The RISKS Digest
Volume 32 Issue 61

Friday, 23rd April 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Two people killed in fiery Tesla crash with no one driving
Sundry sources
Israel appears to confirm it carried out cyberattack on Iran nuclear facility
The Guardian
Blackout in China's Xinjiang region caused almost half of the bitcoin network to go offline for 48 hours
Twitter via geoff goodfellow
U.S. Unveils 100-day Plan to Avoid “Going Dark”
Henry Baker
Data Integrity
Dan Geer
They Hacked McDonald's Ice Cream Machines—and Started a Cold War
U.S. and Japan to invest $4.5bn in next-gen 6G race with China
Nikkei Asia
Jaguar Land Rover to suspend output due to chip shortage
BBC News
Bitcoin Plunges in Biggest Intraday Drop Since February
IBM Clarifies Stance On Developers Working On Open-Source Projects In Off-Hours
Grey-hat “security research,” Linux, and U of Minnesota
Rob Slade
A growing problem of ‘deepfake geography’: How AI falsifies satellite images
In bot we trust: People put more faith in computers than other humans
The Incredible Rise of North Korea's Hacking Army
The New Yorker
$40,000 Swindle Puts Spotlight on Literary Prize Scams
Processes changing for redacting documents
Chesterfield County VA
Victory for Fair Use: The Supreme Court Reverses the Federal Circuit in Oracle v. Google
Michael Barclay
What's Really in Your Water?
Scientific American
Water Safety That Uses Your Mussels
nowiknow via Gabe Goldberg
Stealthy Dopant-Level Hardware Trojans
IACR paper via Rob Slade
The Postal Service is running a ‘covert operations program’ that monitors Americans' social media posts
Yahoo! item via Lauren Weinstein
The Pandemic Proved That Our Toilets Are Crap
Space Junk Removal Is Not Going Smoothly
Scientific American
Re: We tested the first state's vaccine passport: Here's what to expect
John Levine
Re: Miss'taken assumptions lead to plane incident
David Lesher
Election Systems, Security, and the Future
Rebecca Mercuri
Infosec Ethics—VSS, 4 May 2021
Rob Slade
Info on RISKS (comp.risks)

Two people killed in fiery Tesla crash with no one driving (Sundry sources)

geoff goodfellow
Sun, 18 Apr 2021 09:19:13 -1000

Authorities said it took four hours to extinguish the fire

Authorities in Texas say two people were killed when a Tesla with no one in the driver's seat crashed into a tree and burst into flames, Houston television station KPRC 2 reported.

The cause of the crash, which happened at about 9PM local time in Spring, Texas (near Houston), is under investigation. According to KHOU in Houston, first responders had to use 30,000 gallons of water over four hours to put out the fire, as the Tesla's battery kept reigniting. Authorities tried to contact Tesla for advice on putting out the fire; it's not clear whether they received any response.

Two men dead after fiery crash in Tesla Model S.

“[Investigators] are 100-percent certain that no one was in the driver seat driving that vehicle at the time of impact,” Harris County Precinct 4 Constable Mark Herman said. “They are positive.” #KHOU11 — Matt Dougherty (@MattKHOU) April 18, 2021

Preliminary reports suggest the car was traveling at a high rate of speed and failed to make a turn, then drove off the road into a tree. One of the men killed was in the front passenger seat of the car, the other was in the back seat, according to KHOU. Harris County Precinct 4 Constable Mark Herman told KPRC that “no one was driving” the fully-electric 2019 Tesla at the time of the crash. It's not yet clear whether the car had its Autopilot driver assist system activated. […]

Israel appears to confirm it carried out cyberattack on Iran nuclear facility (The Guardian)

Dave Farber
Mon, 12 Apr 2021 09:03:50 +0900

Blackout in China's Xinjiang region caused almost half of the bitcoin network to go offline for 48 hours

geoff goodfellow
Sun, 18 Apr 2021 10:37:29 -1000

U.S. Unveils 100-day Plan to Avoid “Going Dark”

Henry Baker
Tue, 20 Apr 2021 21:48:55 -0700

Perhaps end2end encryption might help? Just a suggestion… ;-) ;-)

Michael Riley and Jamie Tarabay, Bloomberg, 20 Apr 2021

U.S. Unveils Plan to Protect Power Grid From Foreign Hackers

The White House unveiled on Tuesday a 100-day plan intended to protect the U.S. power grid from cyber-attacks, mainly by creating a stronger relationship between U.S. national security agencies and the mostly private utilities that run the electrical system.

The plan is among the first big steps toward fulfilling the Biden administration's promise to urgently improve the country's cyber-defenses. The nation's power system is both highly vulnerable to hacking and a target for nation-state adversaries looking to counter the U.S. advantage in conventional military and economic power.

“The United States faces a well-documented and increasing cyber-threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” Secretary of Energy Jennifer Granholm said.

Although the plan is billed as a 100-day sprint—which includes a series of consultations between utilities and the government—it will likely take years to fully implement, experts say. It will ask utilities to pay for and install technology to better detect hacks of the specialized computers that run the country's power systems, known as industrial control systems.

The Edison Electric Institute, the trade group that represents all U.S. investor-owned electric companies, praised the White House plan and the Biden administration's focus on cybersecurity. “Given the sophisticated and constantly changing threats posed by adversaries, America's electric companies remain focused on securing the industrial control systems that operate the North American energy grid,” said EEI president Tom Kuhn.

While an early draft had proposed helping small utilities and rural co-ops pay for the new monitoring, the final version is more vague about whether the money will come from the federal government or be passed to customers in the form of higher utility bills. Large utilities often have sophisticated security teams and pay for cutting edge monitoring technology, but it's unclear how enthusiastically smaller utilities will take on the cost of additional security.

The government will take suggestions from utilities within 21 days about ways to incentivize participation in the voluntary effort, according to details of the plan described by a person familiar with it.

The final plan also drops the draft's proposal for enhancing supply chain security for grid components by calling for a list of recommended equipment vendors. Now, the administration plans to ask utilities for suggestions for improvement.

Experts say initiatives to enhance the security of the U.S. electrical grid are years behind better-known efforts to shield data centers and corporate systems. At the same time, hackers from Russia, China, Iran and North Korea are launching increasingly aggressive attacks on U.S. power companies, hoping to install malware that could leave cities and towns in the dark.

Under the new plan, owners and operators of electricity networks are now expected to “enhance their detection, mitigation and forensic capabilities,” according to the Department of Energy statement. They would also need to share information with the federal government if something happens to their systems. Priority sites will need to identify and report their technology capabilities, gaps and requirements within 45 days of the launch.

CISA, the Cybersecurity and Infrastructure Security Agency, will establish a team of government and agency representatives to coordinate analysis between the government and private sector.

“The safety and security of the American people depend on the resilience of our nation's critical infrastructure,” said acting CISA director Brandon Wales, in a statement. The partnership would “prove a valuable pilot as we continue our work to secure industrial control systems across all sectors.”

— With assistance by Shaun Courtney, and Josh Saul

Data Integrity (Dan Geer)

Peter Neumann
Thu, 22 Apr 2021 10:41:14 PDT

“Business decision makers no longer have to deal with information along a previously believed continuum of certitude; Through a Glass Darkly, but rather can see clearly the demarcations where information is useful and not useful.
The rapid digitalization of business processes has caused a greater need for accurate data as there are no longer humans further upstream in the process to keep the low-quality data from infecting the automated business decision process. Now is the time to align the ordinal scales of jurisprudence and accounting with each other and with like-minded ordinal scales for business processes. We offer a first cut at that necessary advance; we hope that it is sufficient to purpose and self-explanatory, and will allow this advancement in technology to open new markets with innovative products.”

They Hacked McDonald's Ice Cream Machines—and Started a Cold War (WiReD)

Gabe Goldberg
Fri, 23 Apr 2021 00:44:50 -0400

Secret codes. Legal threats. Betrayal. How one couple built a device to fix McDonald’s notoriously broken soft-serve machines—and how the fast-food giant froze them out.

Right to repair, revisited—at McDonald's.

U.S. and Japan to invest $4.5bn in next-gen 6G race with China (Nikkei Asia)

Dave Farber
Mon, 19 Apr 2021 13:30:16 +0900

TOKYO/WASHINGTON—U.S. President Joe Biden and Japanese Prime Minister Yoshihide Suga have agreed to jointly invest $4.5 billion for the development of next-generation communication known as 6G, or “beyond 5G.”

The two countries will invest in research, development, testing, and deployment of secure networks and advanced information and communications technology, according to a fact sheet released after the two leaders met in Washington on Friday.

“The United States has committed $2.5 billion to this effort, and Japan has committed $2 billion,” it said.

The call for “secure and open” 5G networks, including advancing Open Radio Access Networks (Open-RAN), reflects the leaders' intent of creating an alternative to a China-led communications network.

Open-RAN is an open-source platform where network operators can mix and match hardware from different vendors, without having to own entire systems of antennas and base stations.

As of now, Chinese companies such as Huawei Technologies and ZTE hold a roughly 40% share of base stations. European players Ericsson and Nokia, as well as South Korea's Samsung Electronics are the other heavyweights, together accounting for a 90% market share. American and Japanese enterprises lag behind.

In terms of 5G patents, U.S. leader Qualcomm owns roughly 10%—on par with Huawei—but Japan's top player NTT Docomo only has about 6%.

The Chinese leadership under President Xi Jinping gained confidence after catching up with advanced countries in the 5G development race. Now it is determined to repeat the success in sixth-generation technology. The new five-year plan adopted at the National People's Congress, China's parliament, in March also included the development of 6G.

Japanese government officials lament the country's late start in the 5G race. “Even if we had better technology, we couldn't win the race to win market share,” one official said.

To avoid the same mistake, Tokyo is determined to play on the international field from the get-go in 6G. With a goal to elevate Japan's share of patents to 10%, a joint industry-government-academia organization was set up late last year.

Japan believes that global standards setting will be crucial to the development of next-gen communications, and therefore sees cooperation with the U.S. to help in this regard.

One of the goals stated in the fact sheet is to extend the U.S.-Japan cooperation on communications to “third-countries” to promote secure connectivity. Adding partners to the U.S.-Japan led initiative should help in the competition with China to set global standards.

The fact sheet also advocated cooperation on sensitive supply chains, including semiconductors. Here the response in the Japanese industry is divided.

One official at a chipmaker welcomed the announcement, saying that if the governments prepare subsidies to strengthen supply chains in like-minded countries, it could bring down the cost to establish facilities inside Japan.

But an official at a chip-manufacturing equipment maker said, “if the U.S. expands sanctions on China, it will be difficult to grow our business in China,” which is a major market for Japanese equipment makers.

Yuichi Koshiba, managing director and partner at Boston Consulting Group in Tokyo, said extensive government intervention in the chip market would have a negative effect on the industry. “Governments should not try to control global supply chains to fit their own country's interests,” he said.

Jaguar Land Rover to suspend output due to chip shortage (BBC News)

Gabe Goldberg
Thu, 22 Apr 2021 13:33:40 -0400

Jaguar Land Rover (JLR) is shutting its two main car factories temporarily due to a shortage of computer chips.

The difficulties at Britain's biggest carmaker echo similar problems at other manufacturers, including Ford, who have been hit by a global shortage of chips.

JLR said there would be a “limited period” of closure at its Halewood and Castle Bromwich sites from Monday.

A mixture of strong demand and Covid shutdowns at chipmakers has also hit phone, TV and video games companies.

Tata-owned JLR said in a statement: “We have adjusted production schedules for certain vehicles which means that our Castle Bromwich and Halewood manufacturing plants will be operating a limited period of non-production from Monday 26th April.”

“We are working closely with affected suppliers to resolve the issues and minimise the impact on customer orders wherever possible.” Production at a third factory, at Solihull, will continue.

Bitcoin Plunges in Biggest Intraday Drop Since February (Bloomberg)

David Farber
Sun, 18 Apr 2021 17:39:32 +0900

Shamim Adam and Emily Barrett, Bloomberg, 18 Apr 2021

Bitcoin sinks as much as 15% days after hitting record

Bitcoin Plunges in Biggest Intraday Drop Since February

IBM Clarifies Stance On Developers Working On Open-Source Projects In Off-Hours (Phoronix)

Gabe Goldberg
Fri, 23 Apr 2021 15:48:57 -0400

Earlier this week was a surprising Linux kernel networking commit that removed an IBM engineer as one of the driver maintainers for the IBM Power SR-IOV Virtual NIC driver. Seemingly at issue with this VNIC driver work was the developer using his personal email address in working on the driver in his off-hours. IBM has now clarified their stance on such work.

The VNIC maintainer updating patch yielded much attention for carrying the following quoted message, “As an IBM employee, you are not allowed to use your gmail account to work in any way on VNIC. You are not allowed to use your personal email account as a “hobby”. You are an IBM employee 100% of the time. Please remove yourself completely from the maintainers file. I grant you a 1 time exception on contributions to VNIC to make this change.”

IBM has now reached out to Phoronix to provide further comment. They shared that contrary to the Git commit, “IBM promotes and encourages engagement in the Linux open source community regardless whether an IBM email ID or a personal email ID is used.”

When asked about this specific situation that portrays the direct opposite of their communication, Todd Moore, VP Open Technology at IBM explained: “We respect our developer's need to be individuals, and their open source code contributed under a personal ID represents them and their resume. This was a one off disagreement that should not have gone public as there are internal guidelines to resolve it. Often our contributors will have a personal GitHub ID and an IBM GitHub ID. We use tooling to track contributions under both IDs to ensure everyone gets credit towards our recognition program. We value and encourage contribution whether it be code, code reviews, documentation, issue triage, or advocacy as part of their careers or their own time.”

Someone speculated: “Interesting … I believe that there is more to this than meets the eye as the IBM employee changed his eMail from IBM to Gmail just three days before receiving this reprimand. Very likely some kind of disagreement between his employee and his idiot manager. This appears to be an open source project that is owned/sponsored by IBM (all contributors have an IBM eMail address) and working on this project (IBM Power network driver) was a part of his job.”

Idiot managers are always a risk.

Grey-hat “security research,” Linux, and U of Minnesota

Rob Slade
Thu, 22 Apr 2021 11:51:51 -0700

This is a big and messy fight, with a lot of points to make about how we should, and shouldn't, conduct security.

A particular program in the University of Minnesota Department of Computer Science and Engineering is run by professor Kangjie Lu. At least two students from this program, apparently with the knowledge of the professor, have been submitting what they refer to as “hypocrite commits” to the core Linux repository. (In other words, some form of malware, at least in terms of the code not being what it purports to be.)

This type of thing is not exactly new. We know of, and use, red team attacks, and pen tests of various types. No less a luminary than Fred Cohen initially thought that teaching students to write viruses could be beneficial (although he later changed his mind when he found that the students weren't learning all that much about security from the exercise). The University of Calgary had a virus writing program at one time (with somewhat less control).

But this attempt, while addressing a slightly different aspect of the concept behind “Reflections on Trusting Trust” and supply chains, seems to have both fewer controls, and potentially much greater consequences (as well as a pretty massive disregard for the work of the Linux volunteers and users all over the world). The students involved seem to have offered some half-hearted apologies over the issue.

For more details:

The next VanTUG Security Series meeting (details of series: , meeting link for 4 May 2021, 7 pm [PDT] meeting: ) is on the topic of “Infosec Ethics,” so this issue is a bit of a gift, and will be used as one of the main “case studies” for discussion.

A growing problem of ‘deepfake geography’: How AI falsifies satellite images

Richard Stein
Thu, 22 Apr 2021 11:45:40 +0800

“But with the prevalence of geographic information systems, Google Earth and other satellite imaging systems, location spoofing involves far greater sophistication, researchers say, and carries with it more risks. In 2019, the director of the National Geospatial Intelligence Agency, the organization charged with supplying maps and analyzing satellite images for the U.S. Department of Defense, implied that AI-manipulated satellite images can be a severe national security threat.”

Risk: Map source corroboration and authentication.

In bot we trust: People put more faith in computers than other humans (StudyFinds)

geoff goodfellow
Sat, 17 Apr 2021 08:07:14 -1000

Do you find yourself reaching for the calculator, even for the really simple math problems? There's a lot of concern these days that technology, like artificial intelligence, is too smart for its own good. Despite fear over how intrusive these algorithms are becoming, a new study finds people are actually more willing to trust a computer than their fellow man.

Researchers at the University of Georgia say this is especially true when people find tasks too challenging to handle alone. However, it's not just the “heavy lifting” humans are running to computers for help with. From choosing the next song in the playlist to finding better fitting pants, algorithms are making more and more of the daily decisions in people's lives—whether they realize it or not.

“Algorithms are able to do a huge number of tasks, and the number of tasks that they are able to do is expanding practically every day,” says Eric Bogert, a Ph.D. student in the Terry College of Business Department of Management Information Systems, in a university release. “It seems like there's a bias towards leaning more heavily on algorithms as a task gets harder and that effect is stronger than the bias towards relying on advice from other people.”

Letting the computer do the work

Researchers evaluated the responses of 1,500 individuals tasked with counting the people in a series of photographs. The team also supplied participants with suggestions on how to do this, generated either by other people or computer algorithms. […]

The Incredible Rise of North Korea's Hacking Army (The New Yorker)

Peter Neumann
Tue, 20 Apr 2021 10:41:00 PDT

The country's cyberforces have raked in billions of dollars for the regime by pulling off schemes ranging from ATM heists to cryptocurrency thefts. Can they be stopped?

$40,000 Swindle Puts Spotlight on Literary Prize Scams (NYTimes)

Gabe Goldberg
Sun, 18 Apr 2021 13:56:50 -0400

The organizers of at least five British awards received emails asking them to transfer prize money to a PayPal account. One of them paid out.

Processes changing for redacting documents (Chesterfield County VA)

Joe Finnegan
Tue, 20 Apr 2021 11:52:47 -0400

Yesterday's note from the Superintendent of Chesterfield County, Virginia, Public Schools.

Redaction, again.

Begin forwarded message:

- - - - - - - - - - -

> From: Chesterfield County Public Schools
> Subject: Processes changing for redacting documents
> Date: April 19, 2021 at 12:05:22 EDT
> CCPS UPDATE: Dear Team Chesterfield families,

We recently learned of a defect in a redacted document that allowed one citizen to access what was thought to be blacked-out student and staff names. We share concerns that approximately 575 students and 400 staff names were made accessible as a result of an inadvertent software application error that allowed a citizen to see the student names that were underneath the redaction.

After being made aware that the names of COVID-positive students and staff members listed in a contact-tracing spreadsheet required by the Virginia Department of Health could be accessed, we immediately began to investigate the concern. The citizen who received the defective document said they immediately destroyed it after recognizing the defect and notified the school division.

Other redacted public records provided in compliance with Virginia Freedom of Information Act, the state’s open records law, are being reviewed. We are in the process of reaching out to the U.S. Department of Education's Student Privacy Policy Office for additional guidance. We will be in contact with affected families as appropriate.

We are sorry that this technical error occurred, and already have taken appropriate steps to change our practice on how information is redacted moving forward.

Superintendent, Chesterfield County Public Schools

Victory for Fair Use: The Supreme Court Reverses the Federal Circuit in Oracle v. Google (Michael Barclay)

Dewayne Hendricks
April 11, 2021 19:50:50 JST

[via Dave Farber]

Michael Barclay, EFF, 5 Apr 2021

In a win for innovation, the U.S. Supreme Court has held that Google's use of certain Java Application Programming Interfaces (APIs) is a lawful fair use. In doing so, the Court reversed the previous rulings by the Federal Circuit and recognized that copyright only promotes innovation and creativity when it provides breathing room for those who are building on what has come before.

This decision gives more legal certainty to software developers' common practice of using, re-using, and re-implementing software interfaces written by others, a custom that underlies most of the Internet and personal computing technologies we use every day.

To briefly summarize over ten years of litigation: Oracle claims a copyright on the Java APIs—essentially names and formats for calling computer functions—and claims that Google infringed that copyright by using (reimplementing) certain Java APIs in the Android OS. When it created Android, Google wrote its own set of basic functions similar to Java (its own implementing code). But in order to allow developers to write their own programs for Android, Google used certain specifications of the Java APIs (sometimes called the “declaring code”).

APIs provide a common language that lets programs talk to each other. They also let programmers operate with a familiar interface, even on a competitive platform. It would strike at the heart of innovation and collaboration to declare them copyrightable.

EFF filed numerous amicus briefs in this case explaining why the APIs should not be copyrightable and why, in any event, it is not infringement to use them in the way Google did. As we've explained before, the two Federal Circuit opinions are a disaster for innovation in computer software. Its first decision—that APIs are entitled to copyright protection—ran contrary to the views of most other courts and the long-held expectations of computer scientists. Indeed, excluding APIs from copyright protection was essential to the development of modern computers and the Internet.

Then the second decision made things worse. The Federal Circuit's first opinion had at least held that a jury should decide whether Google's use of the Java APIs was fair, and in fact a jury did just that. But Oracle appealed again, and in 2018 the same three Federal Circuit judges reversed the jury's verdict and held that Google had not engaged in fair use as a matter of law.

Fortunately, the Supreme Court agreed to review the case. In a 6-2 decision, Justice Breyer explained why Google's use of the Java APIs was a fair use as a matter of law. First, the Court discussed some basic principles of the fair use doctrine, writing that fair use “permits courts to avoid rigid application of the copyright statute when, on occasion, it would stifle the very creativity which that law is designed to foster.”

Furthermore, the court stated:

Fair use “can play an important role in determining the lawful scope of a computer program copyright . . . It can help to distinguish among technologies. It can distinguish between expressive and functional features of computer code where those features are mixed. It can focus on the legitimate need to provide incentives to produce copyrighted material while examining the extent to which yet further protection creates unrelated or illegitimate harms in other markets or to the development of other products.”

In doing so, the decision underlined the real purpose of copyright: to incentivize innovation and creativity. When copyright does the opposite, fair use provides an important safety valve.

Justice Breyer then turned to the specific fair use statutory factors. Appropriately for a functional software copyright case, he first discussed the nature of the copyrighted work. The Java APIs are a “user interface” that allow users (here the developers of Android applications) to “manipulate and control” task-performing computer programs. The Court observed that the declaring code of the Java APIs differs from other kinds of copyrightable computer code—it's “inextricably bound together” with uncopyrightable features, such as a system of computer tasks and their organization and the use of specific programming commands (the Java “method calls”). As the Court noted:

Unlike many other programs, its value in significant part derives from the value that those who do not hold copyrights, namely, computer programmers, invest of their own time and effort to learn the API's system. And unlike many other programs, its value lies in its efforts to encourage programmers to learn and to use that system so that they will use (and continue to use) Sun-related implementing programs that Google did not copy.

Thus, since the declaring code is “further than are most computer programs (such as the implementing code) from the core of copyright,” this factor favored fair use.

Justice Breyer then discussed the purpose and character of the use. Here, the opinion shed some important light on when a use is “transformative” in the context of functional aspects of computer software, creating something new rather than simply taking the place of the original. Although Google copied parts of the Java API “precisely,” Google did so to create products fulfilling new purposes and to offer programmers “a highly creative and innovative tool” for smartphone development. Such use “was consistent with that creative ‘progress’ that is the basic constitutional objective of copyright itself.”

The Court discussed “the numerous ways in which reimplementing an interface can further the development of computer programs,” such as allowing different programs to speak to each other and letting programmers continue to use their acquired skills. The jury also heard that reuse of APIs is common industry practice. Thus, the opinion concluded that the “purpose and character” of Google's copying was transformative, so the first factor favored fair use.

Next, the Court considered the third fair use factor, the amount and substantiality of the portion used. As a factual matter in this case, the 11,500 lines of declaring code that Google used were less than one percent of the total Java SE program. And even the declaring code that Google used was to permit programmers to utilize their knowledge and experience working with the Java APIs to write new programs for Android smartphones. Since the amount of copying was “tethered” to a valid and transformative purpose, the “substantiality” factor favored fair use.

Finally, several reasons led Justice Breyer to conclude that the fourth factor, market effects, favored Google. Independent of Android's introduction in the marketplace, Sun didn't have the ability to build a viable smartphone. And any sources of Sun's lost revenue were a result of the investment by third parties (programmers) in learning and using Java. Thus, “given programmers' investment in learning the Sun Java API, to allow enforcement of Oracle's copyright here would risk harm to the public. Given the costs and difficulties of producing alternative APIs with similar appeal to programmers, allowing enforcement here would make of the Sun Java API's declaring code a lock limiting the future creativity of new programs.” This “lock” would interfere with copyright's basic objectives.

What's Really in Your Water? (Scientific American)

Richard Stein
Mon, 19 Apr 2021 11:11:51 +0800

“The intention is to implement this new water test into a format that nonscientists can easily use; one that is affordable and gives results within an hour for those who need them most. The technology is far from ready to sell; there is still much work to do to ensure that the lead tests are maximally user friendly.”

“These tests are different because they harness the power of naturally occurring sensors from biology. Using tools from the nascent field of synthetic biology, the sensors can be programmed to change color when a target chemical is present in water.”

Imbibing in a clean sip of water is a human right (see “The Human Right to Water and Sanitation”), but it is jeopardized by many factors: pollution, drought, conflict, corruption, etc.

Testing for chemicals, metals, and organics in municipal water is, or used to be, an exclusive role of governments and their infrastructures. If one cannot trust a government to proactively protect citizen health and safety, why are they elected and empowered?

Enter the consumer to arouse community protests with independent “trust but verify” evaluation to demand neglected mitigation.

Risk: False positive/negative water test pollutant indicators

Water Safety That Uses Your Mussels

Gabe Goldberg <>
Mon, 19 Apr 2021 15:00:50 -0400

With just over half a million people, the Polish city of Poznań is the fifth largest in the nation. Situated on the Warta River, Poznań dates back more than a century, originally built as a fortress to guard access to the waterway. Today, the Warta is still an important part of Poznań and the surrounding areas; it is a major source of drinking water for the nearly 1.5 million people in Poznań's greater metropolitan area.

Which is why these guys are so important.

Yes, those are mussels. And they keep the people of Poznań safe. Risk? Water pollution? Solution? Quick-reaction mollusks.

Stealthy Dopant-Level Hardware Trojans

Rob Slade <>
Mon, 19 Apr 2021 11:06:00 -0700

Interesting new paper:

Very early on, in malware research, we looked at hardware trojans and the limits of the “trusted computing base.” (When I say “early on,” I'm talking about 1988, so I don't know why these guys thought the study didn't start until 2008. Kids. :-)

I also did formal study in gate level circuit design, and worked with companies that were involved with board and chip manufacturing, so I understand some of those parts of the paper.

It's an interesting attack, and, yes, it demonstrates that, when dealing with supply chain and “Reflections on Trusting Trust” issues you have to perform multiple types of checks, and keep on developing new tests as new attacks are created. So, yes, it's a valid attack in the current climate.

It's a pretty specific attack, and would only work on specific types of hardware. Fortunately for the authors of the paper, while the attack is quite specialized, and only works on some applications, those are pretty important applications, since they deal with high-level crypto, most likely for military or intelligence purposes. The attack could be used to create something that would pass basic tests, but would weaken crypto implementations (it's always implementation, isn't it?), and possibly also make the circuitry more susceptible to side channel, covert channel, or related TEMPEST type attacks.

Once known, of course, the attack could be detectable by extending the testing of the results produced by the affected circuitry. But, as I say, it does show that attacks and defence are constantly moving targets, and that the concept of the trusted computing base (and, particularly, supply chain) always needs refining in the real world.

The Postal Service is running a ‘covert operations program’ that monitors Americans' social media posts (Yahoo!)

Lauren Weinstein <>
Wed, 21 Apr 2021 11:03:08 -0700

So while DeJoy is decimating mail delivery, putting millions of Americans at risk from late deliveries—including vital medication prescriptions—the USPS is instead turning into a social media spy agency. Yes, public social media posts are public. But where did USPS obtain this authority? Who controls it? Who oversees it? What happens to the data that they collect? WHY ARE THEY DOING THIS WHILE OUR MAIL DELIVERY IS GOING TO HELL? -L

The Pandemic Proved That Our Toilets Are Crap (WiReD)

Gabe Goldberg <>
Sun, 18 Apr 2021 22:45:43 -0400

The core technologies for sewage systems were developed over a hundred years ago. It's time to get better, healthier updates in the pipeline.

Space Junk Removal Is Not Going Smoothly (Scientific American)

Richard Stein <>
Mon, 19 Apr 2021 18:31:07 +0800

“Despite promising technology demonstrations, there is no one-size-fits-all solution for the growing problem of taking out the orbital trash.”

Good discussion of the orbital junk/trash problem and mitigations. Includes interview quotations from Donald Kessler, the originator of the eponymously named “Kessler Syndrome.”

Would ET start a conflict with Earth over anthropogenic space pollution? They have a right to claim NIMBY too!

Re: We tested the first state's vaccine passport: Here's what to expect (WashPost, RISKS-32.60)

“John Levine” <>
17 Apr 2021 22:37:34 -0400

> New York's Excelsior Pass has some solid privacy protections. But it's
> complicated to use and easy to fake.

I read the article and the [WashPost] author apparently doesn't understand how this thing works.

The pass is a QR code that represents a signed blob of JSON. To get the code, you visit the state's web site and enter a person's name, birthdate, zip code, and the date, location, and type of vaccine. As the article says, you can load it into their app, save it as a picture, or print it out.

The verifier app scans the barcode, checks the signature, and if valid displays a check, the name and DOB, and says “Verify name and date of birth by checking their photo ID.”

The author seems to think since you can load any pass onto any phone that is a fake pass. Well, yeah. While it would be hard for a random stranger to guess my info, I know enough to get my wife's pass and I'd think that roommates or housemates would know enough to get each other's passes, too. Hence the clear instructions to check ID. I doubt that many places will actually check, more likely check that the name and age are plausible for the person.

I don't know how he thinks they would fix this “problem”. I suppose they could try to embed a photo into the barcode, but the code is already so big that it's pushing the limit of what a phone's camera can scan reliably, and I have no idea where the picture would come from unless he wants a far more intrusive system where the vaccination record is tied to your driver's license or something similar. Ugh.

People have odd mental security models, but that shouldn't come as a surprise to any of us.
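
The point of the post above, as an added example that is not part of the original message and not New York's actual code: a valid signature authenticates the contents of the pass, not the person holding the phone, so the photo-ID comparison is what binds the two. HMAC-SHA256 with a constructed demo key stands in for the state's signature scheme, which the post does not describe; the field names, payload layout and sample values are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the issuer's signature scheme,
# which the post does not describe; a real issuer would use a public-key
# signature so the verifier app holds no signing secret.
DEMO_KEY = b"constructed-demo-key"
PROMPT = "Verify name and date of birth by checking their photo ID."

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_pass(name, dob, vaccine, date):
    """Issuer: serialize the claims and append a tag (the QR payload)."""
    claims = json.dumps({"name": name, "dob": dob, "vaccine": vaccine,
                         "date": date}, sort_keys=True).encode()
    tag = hmac.new(DEMO_KEY, claims, hashlib.sha256).digest()
    return b64(claims) + "." + b64(tag)

def scan_pass(payload):
    """Verifier app: return what the screen would show, or None if invalid."""
    try:
        claims_b64, tag_b64 = payload.split(".")
        claims = base64.urlsafe_b64decode(claims_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(DEMO_KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(claims)
    return {"name": data["name"], "dob": data["dob"], "prompt": PROMPT}

def with_changed_name(payload, new_name):
    """Edit the claims without re-signing, as an altered printout would be."""
    claims_b64, tag_b64 = payload.split(".")
    data = json.loads(base64.urlsafe_b64decode(claims_b64))
    data["name"] = new_name
    return b64(json.dumps(data, sort_keys=True).encode()) + "." + tag_b64

def admit(payload, photo_id):
    """Door check: valid signature AND name/DOB matching the photo ID."""
    shown = scan_pass(payload)
    return shown is not None and (shown["name"], shown["dob"]) == (
        photo_id["name"], photo_id["dob"])
```

A pass copied to another phone still scans as valid, because the bytes are unchanged; only `admit`, which includes the ID comparison, tells the holder apart from the person named on the pass.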

Re: Miss'taken assumptions lead to plane incident (RISKS-32.60)

David Lesher <>
Sun, 18 Apr 2021 16:36:48 -0400

[Overseas software/cultural differences lead to loading issues…]

It occurs to me there is another cultural difference that might well alter weight & balance predictions.

What is the “standard weight” of a male AMCIT vs. say a Japanese man the same age, or someone from sub-Saharan Africa?

We already know that the normal assumptions go out the door on an NFL charter; what about WNBA flights, etc?

Election Systems, Security, and the Future

DrM <>
Sun, 18 Apr 2021 15:41:42 -0400

A video of the 15 Apr 2021 joint meeting of the Princeton ACM/IEEE Computer Society's panel session on Election Systems, Security, and the Future has been posted at <>.

The session's meeting description is as follows:

We have survived another contentious election, and most of our election technology seemed to work. But we still have many questions about the future. Do we need to improve the security and resilience of our election systems? Our special panel will hold a discussion of why we can't be complacent. What are some of the risks lurking in our current election technology? What are the most important technical and political issues to be resolved before our next major election? The event was moderated by Chapter Chair Dennis Mancl, with panelists Landon Noll and Rebecca Mercuri, plus a cameo appearance by Peter Neumann.

Infosec Ethics—VSS, 4 May 2021

Rob Slade <>
Wed, 21 Apr 2021 11:25:39 -0700

As part of the VanTUG Security Series (see ) I'll be doing “Infosec Ethics” on 4 May. (Yes, yes, “May the Fourth be with you” and all that.)

I'd like to invite anyone who can to attend, and participate. Because this one in particular is probably going to need some input and discussion. I've got a list of ethics “case studies” as some discussion starters.

Meeting time, May 4, 7 PM (Pacific). Meeting link:
