The RISKS Digest
Volume 32 Issue 61

Friday, 23rd April 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Two people killed in fiery Tesla crash with no one driving
Sundry sources
Israel appears to confirm it carried out cyberattack on Iran nuclear facility
The Guardian
Blackout in China's Xinjiang region caused almost half of the bitcoin network to go offline for 48 hours
Twitter via geoff goodfellow
U.S. Unveils 100-day Plan to Avoid "Going Dark"
Henry Baker
Data Integrity
Dan Geer
They Hacked McDonald's Ice Cream Machines—and Started a Cold War
U.S. and Japan to invest $4.5bn in next-gen 6G race with China
Nikkei Asia
Jaguar Land Rover to suspend output due to chip shortage
BBC News
Bitcoin Plunges in Biggest Intraday Drop Since February
IBM Clarifies Stance On Developers Working On Open-Source Projects In Off-Hours
Grey-hat "security research," Linux, and U of Minnesota
Rob Slade
A growing problem of 'deepfake geography': How AI falsifies satellite images
In bot we trust: People put more faith in computers than other humans
The Incredible Rise of North Korea's Hacking Army
The New Yorker
$40,000 Swindle Puts Spotlight on Literary Prize Scams
Processes changing for redacting documents
Chesterfield County VA
Victory for Fair Use: The Supreme Court Reverses the Federal Circuit in Oracle v. Google
Michael Barclay
What's Really in Your Water?
Scientific American
Water Safety That Uses Your Mussels
nowiknow via Gabe Goldberg
Stealthy Dopant-Level Hardware Trojans
IACR paper via Rob Slade
The Postal Service is running a 'covert operations program' that monitors Americans' social media posts
Yahoo! item via Lauren Weinstein
The Pandemic Proved That Our Toilets Are Crap
Space Junk Removal Is Not Going Smoothly
Scientific American
Re: We tested the first state's vaccine passport: Here's what to expect
John Levine
Re: Miss'taken assumptions lead to plane incident
David Lesher
Election Systems, Security, and the Future
Rebecca Mercuri
Infosec Ethics—VSS, 4 May 2021
Rob Slade
Info on RISKS (comp.risks)

Two people killed in fiery Tesla crash with no one driving (Sundry sources)

geoff goodfellow <>
Sun, 18 Apr 2021 09:19:13 -1000
*Authorities said it took four hours to extinguish the fire*

Authorities in Texas say two people were killed when a Tesla with no one in
the driver's seat crashed into a tree and burst into flames, Houston
television station KPRC 2 reported.

The cause of the crash, which happened at about 9PM local time in Spring,
Texas (near Houston), is under investigation. According to KHOU
in Houston, first responders had to use 30,000 gallons of water over four
hours to put out the fire, as the Tesla's battery kept reigniting.
Authorities tried to contact Tesla for advice on putting out the fire; it's
not clear whether they received any response.

Two men dead after fiery crash in Tesla Model S.

“[Investigators] are 100-percent certain that no one was in the driver seat
driving that vehicle at the time of impact,” Harris County Precinct 4
Constable Mark Herman said. “They are positive.” #KHOU11
-- Matt Dougherty (@MattKHOU) April 18, 2021

Preliminary reports suggest the car was traveling at a high rate of speed
and failed to make a turn, then drove off the road into a tree. One of the
men killed was in the front passenger seat of the car, the other was in the
back seat, according to KHOU. Harris County Precinct 4 Constable Mark
Herman told KPRC that “no one was driving” the fully-electric 2019 Tesla at
the time of the crash. It's not yet clear whether the car had its Autopilot
driver assist system activated.  [...]

  [Also noted by Matthew Kruk.  PGN]

Israel appears to confirm it carried out cyberattack on Iran nuclear facility (The Guardian)

Dave Farber <>
Mon, 12 Apr 2021 09:03:50 +0900

Blackout in China's Xinjiang region caused almost half of the bitcoin network to go offline for 48 hours

geoff goodfellow <>
Sun, 18 Apr 2021 10:37:29 -1000

U.S. Unveils 100-day Plan to Avoid "Going Dark"

Henry Baker <>
Tue, 20 Apr 2021 21:48:55 -0700
Perhaps end2end encryption might help?
Just a suggestion...  ;-)  ;-)

Michael Riley and Jamie Tarabay, Bloomberg,  20 Apr 2021
U.S. Unveils Plan to Protect Power Grid From Foreign Hackers

The White House unveiled on Tuesday a 100-day plan intended to protect the
U.S. power grid from cyber-attacks, mainly by creating a stronger
relationship between U.S. national security agencies and the mostly private
utilities that run the electrical system.

The plan is among the first big steps toward fulfilling the Biden
administration's promise to urgently improve the country's cyber-defenses.
The nation's power system is both highly vulnerable to hacking and a target
for nation-state adversaries looking to counter the U.S. advantage in
conventional military and economic power.

"The United States faces a well-documented and increasing cyber-threat from
malicious actors seeking to disrupt the electricity Americans rely on to
power our homes and businesses," Secretary of Energy Jennifer Granholm said.

Although the plan is billed as a 100-day sprint—which includes a series
of consultations between utilities and the government—it will likely take
years to fully implement, experts say. It will ask utilities to pay for and
install technology to better detect hacks of the specialized computers that
run the country's power systems, known as industrial control systems.

The Edison Electric Institute, the trade group that represents all U.S.
investor-owned electric companies, praised the White House plan and the
Biden administration's focus on cybersecurity. "Given the sophisticated and
constantly changing threats posed by adversaries, America's electric
companies remain focused on securing the industrial control systems that
operate the North American energy grid," said EEI president Tom Kuhn.

While an early draft had proposed helping small utilities and rural co-ops
pay for the new monitoring, the final version is more vague about whether
the money will come from the federal government or be passed to customers in
the form of higher utility bills. Large utilities often have sophisticated
security teams and pay for cutting edge monitoring technology, but it's
unclear how enthusiastically smaller utilities will take on the cost of
additional security.

The government will take suggestions from utilities within 21 days about
ways to incentivize participation in the voluntary effort, according to
details of the plan described by a person familiar with it.

The final plan also drops the draft's proposal for enhancing supply chain
security for grid components by calling for a list of recommended equipment
vendors. Now, the administration plans to ask utilities for suggestions for

Experts say initiatives to enhance the security of the U.S. electrical grid
are years behind better-known efforts to shield data centers and corporate
systems. At the same time, hackers from Russia, China, Iran and North Korea
are launching increasingly aggressive attacks on U.S. power companies,
hoping to install malware that could leave cities and towns in the dark.

Under the new plan, owners and operators of electricity networks are now
expected to "enhance their detection, mitigation and forensic capabilities,"
according to the Department of Energy statement. They would also need to
share information with the federal government if something happens to their
systems. Priority sites will need to identify and report their technology
capabilities, gaps and requirements within 45 days of the launch.

CISA, the Cybersecurity and Infrastructure Security Agency, will establish a
team of government and agency representatives to coordinate analysis between
the government and private sector.

"The safety and security of the American people depend on the resilience of
our nation's critical infrastructure," said acting CISA director Brandon
Wales, in a statement. The partnership would "prove a valuable pilot as we
continue our work to secure industrial control systems across all sectors."

-- With assistance by Shaun Courtney, and Josh Saul

Data Integrity (Dan Geer)

Peter Neumann <>
Thu, 22 Apr 2021 10:41:14 PDT
  "Business decision makers no longer have to deal with information along a
  previously believed continuum of certitude; *Through a Glass Darkly*, but
  rather can see clearly the demarcations where information is useful and
  not useful.

  The rapid digitalization of business processes has caused a greater need
  for accurate data as there are no longer humans further upstream in the
  process to keep the low-quality data from infecting the automated business
  decision process. Now is the time to align the ordinal scales of
  jurisprudence and accounting with each other and with like-minded ordinal
  scales for business processes. We offer a first cut at that necessary
  advance; we hope that it is sufficient to purpose and self-explanatory,
  and will allow this advancement in technology to open new markets with
  innovative products."

  [Thanks to Paul F. Roberts.  PGN]

They Hacked McDonald's Ice Cream Machines—and Started a Cold War (WiReD)

Gabe Goldberg <>
Fri, 23 Apr 2021 00:44:50 -0400
Secret codes. Legal threats. Betrayal. How one couple built a device to fix
McDonald’s notoriously broken soft-serve machines—and how the fast-food
giant froze them out.

Right to repair, revisited—at McDonald's.

U.S. and Japan to invest $4.5bn in next-gen 6G race with China (Nikkei Asia)

Dave Farber <>
Mon, 19 Apr 2021 13:30:16 +0900
TOKYO/WASHINGTON—U.S. President Joe Biden and Japanese Prime Minister
Yoshihide Suga have agreed to jointly invest $4.5 billion for the
development of next-generation communication known as 6G, or "beyond 5G."

The two countries will invest in research, development, testing, and
deployment of secure networks and advanced information and communications
technology, according to a fact sheet released after the two leaders met in
Washington on Friday.

"The United States has committed $2.5 billion to this effort, and Japan has
committed $2 billion," it said.

The call for "secure and open" 5G networks, including advancing Open Radio
Access Networks (Open-RAN), reflects the leaders' intent of creating an
alternative to a China-led communications network.

Open-RAN is an open-source platform where network operators can mix and
match hardware from different vendors, without having to own entire systems
of antennas and base stations.

As of now, Chinese companies such as Huawei Technologies and ZTE hold a
roughly 40% share of base stations. European players Ericsson and Nokia, as
well as South Korea's Samsung Electronics are the other heavyweights,
together accounting for a 90% market share. American and Japanese
enterprises lag behind.

In terms of 5G patents, U.S. leader Qualcomm owns roughly 10%—on par with
Huawei—but Japan's top player NTT Docomo only has about 6%.

The Chinese leadership under President Xi Jinping gained confidence after
catching up with advanced countries in the 5G development race. Now it is
determined to repeat the success in sixth-generation technology. The new
five-year plan adopted at the National People's Congress, China's
parliament, in March also included the development of 6G.

Japanese government officials lament the country's late start in the 5G
race. "Even if we had better technology, we couldn't win the race to win
market share," one official said.

To avoid the same mistake, Tokyo is determined to play on the international
field from the get-go in 6G. With a goal to elevate Japan's share of patents
to 10%, a joint industry-government-academia organization was set up late
last year.

Japan believes that global standards setting will be crucial to the
development of next-gen communications, and therefore sees cooperation with
the U.S. to help in this regard.

One of the goals stated in the fact sheet is to extend the U.S.-Japan
cooperation on communications to "third-countries" to promote secure
connectivity. Adding partners to the U.S.-Japan led initiative should help
in the competition with China to set global standards.

The fact sheet also advocated cooperation on sensitive supply chains,
including semiconductors. Here the response in the Japanese industry is

One official at a chipmaker welcomed the announcement, saying that if the
governments prepare subsidies to strengthen supply chains in like-minded
countries, it could bring down the cost to establish facilities inside

But an official at a chip-manufacturing equipment maker said, "if the
U.S. expands sanctions on China, it will be difficult to grow our business
in China," which is a major market for Japanese equipment makers.

Yuichi Koshiba, managing director and partner at Boston Consulting Group in
Tokyo, said extensive government intervention in the chip market would have
a negative effect on the industry. "Governments should not try to control
global supply chains to fit their own country's interests," he said.

Jaguar Land Rover to suspend output due to chip shortage (BBC News)

Gabe Goldberg <>
Thu, 22 Apr 2021 13:33:40 -0400
Jaguar Land Rover (JLR) is shutting its two main car factories temporarily
due to a shortage of computer chips.

The difficulties at Britain's biggest carmaker echo similar problems at
other manufacturers, including Ford, who have been hit by a global shortage
of chips.

JLR said there would be a "limited period" of closure at its Halewood and
Castle Bromwich sites from Monday.

A mixture of strong demand and Covid shutdowns at chipmakers has also hit
phone, TV and video games companies.

Tata-owned JLR said in a statement: "We have adjusted production schedules
for certain vehicles which means that our Castle Bromwich and Halewood
manufacturing plants will be operating a limited period of non-production
from Monday 26th April.

"We are working closely with affected suppliers to resolve the issues and
minimise the impact on customer orders wherever possible."  Production at a
third factory, at Solihull, will continue.

Bitcoin Plunges in Biggest Intraday Drop Since February (Bloomberg)

David Farber <>
Sun, 18 Apr 2021 17:39:32 +0900
Shamim Adam  and Emily Barrett, Bloomberg, 18 Apr 2021
Bitcoin sinks as much as 15% days after hitting record

IBM Clarifies Stance On Developers Working On Open-Source Projects In Off-Hours (Phoronix)

Gabe Goldberg <>
Fri, 23 Apr 2021 15:48:57 -0400
Earlier this week was a surprising Linux kernel networking commit that
removed an IBM engineer as one of the driver maintainers for the IBM Power
SR-IOV Virtual NIC driver. Seemingly at issue with this VNIC driver work was
the developer using his personal email address in working on the driver in
his off-hours. IBM has now clarified their stance on such work.

The VNIC maintainer updating patch yielded much attention for carrying the
following quoted message, "As an IBM employee, you are not allowed to use
your gmail account to work in any way on VNIC. You are not allowed to use
your personal email account as a "hobby". You are an IBM employee 100% of
the time. Please remove yourself completely from the maintainers file. I
grant you a 1 time exception on contributions to VNIC to make this change."

IBM has now reached out to Phoronix to provide further comment. They shared
that contrary to the Git commit, "IBM promotes and encourages engagement in
the Linux open source community regardless whether an IBM email ID or a
personal email ID is used."

When asked about this specific situation that portrays the direct opposite
of their communication, Todd Moore, VP Open Technology at IBM explained: "We
respect our developer's need to be individuals, and their open source code
contributed under a personal ID represents them and their resume. This was a
one off disagreement that should not have gone public as there are internal
guidelines to resolve it. Often our contributors will have a personal GitHub
ID and an IBM GitHub ID. We use tooling to track contributions under both
IDs to ensure everyone gets credit towards our recognition program. We value
and encourage contribution whether it be code, code reviews, documentation,
issue triage, or advocacy as part of their careers or their own time."

Someone speculated: “Interesting ... I believe that there is more to this
than meets the eye as the IBM employee changed his eMail from IBM to Gmail
just three days before receiving this reprimand. Very likely some kind of
disagreement between his employee and his idiot manager. This appears to be
an open source project that is owned/sponsored by IBM (all contributors have
an IBM eMail address) and working on this project (IBM Power network driver)
was a part of his job.”

Idiot managers are always a risk.

Grey-hat "security research," Linux, and U of Minnesota

Rob Slade <>
Thu, 22 Apr 2021 11:51:51 -0700
This is a big and messy fight, with a lot of points to make about how we
should, and shouldn't, conduct security.

A particular program in the University of Minnesota Department of Computer
Science and Engineering is run by professor Kangjie Lu.  At least two
students from this program, apparently with the knowledge of the professor,
have been submitting what they refer to as "hypocrite commits" to the core
Linux repository.  (In other words, some form of malware, at least in terms
of the code not being what it purports to be.)

This type of thing is not exactly new.  We know of, and use, red team
attacks, and pen tests of various types.  No less a luminary than Fred Cohen
initially thought that teaching students to write viruses could be
beneficial (although he later changed his mind when he found that the
students weren't learning all that much about security from the exercise).
The University of Calgary had a virus writing program at one time (with
somewhat less control).

But this attempt, while addressing a slightly different aspect of the
concept behind "Reflections on Trusting Trust" and supply chains, seems to
have both fewer controls, and potentially much greater consequences (as well
as a pretty massive disregard for the work of the Linux volunteers *and*
users all over the world).  The students involved seem to have offered some
half-hearted apologies over the issue.

For more details:

The next VanTUG Security Series meeting (4 May 2021, 7 pm [PDT]) is on the
topic of "Infosec Ethics," so this issue is a bit of a gift, and will be used
as one of the main "case studies" for discussion.

A growing problem of 'deepfake geography': How AI falsifies satellite images

Richard Stein <>
Thu, 22 Apr 2021 11:45:40 +0800

"But with the prevalence of geographic information systems, Google Earth and
other satellite imaging systems, location spoofing involves far greater
sophistication, researchers say, and carries with it more risks.  In 2019,
the director of the National Geospatial Intelligence Agency, the
organization charged with supplying maps and analyzing satellite images for
the U.S. Department of Defense, implied that AI-manipulated satellite images
can be a severe national security threat."

Risk: Map source corroboration and authentication.

In bot we trust: People put more faith in computers than other humans (StudyFinds)

geoff goodfellow <>
Sat, 17 Apr 2021 08:07:14 -1000
Do you find yourself reaching for the calculator, even for the *really*
simple math problems? There's a lot of concern these days that technology,
like artificial intelligence, is too smart for its own good. Despite fear
over how intrusive these algorithms are becoming, a new study finds people
are actually more willing to trust a computer than their fellow man.

Researchers at the University of Georgia say this is especially true when
people find tasks too challenging to handle alone. However, it's not just
the “heavy lifting” humans are running to computers for help with. From
choosing the next song in the playlist to finding better fitting pants,
algorithms are making more and more of the *daily decisions in people's
lives*—whether they realize it or not.

“Algorithms are able to do a huge number of tasks, and the number of tasks
that they are able to do is expanding practically every day,” says Eric
Bogert, a Ph.D. student in the Terry College of Business Department of
Management Information Systems, in a *university release*. “It
seems like there's a bias towards leaning more heavily on algorithms as a
task gets harder and that effect is stronger than the bias towards relying
on advice from other people.”

Letting the computer do the work

Researchers evaluated the responses of 1,500 individuals tasked with
counting the people in a series of photographs. The team also supplied
participants with suggestions on how to do this, generated either by other
people or computer algorithms.  [...]

The Incredible Rise of North Korea's Hacking Army (The New Yorker)

Peter Neumann <>
Tue, 20 Apr 2021 10:41:00 PDT

The country's cyberforces have raked in billions of dollars for the regime
by pulling off schemes ranging from ATM heists to cryptocurrency thefts.
Can they be stopped?

$40,000 Swindle Puts Spotlight on Literary Prize Scams (NYTimes)

Gabe Goldberg <>
Sun, 18 Apr 2021 13:56:50 -0400
The organizers of at least five British awards received emails asking them
to transfer prize money to a PayPal account. One of them paid out.

Processes changing for redacting documents (Chesterfield County VA)

Joe Finnegan <>
Tue, 20 Apr 2021 11:52:47 -0400
Yesterday's note from the Superintendent of Chesterfield County, Virginia,
Public Schools.

Redaction, again.

Begin forwarded message:

- - - - - - - - - - -

> From: Chesterfield County Public Schools <>
> Subject: Processes changing for redacting documents
> Date: April 19, 2021 at 12:05:22 EDT

> CCPS UPDATE: Dear Team Chesterfield families,

We recently learned of a defect in a redacted document that allowed one
citizen to access what was thought to be blacked-out student and staff
names. We share concerns that approximately 575 students and 400 staff names
were made accessible as a result of an inadvertent software application
error that allowed a citizen to see the student names that were underneath
the redaction.

After being made aware that the names of COVID-positive students and staff
members listed in a contact-tracing spreadsheet required by the Virginia
Department of Health could be accessed, we immediately began to investigate
the concern.  The citizen who received the defective document said they
immediately destroyed it after recognizing the defect and notified the
school division.

Other redacted public records provided in compliance with Virginia Freedom
of Information Act, the state’s open records law, are being reviewed. We are
in the process of reaching out to the U.S. Department of Education's Student
Privacy Policy Office for additional guidance. We will be in contact with
affected families as appropriate.

We are sorry that this technical error occurred, and already have taken
appropriate steps to change our practice on how information is redacted
moving forward.

Superintendent, Chesterfield County Public Schools

  [Redact Redux?  But not a Red Act?  PGN]

Victory for Fair Use: The Supreme Court Reverses the Federal Circuit in Oracle v. Google (Michael Barclay)

Dewayne Hendricks <>
April 11, 2021 19:50:50 JST
  [via Dave Farber]

Michael Barclay, EFF, 5 Apr 2021

In a win for innovation, the U.S. Supreme Court has held that Google's use
of certain Java Application Programming Interfaces (APIs) is a lawful fair
use. In doing so, the Court reversed the previous rulings by the Federal
Circuit and recognized that copyright only promotes innovation and
creativity when it provides breathing room for those who are building on
what has come before.

This decision gives more legal certainty to software developers' common
practice of using, re-using, and re-implementing software interfaces written
by others, a custom that underlies most of the Internet and personal
computing technologies we use every day.

To briefly summarize over ten years of litigation: Oracle claims a copyright
on the Java APIs—essentially names and formats for calling computer
functions—and claims that Google infringed that copyright by using
(reimplementing) certain Java APIs in the Android OS. When it created
Android, Google wrote its own set of basic functions similar to Java (its
own implementing code). But in order to allow developers to write their own
programs for Android, Google used certain specifications of the Java APIs
(sometimes called the “declaring code”).

APIs provide a common language that lets programs talk to each other. They
also let programmers operate with a familiar interface, even on a
competitive platform. It would strike at the heart of innovation and
collaboration to declare them copyrightable.

EFF filed numerous amicus briefs in this case explaining why the APIs should
not be copyrightable and why, in any event, it is not infringement to use
them in the way Google did. As we've explained before, the two Federal
Circuit opinions are a disaster for innovation in computer software. Its
first decision—that APIs are entitled to copyright protection—ran
contrary to the views of most other courts and the long-held expectations of
computer scientists. Indeed, excluding APIs from copyright protection was
essential to the development of modern computers and the Internet.

Then the second decision made things worse. The Federal Circuit's first
opinion had at least held that a jury should decide whether Google's use of
the Java APIs was fair, and in fact a jury did just that. But Oracle
appealed again, and in 2018 the same three Federal Circuit judges reversed
the jury's verdict and held that Google had not engaged in fair use as a
matter of law.

Fortunately, the Supreme Court agreed to review the case. In a 6-2 decision,
Justice Breyer explained why Google's use of the Java APIs was a fair use as
a matter of law. First, the Court discussed some basic principles of the
fair use doctrine, writing that fair use “permits courts to avoid rigid
application of the copyright statute when, on occasion, it would stifle the
very creativity which that law is designed to foster.”

Furthermore, the court stated:

Fair use “can play an important role in determining the lawful scope of a
computer program copyright . . . It can help to distinguish among
technologies. It can distinguish between expressive and functional features
of computer code where those features are mixed. It can focus on the
legitimate need to provide incentives to produce copyrighted material while
examining the extent to which yet further protection creates unrelated or
illegitimate harms in other markets or to the development of other

In doing so, the decision underlined the real purpose of copyright: to
incentivize innovation and creativity. When copyright does the opposite,
fair use provides an important safety valve.

Justice Breyer then turned to the specific fair use statutory
factors. Appropriately for a functional software copyright case, he first
discussed the nature of the copyrighted work. The Java APIs are a “user
interface” that allow users (here the developers of Android applications)
to “manipulate and control” task-performing computer programs. The Court
observed that the declaring code of the Java APIs differs from other kinds
of copyrightable computer code—it's “inextricably bound together” with
uncopyrightable features, such as a system of computer tasks and their
organization and the use of specific programming commands (the Java “method
calls”). As the Court noted:

Unlike many other programs, its value in significant part derives from the
value that those who do not hold copyrights, namely, computer programmers,
invest of their own time and effort to learn the API's system. And unlike
many other programs, its value lies in its efforts to encourage programmers
to learn and to use that system so that they will use (and continue to use)
Sun-related implementing programs that Google did not copy.

Thus, since the declaring code is “further than are most computer programs
(such as the implementing code) from the core of copyright,” this factor
favored fair use.

Justice Breyer then discussed the purpose and character of the use. Here,
the opinion shed some important light on when a use is “transformative” in
the context of functional aspects of computer software, creating something
new rather than simply taking the place of the original. Although Google
copied parts of the Java API “precisely,” Google did so to create products
fulfilling new purposes and to offer programmers “a highly creative and
innovative tool” for smartphone development. Such use “was consistent with
that creative ‘progress’ that is the basic constitutional objective of
copyright itself.”

The Court discussed “the numerous ways in which reimplementing an interface
can further the development of computer programs,” such as allowing
different programs to speak to each other and letting programmers continue
to use their acquired skills. The jury also heard that reuse of APIs is
common industry practice. Thus, the opinion concluded that the “purpose and
character” of Google's copying was transformative, so the first factor
favored fair use.

Next, the Court considered the third fair use factor, the amount and
substantiality of the portion used. As a factual matter in this case, the
11,500 lines of declaring code that Google used were less than one percent
of the total Java SE program. And even the declaring code that Google used
was to permit programmers to utilize their knowledge and experience working
with the Java APIs to write new programs for Android smartphones. Since the
amount of copying was “tethered” to a valid and transformative purpose,
the “substantiality” factor favored fair use.

Finally, several reasons led Justice Breyer to conclude that the fourth
factor, market effects, favored Google. Independent of Android's
introduction in the marketplace, Sun didn't have the ability to build a
viable smartphone. And any sources of Sun's lost revenue were a result of
the investment by third parties (programmers) in learning and using
Java. Thus, “given programmers' investment in learning the Sun Java API, to
allow enforcement of Oracle's copyright here would risk harm to the
public. Given the costs and difficulties of producing alternative APIs with
similar appeal to programmers, allowing enforcement here would make of the
Sun Java API's declaring code a lock limiting the future creativity of new
programs.” This “lock” would interfere with copyright's basic objectives.

What's Really in Your Water? (Scientific American)

Richard Stein <>
Mon, 19 Apr 2021 11:11:51 +0800

"The intention is to implement this new water test into a format that
nonscientists can easily use; one that is affordable and gives results
within an hour for those who need them most. The technology is far from
ready to sell; there is still much work to do to ensure that the lead tests
are maximally user friendly.

"These tests are different because they harness the power of naturally
occurring sensors from biology. Using tools from the nascent field of
synthetic biology, the sensors can be programmed to change color when a
target chemical is present in water."

Imbibing in a clean sip of water is a human right (see "The Human Right to
Water and Sanitation"), but it is jeopardized by many factors: pollution,
drought, conflict, corruption, etc.

Testing for chemicals, metals, and organics in municipal water is, or used
to be, an exclusive role of governments and their infrastructures.  If one
cannot trust a government to proactively protect citizen health and safety,
why are they elected and empowered?

Enter the consumer to arouse community protests with independent "trust but
verify" evaluation to demand neglected mitigation.

Risk: False positive/negative water test pollutant indicators

Water Safety That Uses Your Mussels

Gabe Goldberg
Mon, 19 Apr 2021 15:00:50 -0400

With just over half a million people, the Polish city of Poznań is the fifth
largest in the nation. Situated on the Warta River, Poznań dates back more
than a century, originally built as a fortress to guard access to the
waterway. Today, the Warta is still an important part of Poznań and the
surrounding areas; it is a major source of drinking water for the nearly 1.5
million people in Poznań's greater metropolitan area.

Which is why these guys are so important.

Yes, those are mussels. And they keep the people of Poznań safe.

Risk? Water pollution? Solution? Quick-reaction mollusks.

Stealthy Dopant-Level Hardware Trojans

Rob Slade
Mon, 19 Apr 2021 11:06:00 -0700

Interesting new paper:

Very early on, in malware research, we looked at hardware trojans and the
limits of the "trusted computing base."  (When I say "early on," I'm talking
about 1988, so I don't know why these guys thought the study didn't start
until 2008.  Kids.  :-)

I also did formal study in gate level circuit design, and worked with
companies that were involved with board and chip manufacturing, so I
understand some of those parts of the paper.

It's an interesting attack, and, yes, it demonstrates that, when dealing
with supply chain and "Reflections on Trusting Trust" issues you have to
perform multiple types of checks, and keep on developing new tests as new
attacks are created.  So, yes, it's a valid attack in the current climate.

It's a pretty specific attack, and would only work on specific types of
hardware.  Fortunately for the authors of the paper, while the attack is
quite specialized, and only works on some applications, those are pretty
important applications, since they deal with high-level crypto, most likely
for military or intelligence purposes.  The attack could be used to create
something that would pass basic tests, but would weaken crypto
implementations (it's always implementation, isn't it?), and possibly also
make the circuitry more susceptible to side channel, covert channel, or
related TEMPEST type attacks.

Once known, of course, the attack could be detectable by extending the
testing of the results produced by the affected circuitry.  But, as I say,
it does show that attacks and defence are constantly moving targets, and
that the concept of the trusted computing base (and, particularly, supply
chain) always needs refining in the real world.

The Postal Service is running a 'covert operations program' that monitors Americans' social media posts (Yahoo!)

Lauren Weinstein
Wed, 21 Apr 2021 11:03:08 -0700

So while DeJoy is decimating mail delivery, putting millions of Americans at
risk from late deliveries—including vital medication prescriptions—the
USPS is instead turning into a social media spy agency. Yes, public social
media posts are public. But where did USPS obtain this authority? Who
controls it? Who oversees it? What happens to the data that they collect?

The Pandemic Proved That Our Toilets Are Crap (WiReD)

Gabe Goldberg
Sun, 18 Apr 2021 22:45:43 -0400

The core technologies for sewage systems were developed over a hundred years
ago. It's time to get better, healthier updates in the pipeline.

Space Junk Removal Is Not Going Smoothly (Scientific American)

Richard Stein
Mon, 19 Apr 2021 18:31:07 +0800

"Despite promising technology demonstrations, there is no one-size-fits-all
solution for the growing problem of taking out the orbital trash."

Good discussion of the orbital junk/trash problem and mitigations.  Includes
interview quotations from Donald Kessler, the originator of the eponymously
named "Kessler Syndrome."

Would ET start a conflict with Earth over anthropogenic space pollution?  They
have a right to claim NIMBY too!

Re: We tested the first state's vaccine passport: Here's what to expect (WashPost, RISKS-32.60)

"John Levine"
17 Apr 2021 22:37:34 -0400

> New York's Excelsior Pass has some solid privacy protections. But it's
> complicated to use and easy to fake.

I read the article and the [WashPost] author apparently doesn't understand
how this thing works.

The pass is a QR code that represents a signed blob of JSON. To get the
code, you visit the state's web site and enter a person's name, birthdate,
zip code, and the date, location, and type of vaccine. As the article says,
you can load it into their app, save it as a picture, or print it out.

The verifier app scans the barcode, checks the signature, and if valid
displays a check, the name and DOB, and says "Verify name and date of birth
by checking their photo ID."

The author seems to think since you can load any pass onto any phone that is
a fake pass. Well, yeah. While it would be hard for a random stranger to
guess my info, I know enough to get my wife's pass and I'd think that
roommates or housemates would know enough to get each other's passes,
too. Hence the clear instructions to check ID. I doubt that many places will
actually check, more likely check that the name and age are plausible for
the person.

I don't know how he thinks they would fix this "problem".  I suppose they
could try to embed a photo into the barcode, but the code is already so big
that it's pushing the limit of what a phone's camera can scan reliably, and
I have no idea where the picture would come from unless he wants a far more
intrusive system where the vaccination record is tied to your driver's
license or something similar.  Ugh.

People have odd mental security models, but that shouldn't come as a
surprise to any of us.
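
The scheme described in the post above, sketched as an added example (not part of the original post, and not the Excelsior Pass code): the signature binds the claims to the issuer, not to a phone or a person, so a copied pass verifies anywhere and only the photo-ID comparison ties it to its holder. As an assumption, HMAC from the Python standard library stands in for the issuer's signature, which a public-key scheme would let the verifier check without holding the signing key; the field names, key and sample data are constructed.

```python
import base64
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # assumption: stand-in for the issuer's signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_pass(name: str, dob: str, vaccine: str, date: str) -> str:
    """Issuer side: serialize the claims and append a tag over those exact bytes."""
    claims = {"name": name, "dob": dob, "vaccine": vaccine, "date": date}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_pass(qr_text: str):
    """Verifier side: return the claims if the tag checks out, else None."""
    try:
        payload_b64, tag_b64 = qr_text.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong field count or malformed base64
        return None
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)

def admit(qr_text: str, photo_id):
    """Door check: signature first, then bind the pass to the person via ID."""
    claims = verify_pass(qr_text)
    if claims is None:
        return "reject: invalid signature"
    if photo_id is None:
        return "valid pass, holder unverified"
    if (claims["name"], claims["dob"]) != (photo_id["name"], photo_id["dob"]):
        return "reject: pass does not match photo ID"
    return "admit"

def tamper_name(qr_text: str, new_name: str) -> str:
    """Change the name inside a pass while keeping the old tag (integrity test)."""
    payload_b64, tag_b64 = qr_text.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["name"] = new_name
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + tag_b64

# Constructed sample pass; any copy of this string verifies identically.
PASS = issue_pass("Pat Example", "1970-01-01", "constructed-vaccine", "2021-04-01")
```

Without the ID comparison, `admit` can only report that the pass is genuine, which is exactly the state a door is in when nobody checks ID.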

Re: Miss'taken assumptions lead to plane incident (RISKS-32.60)

David Lesher
Sun, 18 Apr 2021 16:36:48 -0400

[Overseas software/cultural differences lead to loading issues...]

It occurs to me there is another cultural difference that might well alter
weight & balance predictions.

What is the "standard weight" of a male AMCIT vs. say a Japanese man the
same age, or someone from sub-Saharan Africa?

We already know that the normal assumptions go out the door on an NFL
charter; what about WNBA flights, etc?

Election Systems, Security, and the Future

DrM
Sun, 18 Apr 2021 15:41:42 -0400

A video of the 15 Apr 2021 joint meeting of the Princeton ACM/IEEE Computer
Society's panel session on Election Systems, Security, and the Future has
been posted at <>.

The session's meeting description is as follows:

We have survived another contentious election, and most of our election
technology seemed to work. But we still have many questions about the
future. Do we need to improve the security and resilience of our election
systems? Our special panel will hold a discussion of why we can't be
complacent. What are some of the risks lurking in our current election
technology? What are the most important technical and political issues to be
resolved before our next major election? The event was moderated by Chapter
Chair Dennis Mancl, with panelists Landon Noll and Rebecca Mercuri, plus a
cameo appearance by Peter Neumann.

Infosec Ethics—VSS, 4 May 2021

Rob Slade
Wed, 21 Apr 2021 11:25:39 -0700

As part of the VanTUG Security Series (see ) I'll be doing "Infosec Ethics"
on 4 May.  (Yes, yes, "May the Fourth be with you" and all that.)

I'd like to invite anyone who can to attend, and participate.  Because this
one in particular is probably going to need some input and discussion.  I've
got a list of ethics "case studies" as some discussion starters.

Meeting time, May 4, 7 PM (Pacific).  Meeting link:
