The RISKS Digest
Volume 32 Issue 62

Sunday, 25th April 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


China's domestic surveillance programmes benefit foreign spies
The Economist
Two cases of two+two - 777 & ETOPS
David Lesher
AS8003 or What IPV4 shortage??
Eversource Energy data breach caused by unsecured cloud storage
Jan Wolitzky
Believe the computer, and Do Not Pass Go.
The Register
Researchers Uncover Advertising Scam Targeting Streaming-TV Apps
Apple's new Find My Network application enables third-party tracking
Apple's Ransomware Mess Is the Future of Online Extortion
Apple sued for terminating account with $25,000 worth of apps and videos
Ars Technica
Now for AI's Latest Trick: Writing Computer Code
Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life
Craig Timberg and Paul Sonne
Re: Fiery Tesla crash with no one driving
Henry Baker
Re: In bot we trust: People put more faith in computers than other humans
John Levine
Info on RISKS (comp.risks)

China's domestic surveillance programmes benefit foreign spies (The Economist)

Ross Anderson <>
Sun, 25 Apr 2021 21:30:32 +0100

An aversion to encryption makes the country's networks vulnerable
  [This item is relevant to China, but also to every other country!  PGN]

In March Elon Musk, the world's third-richest man, spoke to a conference in
Beijing by video link. The cars that Tesla sells in China do not, Mr Musk
insisted, share data with American security services. He was responding to
the news that the Chinese armed forces had banned Teslas from their
facilities over such concerns. A month later the firm took to Chinese social
media to assure customers that the numerous cameras in their vehicles were
“not activated outside North America,'' and so could not be used to snoop.

Concerns about security define the trade of technology between America and
China. Most attention is focused on the extent to which Chinese giants such
as TikTok and Huawei might be infiltrating America for nefarious
purposes. But China has had concerns of its own. After the contours of
American surveillance were laid bare in 2013 by Edward Snowden, a National
Security Agency (NSA) contractor and whistleblower, the Chinese government
began a campaign to replace all Western technology in government offices,
lest it be used to spy. The brouhaha over Tesla's cars shows how much
security concerns have grown in the decade since Mr Snowden's
revelations. As connectivity becomes part of more consumer products,
paranoia about their other uses rises.

China's suspicion contains an irony, however. Removing Western devices from
Chinese networks will not keep China secure from its adversaries, because
the Chinese government itself insists upon weakening the security of those
networks and devices for its own purposes. Though America tends to
hyperventilate about Chinese intrusion, it is China whose digital security
is more precarious.

This is because of the Chinese government's insistence on being able to
monitor and control the information that flows through the country's digital
networks. For instance, all messages sent on WeChat, China's most widely
used messaging application, must pass through central servers as plain text,
unencrypted, so that the company can filter and censor them according to the
government's requirements.  This makes those servers a ripe target for any
foreign agents who want to spy on Chinese citizens, who between them have
more than a billion WeChat accounts.

Tencent, the app's corporate owner, must build elaborate digital-security
systems to allow it to keep inspecting its users' messages while
simultaneously denying that ability to attackers. That is a difficult
task. “If I were a Western intelligence agency, those servers would be
incredibly valuable,” says Matthew Green, a cryptography expert at Johns
Hopkins University.

Weak security is the rule, not the exception, in digital services for the
Chinese public. Email and social media must all facilitate state access, as
must industrial networks used to run factories and offices, even if the
extent to which the government uses that access varies. In August it banned
the most up-to-date version of a protocol used to encrypt web traffic, known
as TLS, from the Chinese Internet, because it makes online surveillance

The government has different security standards for itself, but these are
secret. Speculation about the devices and systems that senior party members
use to communicate is common. In 2013 Peng Liyuan, the wife of President Xi
Jinping, was photographed using an iPhone, one of the few devices available
in China which does offer a measure of security through its iMessage
program. It was news around the world.  Within a year Ms Peng was seen using
a Chinese device.

