Whether
it's Adobe Flash hacking or the EternalBlue exploit for Windows, some
methods are just too good for attackers to abandon, even if they're years
past their prime. But a critical 12-year-old bug in Microsoft's ubiquitous
Windows Defender antivirus was seemingly overlooked by attackers and
defenders alike until recently. Now that Microsoft has finally patched it,
the key is to make sure hackers don't try to make up for lost time.

https://www.wired.com/story/windows-defender-vulnerability-twelve-years/


Mercedes-Benz cars giving out *wrong* location info (Car and Driver Magazine)

danny burstein <dannyb@panix.com>
Mon, 15 Feb 2021 17:56:45 +0000 ()
Mercedes-Benz is recalling almost 1.3 million vehicles from the 2016 through
2021 model years to fix a problem with the communication module for the
eCall emergency call system. Affected vehicles could indicate the wrong
location to emergency services when used in case of an incident on the road.
[...]

The National Highway Traffic Safety Administration (NHTSA), in its recall
notice, says the problem is expected to affect 100 percent of the 1,292,258
Mercedes-Benz and Mercedes-AMG vehicles subject to the recall by
Mercedes-Benz USA.

https://www.caranddriver.com/news/a35498170/mercedes-benz-emergency-call-system-recall/


Growing size of vehicle screens sparks safety concerns (The Center for Auto Safety)

Gabe Goldberg <gabe@gabegold.com>
Sun, 14 Feb 2021 21:18:13 -0500
Mercedes is unveiling a 56-inch smart screen in one of its cars later this
year, part of a new trend safety groups say could pose real dangers on the
road.

https://www.autosafety.org/growing-size-of-vehicle-screens-sparks-safety-concerns/


Forget Self-Driving Cars: the Pentagon Wants Autonomous Ships, Choppers, and Jets (WSJ)

ACM TechNews <technews-editor@acm.org>
Wed, 17 Feb 2021 13:05:51 -0500 (EST)
Andy Pasztor, *The Wall Street Journal*, 13 Feb 2021
via ACM TECHNEWS, Wednesday, February 17, 2021

The Pentagon is pushing for increased use of automation in the
U.S. military, outpacing efforts in commercial automation as officials aim
to counter technological advances among adversaries. These autonomous
technologies are expected to emerge in future civilian aircraft, air traffic
control systems, and drone applications, but unlike commercial automation,
there are concerns about the lack of regulation over the Pentagon's
initiatives. While these advanced systems will not be deployed immediately,
the recent $740 billion defense authorization bill includes provisions to
expand and promote automation across the military. Military projects in the
works include pairing an autonomous jet fighter with a traditional one in
mock dogfights and using autonomous helicopters to deliver supplies to
remote outposts, an autonomous vehicle for transporting ground troops,
undersea vehicles to carry cargo and gather intelligence, and artificial
intelligence to assume the role of a U-2 reconnaissance plane pilot for
navigation.


California DMV suffers massive third-party data breach (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Thu, 18 Feb 2021 07:53:51 -0800
https://techcrunch.com/2021/02/18/california-motor-vehicles-afts-ransomware/


Researcher hacks over 35 tech firms in novel supply chain attack (Ax Sharma)

ACM TechNews <technews-editor@acm.org>
Wed, 17 Feb 2021 13:05:51 -0500 (EST)
Ax Sharma, BleepingComputer, 9 Feb 2021
via ACM TECHNEWS, Wednesday, February 17, 2021

Security researcher Alex Birsan launched a novel software supply chain
attack that breached the internal systems of more than 35 major companies,
including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and
Uber. The attack involved uploading malware to open source repositories like
PyPI, npm, and RubyGems, which then was distributed downstream automatically
into the company's internal applications. The attack did not need action by
the victim, unlike traditional typo-squatting or brandjacking attacks,
instead taking advantage of dependency confusion, a unique design flaw of
open-source ecosystems. Birsan explained that "vulnerabilities or design
flaws in automated build or installation tools may cause public dependencies
to be mistaken for internal dependencies with the exact same name." Birsan
has earned more than $130,000 from bug bounty programs and pre-approved
penetration testing arrangements for his research.
https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
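As an added illustration of the dependency-confusion mechanism described in this item and in the VDOO item above (example code written for this digest, not from either article or from Birsan's research), the following Python models how pip pools candidates from an extra index and picks the highest version, and how restricting resolution to a single private index removes the public candidate. The package names, versions and index contents are constructed, the version ordering is a numeric simplification of PEP 440, and tie-breaking toward the private index is a modelling choice, not pip's documented behaviour.

```python
from typing import Dict, List, Tuple

Index = Dict[str, List[str]]  # package name -> versions the index offers

# Constructed sample data: the private index is a company proxy that also
# mirrors "requests"; "acme-billing" is internal, but a same-named package
# has been published on the public index with a deliberately huge version.
PRIVATE_INDEX: Index = {
    "acme-billing": ["1.2.0", "1.3.0"],
    "requests": ["2.25.1"],
}
PUBLIC_INDEX: Index = {
    "acme-billing": ["99.0.0"],
    "requests": ["2.25.1"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only version ordering (a simplification of PEP 440)."""
    return tuple(int(part) for part in v.split("."))


def resolve(name: str, private: Index, public: Index,
            extra_index: bool) -> Tuple[str, str]:
    """Return (version, source) for the candidate pip would pick.

    extra_index=True models ``pip install --extra-index-url <public>``:
    candidates from both indexes are pooled and the highest version wins,
    regardless of which index serves it.  extra_index=False models
    ``--index-url <private>`` with the public index never consulted.
    On equal versions the private candidate is preferred (the 1/0 flag).
    """
    candidates = [(parse_version(v), 1, v, "private")
                  for v in private.get(name, [])]
    if extra_index:
        candidates += [(parse_version(v), 0, v, "public")
                       for v in public.get(name, [])]
    if not candidates:
        raise LookupError(f"no distribution found for {name}")
    _, _, version, source = max(candidates)
    return version, source


def find_confusable(private: Index, public: Index) -> List[str]:
    """Internal names that a pooled resolution would fetch from the public
    index instead: same name there, and a strictly higher version."""
    hits = []
    for name, versions in private.items():
        if name not in public or not versions or not public[name]:
            continue
        if max(map(parse_version, public[name])) > max(map(parse_version, versions)):
            hits.append(name)
    return hits


def main() -> None:
    for mode in (True, False):
        label = "--extra-index-url" if mode else "--index-url (private only)"
        for pkg in ("acme-billing", "requests"):
            version, source = resolve(pkg, PRIVATE_INDEX, PUBLIC_INDEX, mode)
            print(f"{label:28} {pkg:14} -> {version} from {source}")
    print("names at risk of confusion:", find_confusable(PRIVATE_INDEX, PUBLIC_INDEX))


if __name__ == "__main__":
    main()
```

Running it shows the internal name resolving to the public 99.0.0 only in the pooled mode, which is the condition find_confusable flags.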


How faster Internet is being blocked by politics and poverty throughout the eastern U.S. (CNET)

geoff goodfellow <geoff@iconia.com>
Thu, 18 Feb 2021 12:10:41 -1000
*Biden's broadband plan faces a serious test case in Appalachia's digital
divide, where a potent mix of extreme poverty, lack of infrastructure and
poor data present tremendous hurdles to the president's dream of closing the
broadband gap.*

For one public school teacher in Laurel County, Kentucky, proper education
means making a painful and difficult decision. While her home is connected
to AT&T's U-Verse Internet service, it's only fast enough to support one
person at a time. So in the midst of a pandemic-driven mandate for remote
learning, she often has to choose between teaching her students and ensuring
her own school-age kids are able to log on.

"We have really done a horrible job making sure they have the means," said
the teacher, who requested we withhold her name out of fear of losing her
job.

One pandemic-driven solution in Kentucky has been to put mobile hotspots in
public school parking lots so kids without internet at home can keep up with
schoolwork, but that isn't without its own flaws.
"If they don't have gas money to come and get their child at the school
when they're sick, they're sure not going to have gas money to drive to the
school every day to download their assignments," she said.  [...]
https://www.cnet.com/features/biden-broadband-plan-digital-divide-appalachia-rural-test-case/


'Spy pixels in emails have become endemic' (BBC News)

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Feb 2021 12:36:06 -0500
The use of "invisible" tracking tech in emails is now "endemic", according
to a messaging service that analysed its traffic at the BBC's request.

Hey's review indicated that two-thirds of emails sent to its users' personal
accounts contained a "spy pixel", even after excluding for spam.

Its makers said that many of the largest brands used email pixels, with the
exception of the "big tech" firms.

Defenders of the trackers say they are a commonplace marketing tactic.

And several of the companies involved noted their use of such tech was
mentioned within their wider privacy policies.

https://www.bbc.com/news/technology-56071437

Hardly news, just a reminder...


Google has bowed to pressure and will make 'significant' payments to Rupert Murdoch's News Corp (Business Insider)

Lauren Weinstein <lauren@vortex.com>
Wed, 17 Feb 2021 13:55:02 -0800
It's difficult to disagree with Jeff Jarvis' view as described in this
article. This is a slippery slope that goes a significant way toward
breaking the fundamental principles of the Web, toward a "pay to link" model
that would destroy competition and could leave the big boys the only ones
standing. And this could make disinformation/misinformation problems worse
as well. -L

https://www.businessinsider.com/google-news-payments-deal-rupert-murdoch-wall-street-journal-australia-2021-2


The losers in the news battle

Lauren Weinstein <lauren@vortex.com>
Wed, 17 Feb 2021 21:18:24 -0800
The ultimate losers in the battle between news organizations, Facebook, and
Google, isn't any of those. It's ordinary users, who will be impotent
observers as the Internet they've come to know collapses around them in a
sea of pay-to-link sites that will bleed the Web dry.


Fixing Chrome 88's suddenly broken custom search-engine behavior

Lauren Weinstein <lauren@vortex.com>
Sat, 13 Feb 2021 21:29:15 -0800
[C'mon Google!] In the last 24 hours or so, the standard Chrome
"custom search engines" shortcut behavior (e.g. yt<space> to search on
YouTube), that I've depended on for many years, stopped working in
Chrome 88.

To fix it: Go to: chrome://flags/#omnibox-keyword-search-button
DISABLE. Then RELAUNCH.

Please don't suddenly change stuff like this, Google, without any warning or
explanation! And please don't deprecate this fix!


Facebook blocks news in Australia over government's payment rules (Dylan Byers)

Lauren Weinstein <lauren@vortex.com>
Wed, 17 Feb 2021 12:34:11 -0800
https://www.nbcnews.com/tech/tech-news/facebook-blocks-news-australia-governments-payment-rules-rcna292

Facebook said Wednesday that Australian users and publishers will not be
able to post news content to its social network after the country's
government threatened to force it to pay publishers.

The announcement is the most significant and severe split between Facebook
and a foreign government over growing calls for big tech companies to pay
publishers to feature their content.  [...]


Woke teachers want Shakespeare cut from curriculum: 'This is about White supremacy' (Washington Times)

geoff goodfellow <geoff@iconia.com>
Thu, 18 Feb 2021 12:13:55 -1000
The crown teachers once put on William Shakespeare now lies uneasy upon his
head as the English playwright comes under assault from teachers who fault
his unwoke attitudes regarding race, sexuality, gender and class.

For the new breed of teachers, Shakespeare is seen less as an icon of
literature and more as a tool of imperial oppression, an author who should
be dissected in class or banished from the curriculum entirely.

“This is about white supremacy and colonization,'' declared the teachers who
founded #DisruptTexts, a group that wants staples of Western literature
removed or subjected to withering criticism.

The anti-Shakespeare teachers say fans of the plays ignore the author's
problematic worldview. They say readers of Shakespeare should be required to
address the “whiteness'' of their thinking.

If Shakespeare must be taught, these educators say, then it should be
presented with watered-down versions of the original or supplemental texts
focused on equality issues.  [...]
https://www.washingtontimes.com/news/2021/feb/15/woke-teachers-want-shakespeare-cut-curriculum-abou/


Facebook to Label Climate Change Posts Like Covid, Vote Content (Yahoo!)

Peter Neumann <neumann@csl.sri.com>
Thu, 18 Feb 2021 14:24:16 PST
Facebook Inc. will begin labeling some user posts that mention climate
change in the same way it has annotated posts discussing elections and
Covid-19, a sign the social network is taking climate-related
misinformation more seriously.

The labels will direct users to Facebook's Climate Science Information
Center—an existing hub that includes related news articles, climate
change data and recommendations for Pages to follow. The new labels will be
added to some posts about climate change, regardless of their accuracy, a
strategy Facebook has used with other widely discussed topics as a way to
fight falsehoods.

Chief Executive Officer Mark Zuckerberg has argued that the best way to
keep misinformation from spreading on its networks is not just to remove
misleading posts, but to offer people accurate information from
authoritative sources. The labels are rolling out first to users in the
U.K., though the plan is to bring them to more countries soon, according to
a Facebook blog post.

Facebook has been used to spread climate misinformation in much the same way
the service is used for sharing all kinds of misleading posts. False
statements about climate change reviewed by Facebook's fact-checkers are
flagged, but unlike Covid-19 misinformation, climate posts are not typically
removed. That's because Facebook doesn't consider most climate
misinformation to pose an imminent threat of harm, which is the bar for
removing false information from the service.  [...]
https://finance.yahoo.com/news/facebook-label-climate-change-posts-110000858.html


France Ties Russia's Sandworm to a Multiyear Hacking Spree (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Feb 2021 19:14:58 -0500
A French security agency warns that the destructively minded group has
exploited an IT monitoring tool from Centreon.

https://www.wired.com/story/sandworm-centreon-russia-hack/


Citibank can't get back $900 million it wired by mistake

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Feb 2021 11:37:13 -0500
New York (CNN Business) After committing one of the "biggest blunders in
banking history," Citibank won't be allowed to recover the almost half a
billion dollars it accidentally wired to Revlon's lenders, a US District
Court judge ruled.

Citibank, which was acting as Revlon's loan agent, meant to send about $8
million in interest payments to the cosmetic company's lenders.  Instead,
Citibank accidentally wired almost 100 times that amount, including $175
million to a hedge fund. In all, Citi (C) accidentally sent $900 million to
Revlon's lenders.

https://www.cnn.com/2021/02/16/business/citibank-revlon-lawsuit-ruling/index.html


Incredibly poor software design costs Citigroup $500M (Matt Levine)

George Mannes <gmannes@gmail.com>
Wed, 17 Feb 2021 13:34:31 -0500
From the incomparable Bloomberg columnist Matt Levine
  (Relevant excerpts from paywalled item):

... The “easiest (or perhaps only)'' way to pay off some lenders but not
others was to instruct the software to pay off all the lenders! But tell it
only to *pretend* to pay them! Just send that money to a wash account! This
is all fine! Let's read another horrifying paragraph!

Because the vast majority of wire transactions processed by Citibank using
Flexcube involve the payment of funds to third parties, any payment entered
into the system is released as a wire payment unless the maker suppresses
the default option. Citibank's internal Fund Sighting Manual provides
instructions for suppressing Flexcube's default. When entering a payment,
the employee is presented with a menu with several *boxes* that can be
*checked* along with an associated field in which an account number can be
input. The Fund Sighting Manual explains that, in order to suppress payment
of a principal amount, “ALL of the below field[s] must be set to the wash
account: FRONT[;] FUND[; and] PRINCIPAL''—meaning that the employee had
to check all three of those boxes and input the wash account number into the
relevant fields.

This is just demented stuff. If you want to send out interest payments in
cash, but send the principal payment to the wash account, you have to check
the box next to PRINCIPAL and also the boxes next to FRONT and FUND.
PRINCIPAL sounds like principal: You are sending the principal to the wash
account, sure, right, yes, check that box.  FRONT and FUND sound like
nothing. So the Citi operations people messed it up:

Notwithstanding these instructions, Ravi, Raj, and Fratta all believed --
incorrectly—that the principal could be properly suppressed solely by
setting the PRINCIPAL field to the wash account. Accordingly, as Ravi built
out the transaction between 5:15 and 5:45 p.m. in his role as maker, he
checked off only the PRINCIPAL field, neglecting the FRONT and FUND
fields. Figure 1, below, “is an accurate image of the Flexcube screen after
[Ravi] input the data.''

At 5:45 p.m., Ravi emailed Raj for approval of the transaction, explaining
that “Princip[al] to Wash A[ccount] & Interest to DDA A[ccount].'' The
“DDA Account'' referenced the Demand Deposit Account, which is an
operational, external-facing account used by Citibank to collect payments
from customers and make transfers to lenders. After reviewing the
transaction, Raj believed—incorrectly—that the principal would be sent
to the wash account and only the interest payments would be sent out to the
Lenders.  Raj then emailed Fratta, seeking final approval under the six-eye
review process, explaining “NOTE: Principal set to Wash and Interest Notice
released to Investors.'' Fratta, also believing incorrectly that the default
instructions were being properly overridden and the principal payment would
be directed to the wash account, not to the Lenders, responded to Raj via
email, noting, “Looks good, please proceed. Principal is going to wash.''

The software gave him a warning, but not a very good one:

Raj then proceeded with the final steps to approve the transfers, which
prompted a warning on his computer screen—referred to as a “stop sign''
-- stating: “Account used is Wire Account and Funds will be sent out of the
bank. Do you want to continue?'' But “[t]he stop sign' did not indicate the
amount that would be sent out of the bank,' or whether it constituted an
amount equal to the intended interest payment, an amount equal to the
outstanding principal on the loan, or a total of both.'' Because Raj
intended to release “the interim interest payment to [the] [L]enders,'' he
therefore clicked “YES.''

Here's Figure 1; it does not particularly explain itself:

See, the “don't actually send the money'' box next to “PRINCIPAL'' is
checked, but that doesn't do anything, you have to check two other boxes to
make it not actually send the money.

When they discovered the error the next day, their first reaction was not
to email the lenders asking for the money back (that was their second
reaction); their *first *reaction was to email tech support to say the
software was broken:

At 10:26 a.m., Fratta emailed Citibank's technology support group:
“Yesterday we processed a payment with Principal to the wash and Interest
to be sent to lenders. All details in the front end screens yesterday le[d]
us to believe that the payment would be handled in that manner. . . .
Screenshots provided below indicating that the wash account . . . is present
and boxes checked appropriately for the principal components.''  Fratta then
forwarded the same email to members of his team, with the subject line
“Urgent Wash Account Does not Work.'' He stated: “Flexcube is not working
properly, and it will send your payments out the door to
lenders/borrowers. The wash account selection is not working. This lead
[sic] to ~1BN going out the door in error yesterday for an ABTF Deal,
Revlon.'' ...

Over the course of the day, Fratta learned that the principal payments --
which were made with Citibank's own money, as Revlon had provided funds only
for the interim interest payments to be made in connection with the roll up
transaction—were not caused by a technical error, but by human error: the
failure to select the FRONT and FUND fields when inputting the default
override instructions in Flexcube.

Nope, nope, he was right the first time, this whole setup is a “technical
error.” Citi's software will only let you pay principal to some lenders if
you pretend to pay it to every lender, and it will only let you pretend to
pay principal to every lender if you check the “just pretend” box next to
“PRINCIPAL” (fine!) and “FUND” (what?) and “FRONT” (what even?). What a
terrifying thing...
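The design lesson in the item above, as an added example (not Citibank's or Flexcube's code): the three override fields the decision names (PRINCIPAL, FRONT, FUND) are modelled as booleans meaning "route this component to the wash account", with the described behaviour that principal is withheld only when all three are set, beside a fail-closed variant that refuses a partially completed override instead of defaulting to "pay everyone". The data class, function names and error type are assumptions of this example.

```python
"""Fail-closed validation of a 'wash account' override (added example).

Models the three fields named in the court decision as booleans.  The
'as described' function reproduces the behaviour the article reports;
the 'fail closed' function treats the same three boxes as one intent and
refuses an instruction where they disagree.  Names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OverrideInstruction:
    principal_wash: bool  # the "don't actually send" box next to PRINCIPAL
    front_wash: bool      # FRONT also pointed at the wash account
    fund_wash: bool       # FUND also pointed at the wash account

    def flags(self):
        return (self.principal_wash, self.front_wash, self.fund_wash)


FIELD_NAMES = ("PRINCIPAL", "FRONT", "FUND")


def principal_destination_as_described(ins: OverrideInstruction) -> str:
    """Only the complete set withholds the money; anything less pays lenders."""
    return "wash" if all(ins.flags()) else "lenders"


def check_override(ins: OverrideInstruction) -> Optional[str]:
    """Return an error message when the three fields do not agree, else None."""
    flags = ins.flags()
    if all(flags) or not any(flags):
        return None
    checked = [n for n, on in zip(FIELD_NAMES, flags) if on]
    return (f"wash selected on {checked} but not on all of "
            f"{'/'.join(FIELD_NAMES)}; refusing to release principal")


class InconsistentOverride(ValueError):
    """Raised by the hardened path when the operator's intent is ambiguous."""


def principal_destination_fail_closed(ins: OverrideInstruction) -> str:
    """Partial selection is the likely operator mistake, so it is an error,
    not a default: nothing leaves on an ambiguous instruction."""
    problem = check_override(ins)
    if problem is not None:
        raise InconsistentOverride(problem)
    return "wash" if all(ins.flags()) else "lenders"


if __name__ == "__main__":
    # Constructed instruction matching the mistake the article describes.
    partial = OverrideInstruction(principal_wash=True, front_wash=False, fund_wash=False)
    print(principal_destination_as_described(partial))  # lenders
    try:
        principal_destination_fail_closed(partial)
    except InconsistentOverride as exc:
        print("rejected:", exc)
```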


Climate Change Could Shred Guitars Known for Shredding (Scientific American)

Richard Stein <rmstein@ieee.org>
Sun, 14 Feb 2021 09:44:58 +0800
https://www.scientificamerican.com/podcast/episode/climate-change-could-shred-guitars-known-for-shredding/

"It is the wood that the rock greats have sworn by—swamp ash, in the form
of their Fender Telecaster and Stratocaster guitars—for over 70 years. If
you've ever listened to rock, you've probably heard a swamp ash, solid body
guitar. But now, climate change is threatening the wood that helped build
rock and roll."

Rock n' roll will never die, but the next generation of inspirational
guitarists, and their rich riffs, may not mature without solid-body swamp
ash stringed instruments. Amplifiers that go to 11 can't fix Fender
Stratocaster extinction.


Data breach warning after California DMV contractor hit by file-stealing ransomware (TechCrunch)

Gabe Goldberg <gabe@gabegold.com>
Fri, 19 Feb 2021 15:29:42 -0500
California's Department of Motor Vehicles is warning of a potential data
breach after a contractor was hit by ransomware.

The Seattle-based Automatic Funds Transfer Services (AFTS), which the DMV
said it has used for verifying changes of address with the national database
since 2019, was hit by an unspecified strain of ransomware earlier this
month.

In a statement sent by email, the DMV said that the attack may have
compromised “the last 20 months of California vehicle registration records
that contain names, addresses, license plate numbers and vehicle
identification numbers.” But the DMV said AFTS does not have access to
customers' Social Security numbers, dates of birth, voter registration,
immigration status or driver's license information, and was not compromised.

https://techcrunch.com/2021/02/18/california-motor-vehicles-afts-ransomware/?guccounter=1


Entitled People Are More Likely To Be Angry at Bad Luck (Scientific American)

Richard Stein <rmstein@ieee.org>
Thu, 18 Feb 2021 11:00:49 +0800
https://www.scientificamerican.com/article/entitled-people-are-more-likely-to-be-angry-at-bad-luck/

"Defeat is never fun, but losing a game of poker is less painful when it's
due to the luck of the draw rather than an opponent who's cheating.
Unfairness fires people up, whereas bad luck just disappoints.

"But interestingly, this isn't true for everyone. In a series of studies, we
found that people who have higher levels of psychological entitlement—who
believe they deserve good things—actually felt victimized and angered
when they experienced, remembered or imagined bad luck befalling them."

Where would the technology industry be if luck preordained investment
outcomes? Is the game of life imperceptibly fixed for some and not others?
Fortitude sustains human perseverance, though the myth of Sisyphus reminds
us that effort does not always render beneficial outcome.

That luck serves a significant role in personal or collective achievement,
or underachievement, or at least the perception of it, is both devastating
and demoralizing. Resorting to luck as the sole determinant of success
reinforces the desperate idiom that "Man plans and God laughs."


Who Should Stop Unethical AI? (Matthew Hutson)

Jan Wolitzky <jan.wolitzky@gmail.com>
Mon, 15 Feb 2021 06:44:57 -0500
At artificial-intelligence conferences, researchers are increasingly alarmed
by what they see.

Matthew Hutson, *The New Yorker*, 15 Feb, 2021

https://www.newyorker.com/tech/annals-of-technology/who-should-stop-unethical-ai


AI may mistake chess discussions as racist talk (Techxplore.com)

Richard Stein <rmstein@ieee.org>
Fri, 19 Feb 2021 10:13:39 +0800
https://techxplore.com/news/2021-02-ai-chess-discussions-racist.html

'"We don't know what tools YouTube uses, but if they rely on artificial
intelligence to detect racist language, this kind of accident can happen,"
KhudaBukhsh said. And if it happened publicly to someone as high-profile as
Radic, it may well be happening quietly to lots of other people who are not
so well known.'

Would discussion of "rainbow-sprinkled cookies" or an "all red, queen-high
flush" crash YouTube's AI platform?

Risk: AI misclassification.


"Holy cow. Bitcoin is using half a percent of all the world's electricity?"

geoff goodfellow <geoff@iconia.com>
Wed, 17 Feb 2021 13:11:45 -1000
https://twitter.com/Ryan-Knutson/status/1362167579461226497


Nvidia limits crypto-mining on new graphics card (msn.com)

Richard Stein <rmstein@ieee.org>
Fri, 19 Feb 2021 10:25:54 +0800
https://www.msn.com/en-xl/news/other/nvidia-limits-crypto-mining-on-new-graphics-card/ar-BB1dNJev

"Nvidia said the software for its forthcoming GeForce RTX 3060 card will
limit how efficiently it can process Ethereum transactions by about 50%.

"This will make it less economical for miners to use the card for mining
Ethereum."

A software throttle is an exploit target.


The IRS Cashed Her Check, Then the Late Notice Started Coming (ProPublica)

Gabe Goldberg <gabe@gabegold.com>
Fri, 19 Feb 2021 14:23:48 -0500
https://www.propublica.org/article/the-irs-cashed-her-check-then-the-late-notices-started-coming


Authorities have taken down the dark web's largest illegal marketplace vendor

Monty Solomon <monty@roscom.com>
Thu, 18 Feb 2021 22:49:59 -0500
Authorities have taken down the dark web's largest illegal marketplace
https://www.theverge.com/2021/1/12/22227929/darkmarket-shutdown-europol-worlds-largest-illegal-marketplace


U.S. election cybersecurity (CDT)

<Peter G Neumann>
Tue, 16 Feb 2021 17:10:11 -0800
The Center for Democracy and Technology has issued a relevant report:

https://cdt.org/wp-content/uploads/2021/02/2021-02-02-CDT-Agenda-for-US-Election-Cybersecurity-KAS-FINAL.pdf


People answer scientists' queries in real time while dreaming (Scientific American)

Richard Stein <rmstein@ieee.org>
Fri, 19 Feb 2021 17:25:29 +0800
https://www.scientificamerican.com/article/people-answer-scientists-queries-in-real-time-while-dreaming/

"Researchers demonstrate that during REM sleep, people can hear—and
respond to—simple questions (What is eight minus six?)"

Not difficult to imagine an exploitation of this capability. For instance, a
CxO for a publicly listed company asked a yes-or-no question: 'Will your
shop achieve projected profitability this quarter?'

Risk: Sleep-talking.


How Oracle Sells Repression in China (

Gabe Goldberg <gabe@gabegold.com>
Fri, 19 Feb 2021 15:24:57 -0500
In its bid for TikTok, Oracle was supposed to prevent data from being passed
to Chinese police. Instead, it’s been marketing its own software for their
surveillance work.

https://theintercept.com/2021/02/18/oracle-china-police-surveillance/


The Untold History of America's Zero-Day Market (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 15 Feb 2021 20:04:47 -0500
https://www.wired.com/story/untold-history-americas-zero-day-market/

A bit too breathless and incoherent...


"Vaccine" passport?

Rob Slade <rmslade@shaw.ca>
Tue, 16 Feb 2021 11:59:18 -0800
I'm not holding my breath, waiting for one.

I have, previously, mentioned John McAfee's "enterprise" regarding a similar
certificate or passport for swingers in the time of AIDS.  The thing just
isn't workable, at best, and, at worst, it can be a positive danger.

You're going to have to carry some kind of document or card.  Let's say it's
a card.  Now, does it just give contact info for a centralized database?
(One version I saw just used a QR code on your phone, so that definitely
seems to just be a "pointer" situation.)  *How* centralized?  This is going
to be used for international travel, one would think, if it is going to be
used at all.  So which countries are going to sign on?  And which are going
to accept a database in some other jurisdiction?  And which are going to
accept having their citizens' data stored by someone else?

OK, so what if we make it a smart card and store it on the phone.  Same
problems with jurisdiction.  Which countries are going to agree (within the
next few months, please) to a standard for data storage on such a card?  And
start producing them, all to the same specs.

Then we have the data.  There are the details of the vaccine.  Which version
of the vaccine?  Which lot number?  What is the date of administration?
(Oh, and, by the way, all vaccine administration points are going to have to
be prepared to input *and verify* all this information at the time you get
your shot.)  (Every single nurse-practitioner's office and pharmacy.)  (And
the details of who entered the info is going to have to be there as well,
for verification.)  Is it a multi-shot regimen?  Did you get your booster?

That's a lot of data.  And, if someone gets access to it, a lot more can be
inferred from it.  Like where you were on a given date and time ...

Oh, and, by the way, there are some additional data points we should add.
Like, have you been tested?  What type of test?  What date?  [...]

I see *lots* of problems ...


Man offered vaccine after error lists him as 6.2cm tall

Amos Shapir <amos083@gmail.com>
Fri, 19 Feb 2021 14:08:17 +0200
Yet another case of GIGO:
https://www.bbc.com/news/uk-england-merseyside-56111209

A young man was offered a vaccine despite not being in any risk group.  It
turns out his height was registered as 6.2cm instead of 6'2", which resulted
in a BMI number of about 28,000—which the system flagged as "clinically,
morbidly-obese".
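The GIGO failure above, as an added example (not the NHS system's code): a height parser that accepts both the feet-and-inches and the metric conventions, converts to metres, and refuses values outside a human range, so the BMI-based risk flag never sees a 6.2cm patient. The plausibility bounds, the constructed weight and the class III threshold used for the flag are assumptions of this example.

```python
"""Plausibility-checked height parsing before a BMI risk flag (added example)."""
import re

# Adult height plausibility window in metres (assumed bounds for this check).
MIN_HEIGHT_M, MAX_HEIGHT_M = 0.50, 2.60
MORBIDLY_OBESE_BMI = 40.0  # assumed class III threshold for the flag

_FEET_INCHES = re.compile(r"""^\s*(\d+)\s*'\s*(\d+(?:\.\d+)?)?\s*"?\s*$""")
_METRIC = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(cm|m)\s*$", re.IGNORECASE)


def parse_height_m(text: str) -> float:
    """Convert "6'2\"", "188 cm" or "1.88 m" to metres; reject implausible values."""
    if (m := _FEET_INCHES.match(text)):
        feet, inches = int(m.group(1)), float(m.group(2) or 0)
        metres = (feet * 12 + inches) * 0.0254
    elif (m := _METRIC.match(text)):
        value, unit = float(m.group(1)), m.group(2).lower()
        metres = value / 100 if unit == "cm" else value
    else:
        raise ValueError(f"unrecognised height {text!r}")
    if not MIN_HEIGHT_M <= metres <= MAX_HEIGHT_M:
        # The GIGO guard: "6.2cm" is 0.062 m, far below any adult height.
        raise ValueError(f"implausible height {metres:.3f} m from {text!r}")
    return round(metres, 3)


def bmi(weight_kg: float, height_text: str) -> float:
    """BMI from validated inputs only; a bad height raises instead of yielding ~28,000."""
    h = parse_height_m(height_text)
    return round(weight_kg / (h * h), 1)


def risk_flag(weight_kg: float, height_text: str) -> str:
    """Route unparseable or implausible records to human review, not a risk bucket."""
    try:
        value = bmi(weight_kg, height_text)
    except ValueError as exc:
        return f"needs-review: {exc}"
    return "morbidly-obese" if value >= MORBIDLY_OBESE_BMI else "not-flagged"


if __name__ == "__main__":
    weight = 108.0  # constructed weight in kg; not from the article
    print(risk_flag(weight, "6'2\""))  # not-flagged
    print(risk_flag(weight, "6.2cm"))  # needs-review: implausible height ...
```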


Gorilla COVID risks (CNN)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 16 Feb 2021 13:22:53 -0700
https://www.cnn.com/2021/02/16/africa/gorilla-covid-selfie-safety-scli-intl-scn/

Jack Guy, CNN, 16 Feb 2021

  Tourists who take selfies with wild mountain gorillas could put the
  primates at risk of developing Covid-19, according to new research.

  Scientists from Oxford Brookes University, England, looked at hundreds of
  Instagram posts from people visiting the animals in East Africa and found
  most tourists were close enough to gorillas to spread viruses and
  diseases, according to a press release from the university on Tuesday.

  "The risk of disease transmission between visitors and gorillas is very
  concerning," said study lead author Gaspard Van Hamme, an Oxford Brookes
  University alumnus who started work on the study during his masters
  program.

  "It is vital that we strengthen and enforce tour regulations to ensure
  gorilla trekking practices do not further threaten these already imperiled
  great apes."


Japanese contact tracing software of Covid-19 patient on Android did not work for four months (Kyodo News)

Chiaki Ishikawa <ishikawa@yk.rim.or.jp>
Mon, 15 Feb 2021 16:51:48 +0900
The following item explains it all.

https://english.kyodonews.net/news/2021/02/6437947c3d50-suga-apologizes-for-glitch-in-japans-covid-19-contact-tracing-app.html

A contact tracing app dubbed "COCOA" in Japan has failed miserably on
Android phones since the September update, but obviously no one at the
health ministry or the development company that contracted the work verified
its operation on a real phone, despite there being SNS posts from Covid-19
patients who mentioned that their family members' phones did not report the
exposure warning at all.

I think the issue is due to a few factors:

- Apple/Google publish the so-called Exposure Notification API and implement
its functionality on their respective OSes. The specs from the two companies
disagreed on a few minor points.  Obviously, there have been updates, and
new specs are hard to read, as many in the ICT industry can attest. This type
of spec is read only by geeks, and not many complain loudly that they are
written poorly. But I digress.

Only some really serious developers noticed the subtle difference between
the API published for iOS and Android.  A blog post in Japanese about the
bug refers to the GitHub issue comments that first reported the issue from a
programmer's point of view:
https://zenn.dev/zipperpull/articles/20210210-cocoa-bug  (in
Japanese).

- Apple/Google have asked the health authorities of countries/regions that
only one such app be used in each region. This, I suppose, is due to privacy
concerns.

This made the selection of developers a bit difficult, since there had been
a few independent groups who already had more or less working samples. (I
don't know if they were bug-free or not.)  Eventually, one of the developed
programs was chosen as the basis of COCOA, and a maintenance company was
chosen whose main function, it thought, was the operation/maintenance of the
anonymous patient database (anonymized by Apple/Google algorithms, I think).

But actually, due to the API changes over the long run, the app needed to be
maintained as well, on both iOS and Android. Somehow the Android update
got buggy, but no real-world phone tests took place, if I understand
correctly. This is probably due to the unpreparedness of the development
company, but I am not sure.

If this were an ordinary software bug, I would say "OK, a bug is always
there, let's fix it and move on."

However, when the app is relied on by the health authority of the region
where I live (Kanagawa prefecture), it is not such an easy-to-ignore bug.
The authority stated in early January, citing lack of man-power, that it
would rely on this failing app to keep track of people who come into contact
with known Covid-19 patients instead of human-based tracing.  This means that
those who relied on the Android version of the app got short shrift and
worse.  I am not even sure if the iOS version is working correctly, since
there has been a report from an iOS user who got Covid-19 and yet her family
members' iPhones did not report the exposure. Hmm...

I use Android and have removed the app for now.


Bruce Schneier's CRYPTO-GRAM, 15 Feb 2021

Peter Neumann <neumann@csl.sri.com>
Mon, 15 Feb 2021 10:52:16 PST
  [I am including the ToC for this issue of Bruce Schneier's CRYPTO-GRAM
  because it illustrates an incredible increase in the breadth and
  pervasiveness of serious security attacks.  FYI.  You might want your own
  subscription (it's free) if this is of interest to you.  PGN]

For back issues, or to subscribe, visit Crypto-Gram's web page
[https://www.schneier.com/crypto-gram/].

Read this issue on the web
[https://www.schneier.com/crypto-gram/archives/2021/0215.html]

     1. Cell Phone Location Privacy
     2. Injecting a Backdoor into SolarWinds Orion
     3. Sophisticated Watering Hole Attack
     4. SVR Attacks on Microsoft 365
     5. Insider Attack on Home Surveillance Systems
     6. Massive Brazilian Data Breach
     7. Dutch Insider Attack on COVID-19 Data
     8. Police Have Disrupted the Emotet Botnet
     9. New iMessage Security Features
     10. Including Hackers in NATO Wargames
     11. Georgia's Ballot-Marking Devices
     12. More SolarWinds News
     13. Another SolarWinds Orion Hack
     14. Presidential Cybersecurity and Pelotons
     15. NoxPlayer Android Emulator Supply-Chain Attack
     16. SonicWall Zero-Day
     17. Web Credit Card Skimmer Steals Data from Another Credit Card Skimmer
     18. Ransomware Profitability
     19. Attack against Florida Water Treatment Facility
     20. Medieval Security Techniques
     21. Chinese Supply-Chain Attack on Computer Systems


Re: Calling All Ham Radio Operators

Bob Wilson <wilson@math.wisc.edu>
Mon, 15 Feb 2021 15:19:40 -0600
As a ham myself, I want to point out this has nothing to do with ham radio
operators. (Many of us do happily use Morse, but we are not the only such
people in the world!) Ham radio is a flourishing activity (the US has more
licensed hams now than ever in the past, something like three quarters of a
million) that in addition to being a hobby enjoyed by many is a valuable
contribution to national security and safety, and should not be (be)smirched
with any connection to that hacking attack!  Bob Wilson
