The RISKS Digest
Volume 32 Issue 51

Monday, 22nd February 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


777 has engine problems on takeoff from Denver, drops large pieces of debris on local neighborhood, makes it back to airport safely
Lauren Weinstein
His Lights Stayed on During Texas's Storm. Now He Owes $16,752
Abbott appointees made ‘astonishing’ cuts to power reliability team
Houston Chronicle
Future warfare will feature autonomous weaponry
Malware Is Now Targeting Apple's New M1 Processor
Apple Is Going to Make It Harder to Hack iPhones With Zero-Click Attacks
IRS trifecta—not good news
UN discusses how not to kill the planet
Study of auto recalls shows carmakers delay announcements until they ‘hide in the herd’
The Race to Fix Virtual Meetings (AKA, the nightmare continues)
Sign this 8-year-old up!
Gabe Goldberg
China Censors the Internet. So Why Doesn't Russia?
A reminder about U2F/FIDO security keys and account security
Google via LW
Can't make this up—panic culture
10TV via Gabe Goldberg
Current state of DDoS
IEEE Computer
Warning regarding fake Mars Probe video
Lauren Weinstein
UMass Amherst Team Helps Demonstrate Spontaneous Quantum Error Correction
Quantum networking progress
rod van meter
New Approach to 3D Printing of Human Tissue Closer to Reality
Brian P. Dunleavy
John Deere Promised Farmers It Would Make Tractors Easy to Repair. It Lied.
Re: Texas vs FERC's “best practices” for anticipating disasters
Mark Brader
Re: U.S. Water Supply Has Few Protections Against Hacking
Amos Shapir
Re: “Vaccine” passport?
Amos Shapir
Re: Incredibly poor software design costs Citigroup $500M
Jim Geissman
Re: Gorilla COVID risks
John Levine
Re: Spy pixels in emails have become endemic
John Levine
Re: Japanese contact tracing software: Update on Cocoa bug
Anthony Thorn
Info on RISKS (comp.risks)

777 has engine problems on takeoff from Denver, drops large pieces of debris on local neighborhood, makes it back to airport safely

Lauren Weinstein <>
Sat, 20 Feb 2021 13:31:27 -0800

Definitely not what you want to see today—or any day—when you look out of a 777 window

His Lights Stayed on During Texas's Storm. Now He Owes $16,752 (NYTimes)

Gabe Goldberg <>
Sun, 21 Feb 2021 12:26:09 -0500

SAN ANTONIO—As millions of Texans shivered in dark, cold homes over the past week while a winter storm devastated the state's power grid and froze natural gas production, those who could still summon lights with the flick of a switch felt lucky.

Now, many of them are paying a severe price for it.

“My savings is gone,” said Scott Willoughby, a 63-year-old Army veteran who lives on Social Security payments in a Dallas suburb. He said he had nearly emptied his savings account so that he would be able to pay the $16,752 electric bill charged to his credit card—70 times what he usually pays for all of his utilities combined. “There's nothing I can do about it, but it's broken.”

Mr. Willoughby is among scores of Texans who have reported skyrocketing electric bills as the price of keeping lights on and refrigerators humming shot upward. For customers whose electricity prices are not fixed and are instead tied to the fluctuating wholesale price, the spikes have been astronomical.

The outcry elicited angry calls for action from lawmakers from both parties and prompted Gov. Greg Abbott, a Republican, to hold an emergency meeting with legislators on Saturday to discuss the enormous bills. […]

Under some of the plans, when demand increases, prices rise. The goal, architects of the system say, is to balance the market by encouraging consumers to reduce their usage and power suppliers to create more electricity.

But when last week's crisis hit and power systems faltered, the state's Public Utilities Commission ordered that the price cap be raised to its maximum limit of $9 per kilowatt-hour, easily pushing many customers' daily electric costs above $100. And in some cases, like Mr. Willoughby's, bills rose by more than 50 times the normal cost. […]

Many of the people who have reported extremely high charges, including Mr. Willoughby, are customers of Griddy, a small company in Houston that provides electricity at wholesale prices, which can quickly change based on supply and demand.

The company passes the wholesale price directly to customers, charging an additional $9.99 monthly fee. Much of the time, the rate is considered affordable. But the model can be risky: Last week, foreseeing a huge jump in wholesale prices, the company encouraged all of its customers—about 29,000 people—to switch to another provider when the storm arrived. But many were unable to do so.

Katrina Tanner, a Griddy customer who lives in Nevada, Texas, said she had been charged $6,200 already this month, more than five times what she paid in all of 2020. She began using Griddy at a friend's suggestion a couple of years ago and was pleased at the time with how simple it was to sign up.

The money quote—literally:

William W. Hogan, considered the architect of the Texas energy market design, said in an interview this past week that the high prices reflected the market performing as it was designed.

Welcome to TX.

Abbott appointees made ‘astonishing’ cuts to power reliability team before deadly Texas storm

Lauren Weinstein <>
Fri, 19 Feb 2021 14:52:27 -0800

Abbott appointees made ‘astonishing’ cuts to power reliability team before deadly Texas storm

Future warfare will feature autonomous weaponry (WashPost)

Gabe Goldberg <>
Sun, 21 Feb 2021 13:34:54 -0500

The Washington Post

Advanced AI means weapons operating faster, leaving human operators and their molasses reflexes behind. Roper said that because of the way AI capabilities are accelerating, being behind means the United States might never catch up, which is why he's pushing to move fast and get AI out into combat. “It doesn't make sense to study anything in the era of AI. It's better to let the AI start doing and learning, because it's a living, breathing system, very much like a human, just silicon based.” […]

The United States isn't alone in venturing into this territory. Nearly two decades ago, Britain built a missile called the Brimstone that was meant to go after enemy vehicles it selected on its own after being released from British Tornado fighters. Two computer algorithms—not the pilots—dictated its actions. Brimstone wasn't exactly an example of AI: Its algorithms were written by people, whereas AI weapons will rely on code computers write themselves—extensive programming that's nearly impossible to review and verify. Still, when the missile was ready for use, British commanders, in the midst of combat in Iraq, were facing strong public pressure about civilian casualties and worries about international law. All military commanders, under the rules of war, must be able to show that they discriminate between legal military targets and civilians, something that's hard to do if the missile rather than a person is deciding what to strike. Ultimately, Royal Air Force commanders chose not to deploy the missile in Iraq, instead spending a year redesigning it to add a mode allowing pilots to pick the targets.

First companies were people, now AI is people. I thought it was just Soylent Green that's people…

Malware Is Now Targeting Apple's New M1 Processor (WiReD)

Gabe Goldberg <>
Sun, 21 Feb 2021 00:59:13 -0500

Two distinct strains of malware have already adjusted to the new silicon just months after its debut. […] For now, the native M1 malware that researchers have found doesn't seem to be a desperately dangerous threat in itself. But the emergence of these new strains is a warning that there's more to come—and that detection tools need to bridge the gap to be ready.

…so the arms race continues.

Apple Is Going to Make It Harder to Hack iPhones With Zero-Click Attacks (Vice)

Monty Solomon <>
Mon, 22 Feb 2021 14:35:31 -0500

Multiple exploit developers tell Motherboard an upcoming change in iOS could make zero-click exploits harder to pull off.

IRS trifecta—not good news (WashPost)

Gabe Goldberg <>
Sun, 21 Feb 2021 15:42:40 -0500

Inside the IRS: The department charged with the stimulus and tax season is barely hanging on (The Washington Post)

The IRS is contending with those challenges while navigating a depleted workforce and years of underfunding. Congress has cut the agency's annual appropriation by 20 percent since 2010, chipping away at workplace morale and expertise.

The reduction of human capital—the IRS's most valuable resources, experts say—risks further running the agency aground in 2021. More than 21,000 full-time employees left the agency between 2010 and 2019, including many of its most skilled and tenured professionals. As part of sustained budget cuts pushed by congressional Republicans upset over perceived bias within the agency, the IRS spent years cutting back on training, too, Reardon said, making it harder to adjust to an already hectic year.

Tax season 2021: A tornado is coming. A supersize list of some of the issues people will face this year.

President Biden may struggle to get new $3,000 benefit to many of America's poorest families. The White House touts the plan as dramatically curbing child poverty, but questions abound about implementation.

Starve the IRS, then create chaos for it. What could go wrong…

UN discusses how not to kill the planet (UNEP)

geoff goodfellow <>
Sun, 21 Feb 2021 12:12:01 -1000

Humans are making Earth a broken and increasingly unlivable planet through climate change, biodiversity loss and pollution. So the world must make dramatic changes to society, economics and daily life, a new United Nations report says.

Unlike past U.N. reports that focused on one issue and avoided telling leaders actions to take, Thursday's report combines three intertwined environment crises and tells the world what's got to change. It calls for changing what governments tax, how nations value economic output, how power is generated, the way people get around, fish and farm, as well as what they eat.

“Without nature's help, we will not thrive or even survive,” Secretary-General Antonio Guterres said. “For too long, we have been waging a senseless and suicidal war on nature. The result is three interlinked environmental crises.”

“Our children and their children will inherit a world of extreme weather events, sea level rise, a drastic loss of plants and animals, food and water insecurity and increasing likelihood of future pandemics,” said report lead author Sir Robert Watson, who has chaired past UN science reports on climate change and biodiversity loss.

“The emergency is in fact more profound than we thought only a few years ago,” said Watson, who has been a top level scientist in the U.S. and British governments.

This year “is a make-it or break-it year indeed because the risk of things becoming irreversible is gaining ground every year,” Guterres said. “We are close to the point of no return.”

The report highlighted what report co-author Rachel Warren of the University of East Anglia called “a litany of frightening statistics that hasn't really been brought together:”

“In the end it will hit us,” said biologist Thomas Lovejoy, who was a scientific advisor to the report. “It's not what's happening to elephants. It's not what's happening to climate or sea level rise. It's all going to impact us.”

The planet's problems are so interconnected that they must be worked on together to be fixed right, Warren said. And many of the solutions, such as eliminating fossil fuel use, combat multiple problems including climate change and pollution, she said.

The report “makes it clear that there is no time for linear thinking or tackling problems one at a time,” said University of Michigan environment professor Rosina Bierbaum, who wasn't part of the work.

In another break, this report gives specific solutions that it says must be taken.

This report uses the word “must” 56 times and “should” 37 times. There should be 100 more because action is so crucial, said former U.N. climate chief Christiana Figueres, who wasn't part of the report.

“Time has totally run out. That's why the word ‘must’ is in there,” Figueres said.

The report calls for an end to fossil fuel use and says governments should not tax labor or production, but rather use of resources that damages nature.

“Governments are still paying more to exploit nature than to protect it,” Guterres said. “Globally, countries spend some 4 to 6 trillion dollars a year on subsidies that damage the environment.”

Scientists should inform leaders about environmental risks “but their endorsement of specific public policies threatens to undermine the credibility of their science,” said former Republican Rep. Bob Inglis, who founded the free market climate think tank

The report also tells nations to value nature in addition to the gross domestic product when calculating how an economy is doing.

Getting there means changes by individuals, governments and business, but it doesn't have to involve sacrifice, said UN Environment Programme Director Inger Andersen.

“There's a country that has been on that path for 25 years: Costa Rica,” Andersen said. “Yes, these are difficult times, but more and more leaders are stepping in.”

Study of auto recalls shows carmakers delay announcements until they ‘hide in the herd’

Richard Stein <>
Mon, 22 Feb 2021 21:59:56 +0800

‘“The implication is that auto firms are either consciously or unconsciously delaying recall announcements until they are able to hide in the herd,” said George Ball, assistant professor of operations and decision technologies and Weimer Faculty Fellow at the Indiana University Kelley School of Business. “By doing this, they experience a significantly reduced stock penalty from their recall.”’

The auto industry's product defect disclosure practice illustrates a callous disregard for public safety, an exemplary model of “Profit Without Honor”.

History teaches that commercial product defect discovery and disclosure depend on profit-driven organizational behavior. Foreknowledge of brand-killing defects often fails to motivate governance actions to mitigate them when profits are risked. Boeing's MCAS, Volkswagen's defeat device, Morton-Thiokol's SRB O-ring, and Takata's airbag inflator serve as significant examples.

Should product defect disclosure processes, purposely delayed to protect profits, be penalized? The threat of a stiff fine, and civil or criminal prosecution, may restore product safety disclosure fidelity and reaffirm responsible corporate citizenship.

Risk: Product defect disclosure latency

The Race to Fix Virtual Meetings (AKA, the nightmare continues) (NYTimes)

Gabe Goldberg <>
Sun, 21 Feb 2021 13:25:25 -0500

Sick of boring grids of heads? A new crop of start-ups aims to bring some serendipity and spark to remote meetings.

Good comment:

Please stop. I do not want to add actor and/or performance artist to my job description. So far, it is just a meeting. I understand virtual conferences and speakers. Virtual reality on the home front needs a rethink. The true reality is that we are not, for the most part, interested in replacing or finding a work-around solution to in-person contact with a fantasy. If you want to monetize further “zoom” meetings etc., and their counterparts, say so. Where is the hue and cry for an extended, more upbeat meeting arena? Now, let's talk about something substantial like the currently existing “digital divide,” so there is not another crater being created between the “haves and the have nots.”

Sign this 8-year-old up!

Gabe Goldberg <>
Sun, 21 Feb 2021 12:55:23 -0500

She's got a real future as a cybersecurity Red Team member…

The grifter: someone's 8 year old niece

The prize: Playing virtual hooky permanently (School Zoom calls)

The marks: sister, brother-in-law, teacher, school's computer teacher, principal and Zoom's support team

The con: How she pulled it off

China Censors the Internet. So Why Doesn't Russia? (NYTimes)

Lauren Weinstein <>
Sun, 21 Feb 2021 08:02:14 -0800

A reminder about U2F/FIDO security keys and account security (Google)

Lauren Weinstein <>
Sun, 21 Feb 2021 11:29:32 -0800

U2F/FIDO is superior to other 2sv (2-step verification) authentication systems because it's a “what you know and what you have” system that makes such a difference. The phisher doesn't have your key. When Google implemented this internally, successful phishing dropped to zero.

Using U2F/FIDO security keys to protect your Google account:
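
The mechanism behind that “phishing dropped to zero” claim is worth seeing in code. The following is an added example, not Google's or the FIDO Alliance's code: it models the part of U2F/FIDO that a phisher cannot get around, namely that the assertion is a signature over the site identity (appID/origin) as supplied by the browser, not by the web page, plus a fresh one-time challenge from the server. For a dependency-free demo, an HMAC with a per-site secret stands in for the authenticator's per-site ECDSA key pair (an assumption; real keys hand the server a public key and never export the private half), and the origins are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not Google's or the FIDO Alliance's code. It models why a
# security key defeats phishing: the assertion signs the site identity
# (appID/origin) that the browser, not the page, supplies, plus a fresh server
# challenge, so nothing harvested on a look-alike domain verifies on the real
# one. Assumption for a dependency-free demo: an HMAC with a per-site secret
# stands in for the authenticator's per-site ECDSA key pair; real keys hand
# the server a public key and never export the private half.


def _signing_input(app_id: str, client_data: bytes) -> bytes:
    return hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()


class SecurityKey:
    """Toy authenticator: one secret per registered appID, never exported."""
    def __init__(self):
        self._secrets = {}

    def register(self, app_id: str) -> bytes:
        self._secrets[app_id] = secrets.token_bytes(32)
        return self._secrets[app_id]  # stand-in for the public key a real key returns

    def sign(self, app_id: str, client_data: bytes):
        secret = self._secrets.get(app_id)
        if secret is None:
            return None  # no credential for this site: nothing to sign with
        return hmac.new(secret, _signing_input(app_id, client_data), hashlib.sha256).digest()


class Browser:
    """The browser, not the page, decides which appID a page may use."""
    def __init__(self, key: SecurityKey):
        self.key = key

    def get_assertion(self, page_origin: str, app_id: str, challenge: str):
        if page_origin != app_id:
            return None  # facet check: a page cannot borrow another site's appID
        client_data = json.dumps({"challenge": challenge, "origin": page_origin},
                                 sort_keys=True).encode()
        signature = self.key.sign(app_id, client_data)
        return None if signature is None else {"client_data": client_data, "signature": signature}


class RelyingParty:
    """The real site: issues one-time challenges and checks assertions."""
    def __init__(self, origin: str):
        self.origin, self.verifier, self.pending = origin, None, set()

    def enroll(self, key: SecurityKey):
        self.verifier = key.register(self.origin)

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion) -> bool:
        if assertion is None or self.verifier is None:
            return False
        client = json.loads(assertion["client_data"])
        if client.get("origin") != self.origin:
            return False  # signed for some other site
        if client.get("challenge") not in self.pending:
            return False  # unknown or already used challenge (replay)
        self.pending.discard(client["challenge"])
        expected = hmac.new(self.verifier, _signing_input(self.origin, assertion["client_data"]),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo():
    """Returns (genuine login accepted, relayed phishing assertion accepted,
    replayed genuine assertion accepted); expected (True, False, False)."""
    real, key = RelyingParty("https://accounts.example"), SecurityKey()  # constructed origin
    real.enroll(key)
    browser = Browser(key)
    # Genuine login on the real origin.
    a1 = browser.get_assertion(real.origin, real.origin, real.new_challenge())
    legit_ok = real.verify(a1)
    # A look-alike page relays a real challenge. The browser refuses to let it
    # claim the real appID, and the key has no credential for the fake origin.
    fake, c2 = "https://accounts-example.invalid", real.new_challenge()
    a2 = browser.get_assertion(fake, real.origin, c2) or browser.get_assertion(fake, fake, c2)
    phish_ok = real.verify(a2)
    # Replaying the genuine assertion: its challenge was already consumed.
    replay_ok = real.verify(a1)
    return legit_ok, phish_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

The two checks in `verify` are the whole story: the origin in the signed client data must be the relying party's own, and the challenge must be one it issued and has not yet seen. A one-time code typed into a look-alike page fails neither test, which is why it can be relayed and a security key assertion cannot.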

Can't make this up—panic culture (10TV)

Gabe Goldberg <>
Sun, 21 Feb 2021 12:48:03 -0500

Spare roses placed on Walmart cars trigger sex trafficking panic

Dozens of roses were left on vehicles, leading people to call the sheriff's office, which issued a warning about a potential tie to human trafficking.

Punchline: At the end, after it's revealed as a friendly/loving gesture after a fellow spent $300 on roses when proposing to his girlfriend, and they decided to share the flowers, the sheriff said it's a good reminder to be vigilant and report anything unusual—instead of telling people to get a grip. No, it's a reminder to not start/believe ridiculous rumors.

Current state of DDoS (IEEE)

Peter Neumann <>
Sat, 20 Feb 2021 10:28:19 PST

Dan Geer suggests: in light of the Texas fiasco (RISKS-32.50), it might be worth your checking this item out:

Article in the current IEEE Computer:

“21 Years of Distributed Denial-of-Service: Current State of Affairs”, by Eric Osterweil and Angelos Stavrou (George Mason University) and Lixia Zhang (UCLA)

Warning regarding fake Mars Probe video

Lauren Weinstein <>
Sat, 20 Feb 2021 10:24:23 -0800

WARNING: While the new Mars probe has audio capability for the first time, a video racking up views claiming to be video & audio from the new probe is reportedly a fake, with video from an older probe and audio of unknown origin. The new probe has not sent audio or video yet.

UMass Amherst Team Helps Demonstrate Spontaneous Quantum Error Correction

ACM TechNews <>
Fri, 19 Feb 2021 12:40:31 -0500 (EST)

UMass Amherst, 11 Feb 2021, via ACM TechNews, 19 Feb 2021

University of Massachusetts Amherst researchers have devised a novel form of quantum error correction (QEC) featuring spontaneous, or passive, correction. The passive QEC method specifically designs the friction or dissipation experienced by a quantum bit (qubit). UMass Amherst's Chen Wang said, “Although our experiment is still a rather rudimentary demonstration, we have finally fulfilled this counterintuitive theoretical possibility of dissipative QEC. Looking forward, the implication is that there may be more avenues to protect our qubits from errors and do so less expensively. Therefore, this experiment raises the outlook of potentially building a useful fault-tolerant quantum computer in the mid to long run.”

Quantum networking progress

rod van meter <>
February 19, 2021 at 11:43:12 AM GMT+9

[Via David Farber's IP]

New paper (though not yet peer reviewed) from TU Delft, the leading experimental group using solid state qubit memories connected via single photons:

And this interested Nature enough that they have a news article on it, quoting yours truly:

This is important because it's the first time that coupling entanglement across more than one hop has been done using solid state memories.

New Approach to 3D Printing of Human Tissue Closer to Reality (Brian P. Dunleavy)

ACM TechNews <>
Fri, 19 Feb 2021 12:40:31 -0500 (EST)

Brian P. Dunleavy, UPI, 16 Feb 2021 via ACM TechNews; Friday, February 19, 2021

Carnegie Mellon University researchers have developed a new approach to three-dimensional (3D) bioprinting that fixes problems caused by gravity in the bioinks. The Freeform Reversible Embedding of Suspended Hydrogels approach involves 3D printing in a “support bath,” which holds the bioinks in place until they are cured and provides an environment that maintains high cell viability. Use of the support bath overcomes the challenges of 3D printing soft materials in air, as gravity distorts soft and liquid bioinks that are deposited in a layer-by-layer manner using a syringe pump. Although the technology already has been used to bioprint functional heart valves and contractile cardiac ventricles, Carnegie Mellon's Daniel J. Shiwarski said clinical use of printed tissue is “still years away.”

John Deere Promised Farmers It Would Make Tractors Easy to Repair. It Lied.

Peter Neumann <>
Sun, 21 Feb 2021 12:32:11 PST

Re: Texas vs FERC's “best practices” for anticipating disasters (RISKS-32.50)

Mark Brader <msb@Vex.Net>
Fri, 19 Feb 2021 19:09:11 -0500 (EST)
> In our RISKS-related archives is also a major six-week complete power-outage
> disaster in Quebec in the winter of 1996-1997 when transmission towers froze
> and collapsed from the weight of ice under the prolonged hard freeze, and the
> outage lasted for months…  (Surely, cold weather was not a surprise there.)

Prolonged cold weather was not a surprise, but what they hadn't planned for was prolonged freezing rain.

Re: U.S. Water Supply Has Few Protections Against Hacking (RISKS-32.50)

Amos Shapir <>
Sat, 20 Feb 2021 12:51:50 +0200

It seems that no notice was taken of a similar incident in Israel in April 2020; the attack (trying to increase chlorine level in water supply) and infiltration method (taking over the controlling OS by remote access) may indicate that the same hackers were involved.

Re: “Vaccine” passport? (RISKS-32.50)

Amos Shapir <>
Sat, 20 Feb 2021 13:16:56 +0200

FWIW, I just received my Israeli “Green Passport”. It is distributed as a PDF document, containing (plain text on a green background): Name (in Hebrew and English), ID number, passport number, DOB, date of inoculation (which is one week after receiving 2nd dose) and expiration date (6 months later).

Then there are details of each dose: Date, type (Pfizer), production (BNT162b2, probably BioNtech), batch number, and health provider organization which administered it.

There is also a QR code containing (in base64-encoded plain text) XML code of the fields: “idType” (probably indicating Israeli ID or foreign passport), “idNum”, “certNum” (a hex value, which doesn't appear on the card itself), “fullName” (in Hebrew only), “immunedSince” (date value) “expirationDate” (date value).

It seems that the “certNum” field is an attempt at validation, but it's unclear how it may be used.
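
As an added illustration (not the Israeli Ministry of Health's code or format specification, and not Amos's), here is what a verifier can and cannot do with a payload of the shape described: base64-encoded plain-text XML carrying idType, idNum, certNum, fullName, immunedSince and expirationDate. The root element name, the ISO date format and every value in the sample are constructed assumptions; the real encoding may differ. The parser treats the QR content as untrusted input, and the check function makes the limit explicit: with nothing signed, a match against the printed card shows consistency, not authenticity.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

# Added example, not the Israeli Ministry of Health's code or format
# specification. It decodes a QR payload shaped as the post describes
# (base64-encoded plain-text XML carrying idType, idNum, certNum, fullName,
# immunedSince and expirationDate) and cross-checks it against the printed
# card. The root element name, the ISO date format and every value in the
# sample below are constructed assumptions; the real encoding may differ.

FIELDS = ("idType", "idNum", "certNum", "fullName", "immunedSince", "expirationDate")


def make_constructed_qr(fields: dict) -> str:
    """Build a sample payload in the described shape (demo input only)."""
    root = ET.Element("cert")  # assumed root element name
    for name in FIELDS:
        ET.SubElement(root, name).text = fields[name]
    return base64.b64encode(ET.tostring(root, encoding="utf-8")).decode("ascii")


def parse_green_pass(qr_text: str) -> dict:
    """base64 -> XML -> dict of the six fields, treating the input as untrusted."""
    raw = base64.b64decode(qr_text, validate=True)
    if len(raw) > 4096:
        raise ValueError("payload too large for a certificate")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTDs and entities are not allowed in a certificate payload")
    root = ET.fromstring(raw)
    record = {}
    for name in FIELDS:
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing field: {name}")
        record[name] = node.text.strip()
    return record


def check_against_card(qr: dict, card: dict, today_iso: str) -> list:
    """Offline consistency checks a verifier can run. What they cannot do:
    the payload carries no signature, so a matching, unexpired record only
    shows that the QR agrees with the printed card, not that either is
    genuine; certNum cannot be checked offline without an issuer lookup."""
    issues = [f"{name} mismatch" for name in ("idNum", "fullName", "expirationDate")
              if qr.get(name) != card.get(name)]
    try:
        today = dt.date.fromisoformat(today_iso)
        since = dt.date.fromisoformat(qr["immunedSince"])
        expires = dt.date.fromisoformat(qr["expirationDate"])
    except (KeyError, ValueError):
        return issues + ["unparseable date"]
    if expires <= since:
        issues.append("expiration precedes immunity date")
    if today < since:
        issues.append("not yet valid")
    elif today > expires:
        issues.append("expired")
    return issues


# Constructed sample record: placeholder values, not a real certificate.
SAMPLE_FIELDS = {
    "idType": "1",
    "idNum": "000000018",
    "certNum": "0123abcd",
    "fullName": "ישראל ישראלי",
    "immunedSince": "2021-01-24",
    "expirationDate": "2021-07-24",
}
SAMPLE_QR = make_constructed_qr(SAMPLE_FIELDS)

if __name__ == "__main__":
    parsed = parse_green_pass(SAMPLE_QR)
    print(parsed)
    print(check_against_card(parsed, SAMPLE_FIELDS, "2021-02-21"))  # []
```

The size cap and the DOCTYPE/ENTITY rejection are there because a QR code is attacker-controlled input handed to an XML parser; the rest is bookkeeping. Any real validation of `certNum` would need either an issuer signature over the fields or an online lookup, neither of which the described payload provides.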

Re: Incredibly poor software design costs Citigroup $500M (RISKS-32.50)

“Jim” <>
Sat, 20 Feb 2021 16:48:47 -0800

The interface reminds one of programming a computer from the 1950s by setting the console switches. It probably made sense to the designer, though, because he knew too much about the process. Take-away: Double-check the expert's ideas. (And double-check transactions that represent a large loss.)

Re: Gorilla COVID risks (CNN, RISKS-32.50)

“John Levine” <>
20 Feb 2021 13:36:04 -0500
>  Tourists who take selfies with wild mountain gorillas could put the
>  primates at risk of developing Covid-19, according to new research.

Funny you should mention that. Today's NY Times has a piece on the gorillas at the San Diego Safari Park, the open air annex to the SD Zoo.

The noises of nature sometimes carry broader meanings. The howl of a wolf signifies that wildness endures. The gronk of Canada geese moving south overhead reminds Americans to brace for winter. The sound of a coughing gorilla signals that Covid-19 is an even bigger problem than we thought. …

Re: Spy pixels in emails have become endemic (BBC News)

“John Levine” <>
20 Feb 2021 15:22:30 -0500

Risks of press releases!

If you read the article, you'll see it's actually a thinly rewritten press release for a commercial service that purports to block web bugs, the standard name for what he calls “spy pixels.”

They are annoying and creepy, but they are very much not news. Here's a description of them the EFF published over 20 years ago:

They're also not hard to avoid. Mail programs like Thunderbird only load images from senders who you've marked as friendly. I still use Alpine to read my mail. Since it runs in a terminal window, it doesn't render images at all, just shows you where they are in the message and what they point to.

The least malicious excuse for them I've seen for web bugs is that smart marketers use them to see who is reading their mail, and stop sending mail to people who consistently don't open the message. I'm not sure how persuasive that is, but it does have some plausible benefit.

Oh, and the strangest thing is that in most cases they're completely pointless. Any image in any HTML mail message can be used to track who is opening the mail. (I did some experiments a while back.) Why point an arrow at yourself by using an obvious transparent 1x1 image?
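
John's last point, that any remote image can track an open, is the one a mail client's image policy has to be built around. The following is an added example (not Thunderbird's, Alpine's or the EFF's code) of the triage a client or gateway can do before deciding whether to fetch images: it lists every remote image in a message, since all of them phone home on open, and separately flags the stronger tells, a 1x1 or hidden image and an opaque per-recipient token in the URL. The sample message and hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qsl

# Added example, not Thunderbird's, Alpine's or the EFF's code. Every remote
# image in HTML mail is a potential web bug (it loads when the message is
# opened); the reasons recorded here distinguish the obvious trackers from an
# ordinary banner. The sample message below is constructed; the hostnames are
# placeholders.

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")  # long opaque id in a path or query


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # <img ... /> also arrives here: handle_startendtag defaults to this.
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value: str):
    m = re.match(r"\s*(\d+)", value)  # accepts "1" and "1px"
    return int(m.group(1)) if m else None


def _is_tiny(img: dict) -> bool:
    w, h = _dimension(img.get("width", "")), _dimension(img.get("height", ""))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def _is_hidden(img: dict) -> bool:
    style = img.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _has_opaque_token(url) -> bool:
    if TOKEN_RE.search(url.path):
        return True
    return any(TOKEN_RE.search(k) or TOKEN_RE.search(v)
               for k, v in parse_qsl(url.query, keep_blank_values=True))


def find_tracking_images(html: str) -> list:
    """One record per remote image: src, host and the reasons it looks like a
    tracker (an empty list means 'remote, but nothing beyond that'). Embedded
    cid: and inline data: images never contact a server and are skipped."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        reasons = []
        if _is_tiny(img):
            reasons.append("tiny image")
        if _is_hidden(img):
            reasons.append("hidden by style")
        if _has_opaque_token(url):
            reasons.append("opaque per-recipient token in URL")
        findings.append({"src": src, "host": url.hostname, "reasons": reasons})
    return findings


# Constructed sample: one embedded logo, one plain remote banner, a 1x1 with a
# token, a full-size hero image with a token, and a hidden pixel.
SAMPLE_HTML = """<html><body>
<img src="cid:logo@local" width="200" height="60">
<p>Monthly newsletter</p>
<img src="https://cdn.example.invalid/newsletter/banner.png" width="600" height="200">
<img src="https://track.example.invalid/o/ZmFrZS1yZWNpcGllbnQtaWQtMDAwMQ.gif" width="1" height="1">
<img src="https://img.example.invalid/hero.jpg?u=3f9a2c6e1b7d4f80a9c2e5b6d7f8a9b0" width="600">
<img src="https://track.example.invalid/p.png" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for finding in find_tracking_images(SAMPLE_HTML):
        print(finding["host"], finding["reasons"] or ["remote image, loads on open"])
```

The hero image is the case John describes: full size, visibly part of the newsletter, and still a per-recipient tracker because of the token in its URL. A client that only blocks 1x1 images would load it; one that blocks all remote images by default, as Thunderbird does for unknown senders, does not have to tell the cases apart.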

Re: Japanese contact tracing software: Update on Cocoa bug (Ishikawa, RISKS-32.50)

Anthony Thorn <>
Sun, 21 Feb 2021 10:00:06 +0100

Kyosuke Yamamoto, Asahi, 19 Feb 2021: Japan's defective contact-tracing app COCOA gets bug fix update

Bugs have been fixed in Japan's COVID-19 contact-tracing smartphone app COCOA, the health ministry announced 18 Feb, starting distribution of the updated version the same day. COCOA, introduced to alert users if they come into close contact with someone who has tested positive for COVID-19, had failed to send Android users notifications since the end of last September.

Despite the correction, users still will have to restart the app once a day for it to operate properly.

The new version also fixes two other previously unpublicized bugs, one that kept some iPhone users from getting notifications depending on their OS version, and one that initialized the app on some mobile phones, mostly iPhones, after it had been used for a while.

The ministry had said on 3 Feb 2021 that bugs were not reported among iPhone users.

In announcing the new update, the ministry asked Android users to update their phones to the corrected version and to restart the app once a day, and asked iPhone users to update to the latest iOS 14.