Internet users in China have long objected to the low standards of data
protection. Online crime and leaked databases are rife. Last year someone
stole the account details for all 538m users of Sina Weibo, a microblog, and
posted them on the dark web for sale. The government has responded by
promoting programs for companies to improve customer-data protection, even
as it simultaneously enforces weakness in the security of all systems. But
as long as the government demands access to data on Chinese people, those
data can never be robustly protected.

Though the American government does not publicise its cyber-operations,
leaks demonstrate their extent. The documents provided to journalists by Mr
Snowden show that the NSA found its way inside Huawei's networks starting in
2007, looking for evidence they were being used as a back door by the
Chinese government (if it found any, it was never made public). There is
little question that spy agencies in America and other countries use China's
weak security to their advantage.

China's jeopardy increases as the value of data which flow through poorly
secured networks goes up, both in economic and national-security terms. The
Chinese government's plan for economic growth ensures that this is what will
happen. It plans to expand its digital economy, automating factories and
creating smart-transport infrastructure. As with WeChat, if the government
wishes to monitor these systems, it will build them to be less secure than
they could be and so vulnerable to foreign interference in a way that
equivalent networks in the West do not have to be.

“The Chinese government knows the trade-off,” says Matt Perault, a
technology-policy scholar at Duke University in North Carolina. “They are
willing to bear it, which suggests that they are willing to tolerate a
significant amount of foreign surveillance on their citizens.”

The government's calculation is unlikely to change. Its focus on
surveillance and censorship of its own people is growing. But the tension
between security against enemies within and those without will
intensify. Cyber-attacks using weaknesses that the government itself has
demanded might prove embarrassing. If the stand-off with Taiwan were to
escalate, China's weak security would be a serious disadvantage. And the
more entrenched its reliance on surveillance and censorship becomes, the
harder it will be to remove the weakness on which that control is built,
should the day ever come when it no longer believes the trade-off

This article appeared in the China section of the print edition under the
headline "Watching them watching you"

Two cases of two+two - 777 & ETOPS

David Lesher <>
Sat, 24 Apr 2021 16:23:22 -0400
Airlines have been moving from 3 & 4-engine airframes such as the DC-10 &
747 to newer twins (757, 767, 777 etc.) for many years. The reason is
compelling: lower fuel consumption. Years earlier, they shed flight
engineers/navigators as navigation got easier and aircraft got more

But they are constrained by ICAO/FAA limitations as to how far they can be
away from the nearest suitable runway; officially this is "Extended-range
Twin-engine Operations Performance Standards" or ETOPS.  Given the usual
relevant case is trans-oceanic flight, it's popularly called "Engines Turn,
or Passengers Swim.."

Airlines/aircraft must be certified for ETOPS; this involves specific rules
such as no mechanic shall work on both engines, (This because of the Eastern
855 case
and multiple other safeguards.

There are various grades of ETOPS, extending the time allowed to reach the
safe airport. The fantastic Great Circle Mapper covers the ETOPS program
<> and allows you see airspace off-limits for
each level.

Two 777's have had violent PW4077 engine failures; UAL1175 in 2018 (NTSB
DCA18IA092), and UAL328 earlier this year after departing Denver. In both
cases, large parts of engine shroud/fairings were ejected; the 328 crew
returned to Denver without major difficulties.

But UAL1175 was 120 miles out from Honolulu. It also lost many aspects of
automation; the autopilot and other important tools failed. An interview
with the captain of 1175 at <> is telling; the
crew had their hands full getting their marginally controllable aircraft to
HNL for a safe landing. And Captain Chris Behnam was emphatic about how
vital the jumpseat occupant, a third 777 pilot, had been to their successful

Two risks come to mind. Does ETOPS, conceived years ago, sufficiently cover
the issue of engine failures that shed aerodynamically important parts, and
may well hit the elevators and/or tail as they do? [In theory, the cowling
shall contain any broken parts within, but...] Large aircraft are designed
and built for the lowest drag, yep, fuel efficiency again. But when you have
a large airbrake flapping on the wing...

Will a 2-person crew have enough human-MIPS to deal with cascading failures
& their alarms? Another case of this is QF32's engine failure.
<> And will they
have enough recent experience in hand-flying/"steam gauges" to cope with
such failures? Capt. Behnam is a active general aviation pilot; I don't know
about his co-pilot and jump-seater.

AS8003 or What IPV4 shortage?? (kentik)

David Lesher <>
Sat, 24 Apr 2021 12:47:35 -0400
On 20 Jan 2021, a great mystery appeared in the Internet's global routing
table. An entity that hadn't been heard from in over a decade began
announcing large swaths of formerly unused IPv4 address space belonging to
the U.S. Department of Defense. Registered as GRS-DoD, AS8003 began
announcing among other large DoD IPv4 ranges.  ...  The questions
that started to surface included: Who is AS8003? Why are they announcing
huge amounts of IPv4 space belonging to the U.S.  Department of Defense? And
perhaps most interestingly, why did it come alive within the final three
minutes of the Trump administration?

By late January, AS8003 was announcing about 56 million IPv4 addresses,
making it the sixth largest AS in the IPv4 global routing table by
originated address space. By mid-April, AS8003 dramatically increased the
amount of formerly unused DoD address space that it announced to 175 million
unique addresses.

Following the increase, AS8003 became, far and away, the largest AS in the
history of the Internet as measured by originated IPv4 space. By comparison,
AS8003 now announces 61 million more IP addresses than the now-second
biggest AS in the world, China Telecom, and over 100 million more addresses
than Comcast, the largest residential Internet provider in the U.S.  [...]


Eversource Energy data breach caused by unsecured cloud storage

Jan Wolitzky <>
Sat, 24 Apr 2021 20:11:46 -0400
I received a letter the other day from Eversource, the regional gas and
electric utility company here in Eastern Massachusetts:

  "We are writing to inform you about the exposure of certain personal
  information.... The following personal information was involved in the
  incident: your name, address, phone number, social security number,
  utility account number and service address in Massachusetts and billing
  address....  On March 16, 2021, we discovered that a Company cloud storage
  site had been misconfigured so that its files could have been publicly

As required, they offered two years of credit monitoring, through a company
called Cyberscout.  I went to the website provided to sign up, but around
the point where they asked for my Social Security number, I got suspicious.
How hard would it be to send a mass mailing on utility company letterhead,
warning people of a non-existent data breach, and sending them to some
website to sign up for credit monitoring, thereby quickly collecting all the
information you'd otherwise have to wait for a careless utility company to

A Google search turned up a few reports on minor cybersecurity sites, but
nothing on the Eversource site, or the Boston Globe, e.g.  Hmmm....

Believe the computer, and Do Not Pass Go. (The Register)

David Lesher <>
Sun, 25 Apr 2021 00:51:16 -0400
In the UK, 39 Post Office employees convicted for theft have now been

A Fujitsu-provided Post Office accounting system named Horizon had shown the
employees were responsible for significant shortfalls. Some were imprisoned.
It took years for the truth to emerge, that Horizon had significant bugs.

Despite that:

  Post Office awards Fujitsu a £42.5m contract extension for the IT system
  behind wrongful subpostmaster prosecutions


Researchers Uncover Advertising Scam Targeting Streaming-TV Apps (WSJ)

ACM TechNews <>
Fri, 23 Apr 2021 12:02:24 -0400 (EDT)
Patience Haggin and Jeff Horwitz, *The Wall Street Journal*, 21 Apr 2021
via ACM TechNews, 23 Apr 2021

Nearly 1 million mobile devices were infected with malware that emulated
streaming-TV applications and collected revenue from unwitting advertisers,
according to researchers at cybersecurity firm Human Security. The
researchers said the orchestrators of this so-called "Pareto" scheme spoofed
an average of 650 million ad placement opportunities daily in online ad
exchanges, stealing money intended for apps available on streaming-TV
platforms run by Roku,, Apple, and Google. The creator of 29 apps
underpinning the fraud was identified as TopTop Media, a subsidiary of
Israel-based M51 Group. The analysts said the operation could be thwarted if
digital ad companies strictly followed industry guidance for tracking the
origins of traffic and deployed certain security measures. Human Security's
Michael McNally said, "Measurement and security companies will just play
whack-a-mole, as long as the industry hasn't upgraded to better defenses."

