The RISKS Digest
Volume 32 Issue 60

Saturday, 17th April 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

National Weather Service Internet systems crumbling as key platforms fail
737 MAX recidivus
Rob Slade
Cosmic rays causing 30,000 network malfunctions in Japan each year
The Japan Times
100 Million More IoT Devices Are Exposed and They Won't Be the Last
GPS is endangered by a misguided FCC decision made during the Trump administration
Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021
Zero Day Initiative
A Casino Gets Hacked Through a Fish-Tank Thermometer
Millions of Devices at Risk From NAME:WRECK DNS Bugs
Alex Scroxton
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp
“How can a democracy function if we can't talk to one another?” U.S. justices ask
Texas Man Charged With Planning To Blow Up Ashburn Data Center
Arlington VA Patch
NYPD's Robot Dog Returns to Work, Touching Off a Backlash
The Perils of Overhyping Artificial Intelligence For AI to Succeed, It First Must Be Able to Fail
Foreign Affairs
Microchip security continues to confound Pentagon
‘Miss’taken assumptions lead to plane incident
The Guardian
The UK Is Trying to Stop Facebook's End-to-End Encryption
Coinbase Makes Its Debut—and Bitcoin Arrives on Wall Street
My email account needs blockchain maintenance?
Rob Slade
Scientists studying solar try solving a dusty problem
Plan to install green energy storage on Williamsburg roof raises tenants' ire
Understanding fruit fly behavior may be next step toward autonomous vehicles
Self-driving vehicles
Car and Driver via Richard Stein
Supreme Court & Facebook Unwanted Automated Texts
Consumer Reports
Foreign intel services could abuse ad networks for spying
Henry Baker
NJ town: Our IT vendor ate our e-mails
North Jersey
Loot boxes in video games deemed close enough to gambling to warrant regulation
“Work From Home” being blamed for security risks
Rob Slade
He Built a $10 Billion Investment Firm. It Fell Apart in Days.
Marylanders could soon be fined $100 for intentionally releasing balloons
She called off her Wedding. The Internet will never forget
Scientists Create Online Games to Show Risks of AI Emotion Recognition
Nicola Davis
AI Comes to Car Repair, and Body Shop Owners Aren't Happy
The Foundations of AI Are Riddled With Errors
We tested the first state's vaccine passport: Here's what to expect
Rob Slade
Re: Antiscience Movement Is … Killing Thousands
José María Meteos, Amos Shapir
People Count: Contact-Tracing Apps and Public Health
Susan Landau MIT Press 2021
Info on RISKS (comp.risks)

National Weather Service Internet systems crumbling as key platforms fail (WashPost)

Gabe Goldberg <>
Sun, 4 Apr 2021 21:54:07 -0400

Most of the agency's online systems went down Tuesday, and during last week's tornado outbreak in the South, a vital resource for relaying information crashed

737 MAX recidivus

Rob Slade <>
Sat, 10 Apr 2021 11:52:38 -0700

Some of the planes are grounded because they may not be grounded.

Cosmic rays causing 30,000 network malfunctions in Japan each year (The Japan Times)

Dave Farber <>
Mon, 5 Apr 2021 12:30:51 +0900

The Japan Times, 4 Apr 2021 (Bloomberg)

Nippon Telegraph and Telephone Corp. has found that cosmic rays are causing an estimated 30,000 to 40,000 temporary malfunctions in domestic network communication devices in Japan every year. (Bloomberg)

Most so-called soft errors, or temporary malfunctions, in the firm's hardware are automatically corrected via safety devices, but experts said in some cases they may have led to disruptions.

It is the first time the actual scale of soft errors in domestic information infrastructures has become evident.

Soft errors occur when the data in an electronic device is corrupted after neutrons, produced when cosmic rays hit oxygen and nitrogen in the Earth's atmosphere, collide with the semiconductors within the equipment.

Cases of soft errors have increased as electronic devices with small and high-performance semiconductors have become more common. Temporary malfunctions have sometimes led to computers and phones freezing, and have been regarded as the cause of some plane accidents abroad.

Masanori Hashimoto, professor at Osaka University's Graduate School of Information Science and Technology and an expert in soft errors, said the malfunctions have actually affected other network communication devices and electrical machinery at factories worldwide.

There is a chance that ‘greater issues’ will arise as society's infrastructure becomes ‘more reliant on electronic devices’ that use such technologies as artificial intelligence and automated driving, Hashimoto said.

He emphasized the need for the government and businesses to further research and implement countermeasures.

However, identifying the cause of soft errors and implementing measures against them can be difficult due to them not being reproducible in trials, unlike mechanical failures.

NTT therefore measured the frequency of soft errors through an experiment whereby semiconductors are exposed to neutrons, and concluded there are about 100 errors per day in its domestic servers.

Although NTT did not reveal if network communication disruptions have actually occurred, the company said it was “implementing measures against major issues” and “confirming the quality of the safety devices and equipment design through experiments and presumptions.”
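The "safety devices" that silently correct most of these soft errors are error-correcting codes wrapped around memory and registers. The following Python block is an added illustration, not code from NTT or from the Japan Times report: it implements a single-error-correcting, double-error-detecting (SECDED) Hamming code, corrects one flipped bit in a stored word transparently, and shows the case that can surface as a disruption, two flips in the same word, which the code can detect but not repair. The data word and the flip positions are constructed for the demo.

```python
"""SECDED (single-error-correct, double-error-detect) Hamming code.

Added illustration of how ECC "safety devices" absorb neutron-induced bit
flips; not code from NTT or the article. The data word and the simulated
flip positions are constructed for the demo.
"""


def _num_parity_bits(k):
    """Smallest r with 2**r >= k + r + 1 (Hamming bound for k data bits)."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r


def encode(data_bits):
    """Return a 1-indexed codeword list; index 0 holds the overall parity bit.

    Parity bits sit at power-of-two positions (1, 2, 4, ...); data bits fill
    the remaining positions in order.
    """
    k = len(data_bits)
    r = _num_parity_bits(k)
    n = k + r
    code = [0] * (n + 1)
    data = iter(data_bits)
    for pos in range(1, n + 1):
        if pos & (pos - 1):          # not a power of two -> data position
            code[pos] = next(data)
    for i in range(r):
        p = 1 << i
        # parity bit p covers every position whose binary form has bit p set
        code[p] = sum(code[pos] for pos in range(1, n + 1) if pos & p) % 2
    code[0] = sum(code) % 2          # overall parity makes the bit count even
    return code


def decode(code):
    """Return (data_bits, status); status is 'ok', 'corrected' or 'uncorrectable'."""
    code = list(code)
    n = len(code) - 1
    # XOR of the positions of all set bits: 0 when clean, else the flipped position
    syndrome = 0
    for pos in range(1, n + 1):
        if code[pos]:
            syndrome ^= pos
    overall_parity = sum(code) % 2
    if syndrome == 0 and overall_parity == 0:
        status = "ok"
    elif overall_parity == 1:
        # Odd number of flips: treat as a single flip and repair it. A syndrome
        # of 0 with odd parity means the overall parity bit itself flipped.
        code[syndrome] ^= 1
        status = "corrected"
    else:
        # Even parity with a non-zero syndrome: two flips in one word. The code
        # sees the damage but cannot locate it; this is the case that escapes.
        return None, "uncorrectable"
    data = [code[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return data, status


def flip(code, *positions):
    """Simulate soft errors: return a copy of `code` with the given bits inverted."""
    damaged = list(code)
    for pos in positions:
        damaged[pos] ^= 1
    return damaged


# Constructed sample word (one byte) and some simulated neutron strikes.
SAMPLE_DATA = [1, 0, 1, 1, 0, 0, 1, 0]


def demo():
    code = encode(SAMPLE_DATA)
    return {
        "clean": decode(code),
        "one_flip": decode(flip(code, 5)),
        "parity_bit_flip": decode(flip(code, 0)),
        "two_flips": decode(flip(code, 5, 9)),
    }


if __name__ == "__main__":
    for case, (data, status) in demo().items():
        print(f"{case:16s} {status:14s} {data}")
```

The double-flip case is why the report's "in some cases they may have led to disruptions" is plausible even with ECC everywhere: the hardware raises an uncorrectable-error event and the affected word, or the process using it, has to be discarded.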

100 Million More IoT Devices Are Exposed and They Won't Be the Last (WiReD)

Gabe Goldberg <>
Wed, 14 Apr 2021 19:41:06 -0400

The Name:Wreck flaws in TCP/IP are the latest in a series of vulnerabilities with global implications.

GPS is endangered by a misguided FCC decision made during the Trump administration (WashPost)

Gabe Goldberg <>
Thu, 15 Apr 2021 13:05:27 -0400

The Biden administration has an opportunity to undo a potentially devastating ruling that ignored government-wide, bipartisan criticism.

Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021 (Zero Day Initiative)

geoff goodfellow <>
Wed, 14 Apr 2021 14:06:05 -1000

The 2021 spring edition of Pwn2Own <> hacking contest concluded last week on April 8 with a three-way tie between Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade.

A total of $1.2 million was awarded for 16 high-profile exploits over the course of the three-day virtual event organized by the Zero Day Initiative (ZDI).

Targets with successful attempts included Zoom, Apple Safari, Microsoft Exchange, Microsoft Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop operating systems.

Some of the major highlights are as follows:

The Zoom vulnerabilities <> exploited by Daan Keuper and Thijs Alkemade of Computest Security are particularly noteworthy because the flaws require no interaction of the victim other than being a participant on a Zoom call. What's more, it affects both Windows and Mac versions of the app, although it's not clear if Android and iOS versions are vulnerable as well. […]

A Casino Gets Hacked Through a Fish-Tank Thermometer (Entrepreneur)

Amos Shapir <>
Fri, 16 Apr 2021 17:49:35 +0300

Hackers gain entry to a casino's internal net via a fish tank, and steal list of customers:

Millions of Devices at Risk From NAME:WRECK DNS Bugs (Alex Scroxton)

ACM TechNews <>
Wed, 14 Apr 2021 12:09:28 -0400 (EDT)

Alex Scroxton, Computer Weekly, 13 Apr 2021 via ACM TechNews, 14 Apr 2021

Researchers at cybersecurity provider Forescout Research Labs and Israeli cybersecurity consultancy JSOF discovered nine new Domain Name System (DNS) vulnerabilities that could imperil more than 100 million connected Internet of Things (IoT) devices, at least a third of them located in the UK. Collectively designated NAME:WRECK, the bugs affect four popular Transmission Control Protocol/Internet Protocol (TCP/IP) stacks: FreeBSD, IPnet, Nucleus NET, and NetX. Malefactors who exploit the vulnerabilities in a denial of service or remote code execution attack could disrupt or hijack targeted networks. Forescout's Daniel dos Santos said, “Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks, and so we encourage all organizations to make sure they have the most up-to-date patches for any devices running across these affected IP stacks.”
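The NAME:WRECK bugs sit in the code that decodes DNS names, where RFC 1035 message compression lets one name point back into an earlier part of the packet. The Python block below is an added illustration, not code from Forescout, JSOF or any of the affected stacks: a name decoder that checks every read against the message length, caps label and name lengths at the RFC limits, and requires each compression pointer to target an offset strictly before the previous one so that a chain of pointers cannot loop. The sample messages are constructed for the demo.

```python
"""Bounds-checked DNS name decompression (RFC 1035 section 4.1.4).

Added illustration, not code from Forescout/JSOF or any affected TCP/IP
stack: the checks a name parser needs so that a crafted message cannot make
it read out of bounds or loop forever. Messages are constructed for the demo.
"""

MAX_NAME_LEN = 255   # RFC 1035 limit on an encoded name
MAX_LABEL_LEN = 63   # RFC 1035 limit on one label


class DnsParseError(ValueError):
    """Raised for any message that violates the wire-format rules."""


def read_name(msg, offset):
    """Decode the name at `offset`; return (dotted_name, offset_after_field).

    Every read is checked against len(msg). A compression pointer must point
    strictly before the previous pointer target (initially the name's own
    start), so the sequence of jumps is strictly decreasing and cannot loop.
    """
    labels = []
    encoded_len = 0
    pos = offset
    limit = offset            # the next pointer must target an offset below this
    end_of_field = None       # where the caller resumes after the first pointer
    while True:
        if pos >= len(msg):
            raise DnsParseError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            if pos + 1 >= len(msg):
                raise DnsParseError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end_of_field is None:
                end_of_field = pos + 2
            if target >= limit:
                raise DnsParseError("pointer does not refer to a prior occurrence")
            limit = target
            pos = target
            continue
        if length & 0xC0:
            raise DnsParseError("reserved label type")
        if length == 0:                            # root label: end of name
            if end_of_field is None:
                end_of_field = pos + 1
            break
        if length > MAX_LABEL_LEN:
            raise DnsParseError("label longer than 63 octets")
        if pos + 1 + length > len(msg):
            raise DnsParseError("label runs past end of message")
        encoded_len += 1 + length
        if encoded_len > MAX_NAME_LEN:
            raise DnsParseError("name longer than 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) if labels else ".", end_of_field


def classify(msg, offset):
    """Return 'ok' or 'rejected: <reason>' for a message, never an exception."""
    try:
        read_name(msg, offset)
        return "ok"
    except DnsParseError as exc:
        return f"rejected: {exc}"


# Constructed messages. A 12-byte zero header precedes the name section.
HEADER = bytes(12)
# offset 12: "example.com"; offset 25: "www" followed by a pointer back to 12
SAMPLE_MSG = HEADER + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"
LOOP_MSG = HEADER + b"\x01a\xc0\x0c"          # "a", then a pointer back to itself
OOB_MSG = HEADER + b"\xc0\xff"                # pointer to offset 255, past the end
TRUNC_MSG = HEADER + b"\x05exa"               # label claims 5 octets, 3 present

if __name__ == "__main__":
    print(read_name(SAMPLE_MSG, 12), read_name(SAMPLE_MSG, 25))
    for label, msg in [("loop", LOOP_MSG), ("out-of-bounds", OOB_MSG),
                       ("truncated", TRUNC_MSG)]:
        print(label, classify(msg, 12))
```

The strictly-decreasing pointer rule is deliberately stricter than "target is somewhere earlier in the message": a pointer that targets an earlier offset whose labels lead forward to the pointer again would still loop, and an embedded stack that trusts the top two bits of a length byte without the length check is exactly where an attacker-chosen offset becomes an out-of-bounds read.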

Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027)

geoff goodfellow <>
Wed, 14 Apr 2021 14:00:06 -1000

CENSUS has been investigating for some time now the exploitation potential of Man-in-the-Disk (MitD) [01] vulnerabilities in Android. Recently, CENSUS identified two such vulnerabilities in the popular WhatsApp messenger app for Android [34]. The first of these was possibly independently reported to Facebook and was found to be patched in recent versions, while the second one was communicated by CENSUS to Facebook and was tracked as CVE-2021-24027 [33]. As both vulnerabilities have now been patched, we would like to share our discoveries regarding the exploitation potential of such vulnerabilities with the rest of the community.

In this article we will have a look at how a simple phishing attack through an Android messaging application could result in the direct leakage of data found in External Storage (/sdcard). Then we will show how the two aforementioned WhatsApp vulnerabilities would have made it possible for attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions. With the TLS secrets at hand, we will demonstrate how a man-in-the-middle (MitM) attack can lead to the compromise of WhatsApp communications, to remote code execution on the victim device and to the extraction of Noise [05] protocol keys used for end-to-end encryption in user communications.

Android 10 introduced the scoped storage feature [13], as a proactive defense against these types of attacks. With scoped storage, apps get by default access only to their own content on External Storage. Apps bearing a certain permission [36] can also access content shared by other applications. Finally, full access to External Storage is only granted to special purpose apps (e.g. file managers) that have been audited by Google. Android 11 is the first version to fully enforce the scoped storage rules on all apps, while Android 10 included a permissive mode of operation to provide developers with the needed time to transition to the new file access scheme.

The techniques presented in this article apply to mobile devices running Android versions up to and including Android 9. It is possible to perform similar attacks using file-based access in Android 10, but we have not included these for reasons of brevity. Even without Android 10 in the picture, the number of affected devices remains quite large. Appbrain statistics [35] hint that devices running Android up to and including version 9 may very well constitute a 60% of all devices running Android today. […]

“How can a democracy function if we can't talk to one another?” U.S. justices ask (Reuters)

geoff goodfellow <>
Wed, 14 Apr 2021 14:22:31 -1000

Two U.S. Supreme Court justices from opposite ends of the ideological spectrum are calling on Americans to learn to talk civilly to each other or risk lasting damage to the nation's democratic system.

Speaking in a pre-recorded discussion released on Wednesday, liberal Justice Sonia Sotomayor and conservative Justice Neil Gorsuch both bemoaned the current state of public discourse, which they said was abetted by the spread of disinformation on social media.

The United States in the past year has endured a contentious presidential campaign, former President Donald Trump's false claims of a stolen election, an attack on the U.S. Capitol by a pro-Trump mob and police incidents that triggered protests against racial injustice.

“We have a … very heated debate going on. And that's not necessarily a bad thing, but it can turn into an awful thing, into something that destroys the fabric of our community, if we don't learn to talk to each other,” Sotomayor said. […]

Texas Man Charged With Planning To Blow Up Ashburn Data Center (Arlington VA Patch)

Gabe Goldberg <>
Mon, 12 Apr 2021 18:05:11 -0400

Federal prosecutors have charged Seth Aaron Pendley of Wichita Falls, Texas, with trying to blow up an Amazon data center in Ashburn. […] Last Thursday, Pendley again met with the undercover FBI agent to pick up what he believed to be explosive devices. However, the agent gave Pendley inert devices. After the agent showed Pendley how to arm and detonate the devices, the defendant loaded them into his car, according to the complaint. Pendley was then arrested by FBI agents who monitored the delivery of the inert devices.

Brilliant, give street name and show picture! Fortunately, this one's a moron—but why paint a bull's-eye for someone else?

NYPD's Robot Dog Returns to Work, Touching Off a Backlash (NYTimes)

Gabe Goldberg <>
Thu, 15 Apr 2021 13:04:33 -0400

Deployed at a public housing building, the device drew condemnation as a stark example of police power and misplaced priorities.

A group of police officers marched out of a public housing building in Manhattan on Monday with a man who they said had a gun and had been hiding in an apartment with a woman and her baby.

But it was what came out of the building next that really grabbed attention while feeding into a far-reaching debate about policing in New York: a 70-pound robotic dog outfitted with lights, cameras and artificial intelligence.

The four-legged device had only gone into and out of the building's lobby without playing an active role in the operation, the police said. Still, its mere presence at a public housing building ignited a fierce backlash, with many people condemning it as a stark example of police power and misplaced priorities even as calls to address both roil the United States.

“You can't give me a living wage, you can't raise a minimum wage, you can't give me affordable housing; I'm working hard and I can't get paid leave, I can't get affordable child care,” Representative Jamaal Bowman, a first-term Democrat who represents parts of the Bronx and Westchester County, said in a video posted on Twitter. “Instead we got money, taxpayer money, going to robot dogs?” […]

After the New York police deployed their dog during a hostage situation in the Bronx in February, Representative Alexandria Ocasio-Cortez, a Democrat who represents parts of the borough and Queens, likened the Digidog on Twitter to a ‘robotic surveillance ground’ drone. […]

In response to questions about the robotic dog, the Police Department on Wednesday referred to a February tweet that said New York officers had been using robots for 50 years in hostage situations and hazardous material settings where humans could be in danger. […]

“We're powerless,” she said. “We're like the scapegoats in society. To further read that they are trying it out and testing it out on us — everything that happens bad in our community happens here first.”

Where to start, looking at this nonsense, much of it from people who should know better. Cops use robot dog to avoid putting people in danger, people are hysterical.

The Perils of Overhyping Artificial Intelligence For AI to Succeed, It First Must Be Able to Fail

David Farber <>
Wed, 7 Apr 2021 14:25:57 +0900

Microchip security continues to confound Pentagon (Techxplore)

Richard Stein <>
Sat, 10 Apr 2021 10:22:29 +0800

“The Pentagon is trying to find out how industry does it. The department is writing into the contracts it signs with chip designers and foundries a requirement to provide access to corporate data on assessing chip reliability, according to Brett Hamilton, deputy principal director of the Pentagon's microelectronics office, which is part of the office of the undersecretary for research and engineering.”

Enhanced corporate transparency—disclosure of microelectronic design, test, manufacturing data (test plans, results, design reviews, internal discussions) can reveal issues affecting intellectual property design/publication viability and/or manufactured product reliability.

Over-the-shoulder inspection of commercial operations assumes the looker possesses the subject matter to intelligently assess the content for engineering merit and risk.

When an unaddressed issue materializes in a supplier's product (e.g., a design defect), what action should the product designer or manufacturer, or customer, undertake to mitigate it? Who should pay for the mitigation?

Risk: Risk of risks

‘Miss’taken assumptions lead to plane incident (The Guardian)

Eli the Bearded <*>
Fri, 9 Apr 2021 14:41:24 -0400 (EDT)

An update to the airline's reservation system while its planes were grounded due to the coronavirus pandemic led to 38 passengers on the flight being allocated a child's “standard weight” of 35kg as opposed to the adult figure of 69kg.
This caused the load sheet—produced for the captain to calculate what inputs are needed for take-off—to state that the Boeing 737 was more than 1,200kg lighter than it actually was.
Investigators described the glitch as “a simple flaw” in an IT system. It was programmed in an unnamed foreign country where the title “Miss” is used for a child and “Ms” for an adult female.

The fix is apparently somewhat flawed:

The operator subsequently introduced manual checks to ensure adult females were referred to as ‘Ms’ on relevant documentation.

Risk is bad heuristics instead of asking for needed information (“adult or child?”) from the customers.
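To make the failure concrete, here is an added Python illustration (not the airline's or the vendor's code) of the two ways a load sheet can classify passengers: inferring adult or child from the honorific, as the updated system did, versus using an explicit "adult or child?" answer captured at booking. It also includes an automated form of the operator's manual check, flagging the records where the two disagree. The passenger manifest is constructed, using the article's 35kg child and 69kg adult standard weights, with 38 adult women booked as "Miss".

```python
"""Load-sheet weight estimation: title heuristic vs. an explicit adult/child field.

Added illustration of the failure the investigators describe; not the
airline's or the reservation vendor's code. Passenger records are constructed
here, using the article's 35 kg child and 69 kg adult standard weights.
"""

CHILD_STANDARD_KG = 35
ADULT_STANDARD_KG = 69

# The heuristic as described: a title lookup written for a locale where
# "Miss" denotes a child and "Ms" an adult woman.
TITLE_TO_CATEGORY = {
    "Mr": "adult", "Mrs": "adult", "Ms": "adult",
    "Miss": "child", "Master": "child",
}


def category_from_title(passenger):
    return TITLE_TO_CATEGORY.get(passenger["title"], "adult")


def standard_weight(category):
    return CHILD_STANDARD_KG if category == "child" else ADULT_STANDARD_KG


def total_by_title(passengers):
    """What the updated reservation system did: infer adult/child from the title."""
    return sum(standard_weight(category_from_title(p)) for p in passengers)


def total_by_declared_category(passengers):
    """The alternative: an explicit 'adult or child?' answer recorded at booking."""
    return sum(standard_weight(p["category"]) for p in passengers)


def inconsistent_records(passengers):
    """Automated form of the operator's manual check: records where the title
    heuristic and the declared category disagree, i.e. the records that would
    silently shift the load sheet."""
    return [p for p in passengers if category_from_title(p) != p["category"]]


def build_manifest():
    """Constructed manifest mirroring the incident: 38 adult women booked as 'Miss'."""
    manifest = [{"title": "Miss", "category": "adult"} for _ in range(38)]
    manifest += [{"title": "Mr", "category": "adult"} for _ in range(10)]
    manifest += [{"title": "Master", "category": "child"} for _ in range(2)]
    return manifest


def load_sheet_shortfall(passengers):
    """Kilograms by which the title-based load sheet understates the estimate."""
    return total_by_declared_category(passengers) - total_by_title(passengers)


if __name__ == "__main__":
    m = build_manifest()
    print("by title:", total_by_title(m), "kg; by declared:",
          total_by_declared_category(m), "kg")
    print("shortfall:", load_sheet_shortfall(m), "kg;",
          len(inconsistent_records(m)), "records to review")
```

With the constructed manifest the shortfall is 38 × (69 − 35) = 1,292kg, in line with the "more than 1,200kg" the investigators reported; the explicit category field makes the honorific irrelevant to the weight calculation, and the consistency check catches the locale mismatch before the load sheet reaches the captain.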

The UK Is Trying to Stop Facebook's End-to-End Encryption (WiReD)

Gabe Goldberg <>
Sun, 4 Apr 2021 22:07:01 -0400

The government's latest attack is aimed at discouraging the company from following through with its planned rollout across platforms.

Coinbase Makes Its Debut—and Bitcoin Arrives on Wall Street (WiReD)

Gabe Goldberg <>
Thu, 15 Apr 2021 18:00:33 -0400

All of this means that Coinbase's listing is a little like bitcoin's stock market debut, too. Which is weird, when you think about where bitcoin started. In his 2019 book, Narrative Economics, the Nobel Prize-winning economist Robert Shiller describes the rise of bitcoin as a feat of storytelling. There was the benefit of being the first, he writes, and in the technology's unique independence from authority, which the story held made it a hedge against government collapse and inflation. Others, including Bloomberg's Joe Weisenthal, have gone so far as to call bitcoin a “faith-based” asset. Faith as in religion. It started with its pseudonymous prophet, Satoshi Nakamoto, who compiled the code and vanished. It has code words, a sacred white paper, a ritualistic schedule for ‘halving’ the creations of new blocks on the chain. Yes, all assets require faith. But faith in the dollar is not faith in a physical paper or a coin, it's in the US government. With bitcoin, the faith is in the thing itself, the network that generates the coins and keeps them secure.

The conviction of bitcoin's adherents is important, given the lack of earthly evidence for its value. Bitcoin is scarce, sure, because the code ensures only 21 million bitcoins will ever be created. But that doesn't make it an investible asset on its own. There are limited use cases. Bitcoin can't be spent efficiently, much as people are trying to make that happen. The network in which people place their faith is still somewhat immature, leading to fears that the bitcoin market could be subject to manipulation.

The masses have not been resoundingly faithful to this movement. The mathematical epidemiologist Adam Kucharski, known for his work explaining the transmission of diseases like Covid-19, writes about bitcoin as a form of contagion spread through word of mouth and media mentions. But in network terms, the series of booms and busts reveals a disconnected contagion — an epidemic that flares up but doesn't spread too far. During a frenzy lots of people jump in, and the value rises, for a while, but the overall impact is limited. Recent surveys suggest that fewer than 10 percent of Americans have dabbled in cryptocurrency. About half of those people said they have regrets.

My email account needs blockchain maintenance?

Rob Slade <>
Tue, 13 Apr 2021 14:42:35 -0700

OK, this is a weird one.

I've got what is obviously some type of phishing spam, which reports that my email account needs some kind of blockchain maintenance in order to improve user experience and reduce the rate of spam. (Nice touch.)

Yeah. I'll get on that right away.


Scientists studying solar try solving a dusty problem (

Richard Stein <>
Mon, 5 Apr 2021 21:03:39 +0800

“Solar's getting deployed, but we're losing energy because solar's getting deployed in dusty locations.”

“The energy lost annually from soiling amounts to as much as 7% in parts of the United States to as high as 50% in the Middle East.”

Where's the Rosie, the Jetson's robot maid, when you need her (it)?

The Middle East, during the heat of the day, is dangerous for human health: sunstroke, dehydration, etc. The article mentions a patent that can indicate when to deploy cleanup, which costs ~US$ 5K for a 10MW photovoltaic installation that powers ~2K homes. Sol's photons might be free, but to catch and convert them into power is costly.

Risk: Housekeeping operation expense from dust accumulating on photovoltaic packages (reduced photon to electron conversion efficiency).

Plan to install green energy storage on Williamsburg roof raises tenants' ire (Bklyner)

Gabe Goldberg <>
Tue, 6 Apr 2021 19:25:11 -0400

A proposal to install energy infrastructure on a Williamsburg roof to ease the load on north Brooklyn's power grid faces angry opposition from tenants who say they're being left in the dark.

Risks? Power infrastructure, NIMBY, landlords.

Understanding fruit fly behavior may be next step toward autonomous vehicles (

Richard Stein <>
Wed, 7 Apr 2021 20:38:35 +0800

“With over 70% of respondents to a AAA annual survey on autonomous driving reporting they would fear being in a fully self-driving car, makers like Tesla may be back to the drawing board before rolling out fully autonomous self-driving systems. But new research from Northwestern University shows us we may be better off putting fruit flies behind the wheel instead of robots.”

The essay discusses Drosophila's ability to learn how to navigate an environment (using heat obstacles), and applies the mechanism to simulate a DV's learning ability. The simulation incorporated a genetic algorithm to optimize evolution. It concludes:

“This simulation demonstrated that ‘hard-wired’ vehicles eventually evolved to perform nearly as well as flies. But while real flies continued to improve performance over time and learn to adopt better strategies to become more efficient, the vehicles remain ‘dumb’ and inflexible.” tabulates animal neuron and synapse counts, proxies for learning and intelligence capabilities.

Drosophila have ~250K neurons/10M synapses. Homo sapiens have ~9.0*10^10 neurons/10^14 synapses. Order 10^5 neuron/synapse count difference. A very large neural network simulation applies ~2.5M neurons: “The four biggest challenges in brain simulation,” from 24JUL2019 retrieved from on 07APR2014.

Somewhere in the fly and homo sapien neuroanatomies, there's learning and intelligence capabilities that enable survival, despite individual mistakes.

No telling what size neural network, or how many, are deployed by a commercial DVonics (driverless vehicle-onics) platforms. Clearly, environmental stimulus (obstacles and other conditions) provides valuable input to adjust behavior that minimizes harmful outcome.

Risk: Neural network evolution and representation limits of complex human behaviors (aka common sense and contextual awareness).

Potential news headline: Bug brain beats Buick bot at Daytona 500

Self-driving vehicles

Richard Stein <>
Wed, 7 Apr 2021 11:57:32 +0800

“NHTSA's general and voluntary guidance of emerging and evolutionary technological advancements shows a willingness to let manufacturers and operational entities define safety. We urge NHTSA to lead with detailed guidance and specific standards and requirements,” the letter states.

DV industry self-regulation is a good idea, but organizational overreach introduces significant public health and safety risks that can render spectacular failures (e.g. Boeing 737-MAX). Public embrace of DV fleets summoned from handheld hailing apps will not materialize without widespread consumer trust.

Brands earn trust from marketplace performance history (Alka Seltzer, anyone?), often a decades-long endeavor consisting of public trial and error, and sometimes spectacular failures that sadly teach and refine regulations affecting product design, engineering and manufacturing. These incidents comprise the technological equivalent of Niles Eldredge and Stephen J. Gould's punctuated evolution.

“One of the NTSB's concerns is the testing of potential autonomous-driving technology on public roads without any sort of standard methodology for NHTSA to track vehicle data. In June 2020, the Department of Transportation (DOT) announced a voluntary Automated Vehicle Transparency and Engagement for Safe Testing (AV TEST) initiative. But without making it compulsory, there's no penalty for failing to report an issue with a test vehicle.”

DV software stacks are apparently opaque about decision logic that affects movement, steering, etc. NHTSA would need to see these logs for post-mortem accident triage. And so would a trial by jury.

Imposing and enforcing mandatory regulations on DV industry products will establish governance accountability that partially balances profit pursuit and public safety trust. Regulatory enforcement will slow DV innovation — the playground will close up—as a trade that enables deployment of stable, though quirky (non-deterministic), DV fleets.

DV technology's safety promise, and public trust, remains to be earned by showing a significant reduction in traffic accidents, injuries, and fatalities. Few elected officials possess the bravado, and enlightened wisdom, to approve local deployments that place their electorates in harm's way. Potentially unrecoverable losses: brand outrage and human casualties represent the DV industry's Darwinian survival challenge.

(The latest reporting about Waymo's Phoenix deployment can be found here: “Angry Residents, Abrupt Stops: Waymo Vehicles Are Still Causing Problems in Arizona,” 31MAR2021

Supreme Court & Facebook Unwanted Automated Texts (Consumer Reports)

Gabe Goldberg <>
Wed, 7 Apr 2021 20:49:49 -0400

The court ruling could open door for a flood of unwanted robocalls and texts on consumers' cell phones

The Supreme Court on Thursday unanimously ruled (PDF) in favor of Facebook in a dispute over whether unwanted text notifications sent by the social media giant violated a 30-year-old federal law designed to protect consumers from abusive telemarketing practices. …

George Slover, senior policy counsel at Consumer Reports, which joined in an amicus brief in the case, says that in winning the case, Facebook has “succeeded in punching a huge loophole in the law's core protection.”

Foreign intel services could abuse ad networks for spying

Henry Baker <>
Wed, 07 Apr 2021 11:40:20 -0700

When a bipartisan group of lawmakers suddenly develops a respect for privacy, I suddenly become suspicious. I can only assume that there was an 'Oh Sh*t' moment(*) that occurred during a classified briefing. The last time I can recall such a bipartisan interest in privacy was the hastily passed “Video Privacy Protection Act (1988)”, when a Supreme Court nominee's video rental preferences became public.

(*) A technical term describing temporary loss of bowel control in a SCIF as a result of receiving disquieting information.

Congress Says Foreign Intel Services Could Abuse Ad Networks for Spying

A group of bipartisan lawmakers asked Google, Twitter, and others about the transfer of bidstream data to foreign entities.

by Joseph Cox April 6, 2021, 1:00pm

A group of bipartisan lawmakers, including the chairman of the intelligence committee, have asked ad networks such as Google and Twitter what foreign companies they provide user data to, over concerns that foreign intelligence agencies could be leveraging them to harvest sensitive information on U.S. users, including their location.

“This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns,” a letter signed by Senators Ron Wyden, Mark Warner, Kirsten Gillibrand, Sherrod Brown, Elizabeth Warren, and Bill Cassidy, reads. The lawmakers sent the letter last week to AT&T, Verizon, Google, Twitter, and a number of other companies that maintain advertisement platforms.

The concerns center around the process of so-called real-time bidding, and the flow of “bidstream” data. Before an advertisement is displayed inside of an app or a browsing session, different companies bid to get their ad into that slot. As part of that process, participating companies obtain sensitive data on the user, even if they don't win the ad placement.

“Few Americans realize that some auction participants are siphoning off and storing ‘bidstream’ data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments,” the letter continued.

Venntel, a government contractor that sells location data to Immigration and Customs Enforcement (ICE) and other law enforcement agencies obtains bidstream data, Motherboard previously reported. Israeli surveillance companies Rayzone and Bsightful also source this sort of data, Forbes reported.

“This is a deeply problematic practice when Western governments are abusing the data flows, and it becomes a national security emergency when these same global advertising companies are not vetting their own partners,” Zach Edwards, a researcher who has closely followed the supply chain of various sources of data, told Motherboard in an online chat.

“It's long overdue for Congress to begin asking the largest tech companies in the world tough questions about their real-time-data-breach technology that underpins global advertising auctions and user data supply chains,” Edwards continued. “Every time a person loads a website or a mobile app, it's likely that their data is being shared with at least dozens of companies, and when that user is interacting with an app or site with banner ads, typically several thousand companies could be receiving data about that visit in order to give those companies ‘the opportunity to bid to show ads to that user.’”

The letter asked the ad companies to name the foreign-headquartered or foreign-majority owned firms that they have provided bidstream data from users in the U.S. to in the past three years. The other companies the lawmakers sent the letter to were Index Exchange, Magnite, OpenX, and PubMatic.

Mark Tallman, assistant professor at the Department of Emergency Management and Homeland Security at the Massachusetts Maritime Academy, told Motherboard in an email that “It's difficult to imagine any policy solution or technical sorcery that can fully ‘secure’ consumers' private data such that applications and platforms can collect it, and the publishing and advertising industries can access it, while guaranteeing that cybercriminals and foreign intelligence agencies will never get it. Our adversaries already know that they can buy (or steal) data from our marketplace that they could only dream of collecting on such a broad swath of Americans twenty years ago.”

In March lawyers filed a class action suit against Google for what they described as selling users' data as part of the real-time bidding process.

NJ town: Our IT vendor ate our e-mails (North Jersey)

danny burstein <>
Thu, 8 Apr 2021 12:06:21 +0000 ()

Loot boxes in video games deemed close enough to gambling to warrant regulation (

Richard Stein <>
Tue, 6 Apr 2021 10:57:10 +0800

“One of the biggest concerns about loot boxes is that they are very often used by children. The researchers suggest that not only do children sometimes spend amounts of money their parents were not expecting, but some show early signs of gambling addiction.”

Risk: Adolescent gambling addiction

Similar to nicotine in cigarettes: once the dopamine starts flowing, it is difficult to stop consumption. (retrieved on 06APR2021) indicates ~0.6 to ~2.5% of population are either problem or pathological gamblers. In the US, that's ~10M people with a gambling problem.

Regulating Internet games for content seems problematic. Product terms of service often include age access restrictions, but enforcement mechanisms (corporate fines, CxO indictment, personal account lockout or exclusions) are challenging to uniformly apply.

“Work From Home” being blamed for security risks

Rob Slade <>
Wed, 7 Apr 2021 12:01:21 -0700

A report from Verizon says that WFH policies are harming information security. However, there doesn't seem to be any evidence of anything harmful happening, and I strongly suspect that the report is yet another opinion survey.

If there is any increase in security threats, I'm sure the real culprits are:

He Built a $10 Billion Investment Firm. It Fell Apart in Days. (NYTimes)

Gabe Goldberg <>
Mon, 5 Apr 2021 16:53:32 -0400

Leverage and inexplicable derivatives, what could go wrong?

Marylanders could soon be fined $100 for intentionally releasing balloons (DCist)

Gabe Goldberg <>
Thu, 8 Apr 2021 20:50:18 -0400

The Balloon Council, a national balloon trade group, supports efforts to prevent balloon releases, but argues that balloon release bans are not the answer.

“It's really people's behavior that needs to change,” Lorna O'Hara, the council's executive director, told WAMU/DCist last year when the balloon bill was first introduced in the Maryland legislature. “Balloons are not the culprit.”

O'Hara said mass balloon releases are not nearly as common as they were in decades past, and she credits education efforts. She said more education is what's needed now, not a balloon release ban. “It's a slippery slope from a release ban to banning the product altogether.”

Several other states already have some sort of balloon release ban in place, including Virginia, which prohibits the release of more than 50 balloons within one hour, subject to a fine of up to $5 per balloon.

Don't pick on innocent balloons, says the Balloon Council, who should know. First they'll ban releasing balloons, then they'll register them, then the ultimate goal—confiscating them.

She called off her Wedding. The Internet will never forget (WiReD)

Gabe Goldberg <>
Wed, 7 Apr 2021 20:45:11 -0400

In 2019, she made a painful decision. But to the algorithms that drive Facebook, Pinterest, and a million other apps, she's forever getting married.

The risk? Too much remembering. Like getting LinkedIn nudges to congratulate dead people on their work anniversaries.

Scientists Create Online Games to Show Risks of AI Emotion Recognition (Nicola Davis)

ACM TechNews <>
Fri, 9 Apr 2021 11:49:55 -0400 (EDT)

Nicola Davis, The Guardian, 4 Apr 2021 via ACM TechNews 9 Apr 2021

Scientists at the U.K.'s University of Cambridge have created, a website where the public can test emotion recognition systems via online games, using their own computer cameras. One game has players make faces to fake emotions in an attempt to fool the systems; another challenges the technology to interpret facial expressions contextually. Cambridge's Alexa Hagerty cited a lack of public awareness of how widespread the technology is, adding that its potential benefits should be weighed against concerns about accuracy, racial bias, and suitability. Hagerty said although the technology's developers claim these systems can read emotions, in reality they read facial movements and combine them with existing assumptions that these movements embody emotions (as in, a smile means one is happy). The researchers said their goal is to raise awareness of the technology and to encourage dialogue about its use.

AI Comes to Car Repair, and Body Shop Owners Aren't Happy (WiReD)

Gabe Goldberg <>
Wed, 14 Apr 2021 19:39:17 -0400

During the pandemic, insurers accelerated the use of automated tools to estimate repair costs. Garage operators say the numbers can be wildly inaccurate.

The Foundations of AI Are Riddled With Errors (WiReD)

Gabe Goldberg <>
Mon, 5 Apr 2021 18:52:45 -0400

The labels attached to images used to train machine-vision systems are often wrong. That could mean bad decisions by self-driving cars and medical algorithms.

We tested the first state's vaccine passport: Here's what to expect (WashPost)

Gabe Goldberg <>
Thu, 15 Apr 2021 17:40:02 -0400

New York's Excelsior Pass has some solid privacy protections. But it's complicated to use and easy to fake.

Vaccine passports could leave us exposed to the “worst of both worlds,” says Cahn: a complicated digital system that puts up new barriers to access businesses, while not actually stopping fraudsters. “Despite its invasiveness, Excelsior Pass won't advance the underlying public health goals it claims to support,” he says.

It isn't clear how wide a problem vaccine passport fraud could become, or how dangerous it would be. Passports could persuade people to let down their guard about masks and other protections. Madison Square Garden, for one, says it wasn't aware of any cases of people trying to enter the venue with an Excelsior Pass that wasn't their own.

“To be clear, Excelsior Pass is a voluntary system that creates a digital copy of a preexisting paper record; it is not a standalone identification document,” said Kristin Devoe, a spokeswoman for Empire State Development, the umbrella organization that created Excelsior Pass. To fight fraud, New York says venues accepting Excelsior Pass are supposed to check people's photo IDs.

But instituting new ID checks at businesses that didn't used to require them creates new social barriers. One senior citizen tester was too old to have a driver's license.


Rob Slade <>
Fri, 9 Apr 2021 11:54:03 -0700

OK, I've presented on Zoom, and Teams, and Meet, and some others during this crisis. And, tomorrow, I'm doing yet another pres, and they are using GoToWebinar (I think. One of the two.) So I asked for a test run.

First off, unlike Zoom and Teams (and unnecessary on Meet) the GoToMeeting link didn't automatically download the app. (A “button,” on the weirdly formatted reminder the system sent, did, so there is obviously some additional stuff in there besides the meeting link.)

When I did get the app installed on the laptop, I got on to the test meeting, but obviously nobody could hear me. Through a variety of testing, involving switching my (one) microphone back and forth between computers, and a phone call, I finally figured out that GoToWebinar (at least) doesn't check or even allow for external microphones (even if you try and get Windows to tell it to). (Except that it would accept the external microphone on my desktop, which has no built-in microphone.) I am hypothesizing that this might be in regard to the extremely tight control that GoToWebinar seems to provide, by default, completely cutting off presenters from any form of contact with attendees.

We did, eventually, figure out a kludge, where I could run the slides and set up the microphone on my desktop, and simply use the laptop for the Webcam so people could see me. However, they finally decided nobody needed to see me (which is no great loss).

Isn't videoconferencing fun? (NOT!)

Re: Antiscience Movement Is … Killing Thousands (RISKS-32.59)

José María Mateos <>
Mon, 5 Apr 2021 20:33:06 -0400

I had just finished reading “The Revolt of the Public and the Crisis of Authority in the New Millennium” by Martin Gurri (; I started reading it after Matt Taibbi brought it to my attention in this article

While I found the book to be worse than I expected (there are a few factual errors I could catch, and it can definitely be way shorter), the thesis is interesting. It can be summarized pretty closely by that quote by Henry or in the author's own words (opening of Chapter 5): “My story—I repeat — concerns the tectonic collision between a public which will not rule and institutions of authority progressively less able to do so.”

The “will not rule” is a very important part of the thesis: the public is protesting (yes, against the elites), but there's no apparent long-term plan. Echoes of January 6th, in South Park form:

1. Storm the Capitol. 2. ??? 3. Victory!

José María (Chema) Mateos ||

Re: Antiscience Movement Is … Killing Thousands (RISKS-32.59)

Amos Shapir <>
Mon, 5 Apr 2021 11:52:52 +0300

Henry Baker's reply is a serious analysis, but it seems to be more about anti-economism than antiscience.

I think that the original article was about the attitude made popular lately by interest groups, which debases science by using any scientific division or debate (which is the lifeline of science) as an excuse to claim “these so-called ‘experts’ don't know what they're talking about!”.

Such attitudes, about any subject related to science—moon landings, climate change, vaccines, 5G—are often manifested by declarations like “We don't care that these elitist scientists had spent years studying their fields, relying on data gathered by thousands of people who went to the ends of the Earth to collect it; WE have read an internet article!”

People Count: Contact-Tracing Apps and Public Health (Susan Landau, MIT Press 2021)

Peter G Neumann <>
Sat, 17 Apr 2021 13:22:58 PDT

This is a rather short new book that nevertheless manages to nontrivially address diverse privacy-relevant topics including pandemics, the role of contact tracing in ending disease, how the apps work, and the policy issues of efficacy and equity.

<> Susan Landau <>

Please report problems with the web pages to the maintainer