Apple's new Find My Network application enables third-party tracking (MacRumors)

Amos Shapir <>
Sat, 24 Apr 2021 12:14:56 +0300
Apple announced a new Find My network accessory program available on the new
release of iOS 14.  A new feature is that "... if you lose an item and
someone else with an Phone, iPad, or Mac comes close to it, it can
communicate with their device with the approximate location of the item
relayed securely and privately back to you".

Of course, Apple assures us that this network of little snitchers will only
track your devices when *you* tell them to, and report their location only
to *you*, "securely and privately".

Apple's Ransomware Mess Is the Future of Online Extortion (WiReD)

Gabe Goldberg <>
Sat, 24 Apr 2021 01:01:25 -0400
This week, hackers stole confidential schematics from a third-party supplier
and demanded $50 million not to release them.

Apple sued for terminating account with $25,000 worth of apps and videos (Ars Technica)

Monty Solomon <>
Fri, 23 Apr 2021 17:19:52 -0400
Lawsuits claim people don't truly own content they purchase on digital
platforms.  Apple is facing two class-action lawsuits over the meaning of
the words *rent* and *buy*.

In the first suit, lead plaintiff David Andino argues that Apple's
definition of the two words is deceptive since the company can terminate
people's Apple IDs and, along with them, access to content they purchased
using the *buy* button. Thus, Andino is arguing that Apple allows consumers
to rent content rather than purchase it outright. If he had known that his
access could be cut off at any time, he says he would have not spent as much
on iTunes content.  [...]

Now for AI's Latest Trick: Writing Computer Code (WiReD)

Gabe Goldberg <>
Sat, 24 Apr 2021 01:09:55 -0400
Programs such as GPT-3 can compose convincing text. Some people are using
the tool to automate software development and hunt for bugs.

Brendan Dolan-Gavitt, an assistant professor in the Computer Science and
Engineering Department at NYU, says language models such as GPT-3 will most
likely be used to help human programmers. Other products will use the models
to “identify likely bugs in your code as you write it, by looking for
things that are *surprising* to the language model,'' he says.  [...]

Dolan-Gavitt, the NYU professor, says the nature of the language models
being used to generate coding tools also poses problems. “I think using
language models directly would probably end up producing buggy and even
insecure code,” he says. “After all, they're trained on human-written code,
which is very often buggy and insecure.''

What fun—being second-guessed in real time by software that doesn't
understand my code, and software written to emulate that of a million
monkeys (programmers).

Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life (Craig Timberg and Paul Sonne)

Dewayne Hendricks <>
April 25, 2021 1:09:28 JST
After decades of not using a huge chunk of the Internet, the Pentagon has
given control of millions of computer addresses to a previously unknown
company in an effort to identify possible cyber vulnerabilities and threats

Craig Timberg and Paul Sonne, *The Washington Post*, 24 Apr 2021

While the world was distracted with President Donald Trump leaving office on
Jan. 20, an obscure Florida company discreetly announced to the world's
computer networks a startling development: It now was managing a huge unused
swath of the Internet that, for several decades, had been owned by the
U.S. military.

What happened next was stranger still.

The company, Global Resource Systems LLC, kept adding to its zone of
control. Soon it had claimed 56 million IP addresses owned by the
Pentagon. Three months later, the total was nearly 175 million. That's
almost 6 percent of a coveted traditional section of Internet real estate --
called IPv4—where such large chunks are worth billions of dollars on the
open market.

The entities controlling the largest swaths of the Internet generally are
telecommunications giants whose names are familiar: AT&T, China Telecom,
Verizon. But now at the top of the list was Global Resource Systems—a
company founded only in September that has no publicly reported federal
contracts and no obvious public-facing website.

As listed in records, the company's address in Plantation, Fla., outside
Fort Lauderdale, is a shared workspace in an office building that doesn't
show Global Resource Systems on its lobby directory. A receptionist at the
shared workspace said Friday that she could provide no information about the
company and asked a reporter to leave. The company did not respond to
requests for comment.

The only announcement of Global Resources Systems' management of Pentagon
addresses happened in the obscure world of Border Gateway Protocol (BGP) --
the messaging system that tells Internet companies how to route traffic
across the world. There, messages began to arrive telling network
administrators that IP addresses assigned to the Pentagon but long dormant
could now accept traffic—but it should be routed to Global Resource

Network administrators began speculating about perhaps the most dramatic
shift in IP address space allotment since BGP was introduced in the 1980s.

“They are now announcing more address space than anything ever in the
history of the Internet,'' said Doug Madory, director of Internet analysis
for Kentik, a network monitoring company, who was among those trying to
figure out what was happening. He published a blog post on the mystery
Saturday morning.

The theories were many. Did someone at the Defense Department sell off part
of the military's vast collection of sought-after IP addresses as Trump left
office? Had the Pentagon finally acted on demands to unload the billions of
dollars worth of IP address space the military has been sitting on, largely
unused, for decades?

An answer, of sorts, came Friday.

The change is the handiwork of an elite Pentagon unit known as the Defense
Digital Service, which reports directly to the secretary of defense. The DDS
bills itself as a “SWAT team of nerds'' tasked with solving emergency
problems for the department and conducting experimental work to make big
technological leaps for the military.

Created in 2015, the DDS operates a Silicon Valley-like office within the
Pentagon. It has carried out a range of special projects in recent years,
from developing a biometric app to help service members identify friendly
and enemy forces on the battlefield to ensuring the encryption of emails
Pentagon staff were exchanging about coronavirus vaccines with external

Brett Goldstein, the DDS's director, said in a statement that his unit had
authorized a “pilot effort'' publicizing the IP space owned by the

“This pilot will assess, evaluate and prevent unauthorized use of DoD IP
address space,'' Goldstein said. “Additionally, this pilot may identify
potential vulnerabilities.''

Goldstein described the project as one of the Defense Department's “many
efforts focused on continually improving our cyber posture and defense in
response to advanced persistent threats. We are partnering throughout DoD to
ensure potential vulnerabilities are mitigated.''

The specifics of what the effort is trying to achieve remain unclear. The
Defense Department declined to answer a number of questions about the
project, and Pentagon officials declined to say why Goldstein's unit had
used a little-known Florida company to carry out the pilot effort rather
than have the Defense Department itself “announce'' the addresses through
BGP messages—a far more routine approach.

What is clear, however, is the Global Resource Systems announcements
directed a fire hose of Internet traffic toward the Defense Department
addresses. Madory said his monitoring showed the broad movements of Internet
traffic began immediately after the IP addresses were announced Jan. 20.

Madory said such large amounts of data could provide several benefits for
those in a position to collect and analyze it for threat intelligence and
other purposes.

The data may provide information about how malicious actors operate online
and could reveal exploitable weaknesses in computer systems. In addition,
several Chinese companies use network numbering systems that resemble the
U.S. military's IP addresses in their internal systems, Madory said. By
announcing the address space through Global Resource Systems, that could
cause some of that information to be routed to systems controlled by the
U.S. military.

The data could also include accidental misconfigurations that could be
exploited or fixed, Madory said.

“If you have a very large amount of traffic, and someone knows how to go
through it, you'll find stuff,'' Madory added.

Re: Fiery Tesla crash with no one driving (RISKS-32.61)

Henry Baker <>
Sat, 24 Apr 2021 10:16:11 -0700
  Re: first responders had to use 30,000 gallons of water over four hours to
  put out the fire

Let's see; my high school chemistry is a bit rusty, but here goes: a Tesla
might have 85Kwh battery; typical fireplace fire is 1500 watts, so a fully
charged Tesla could replace a fireplace burning for 2.4 *DAYS*.

Lithium metal floats on water.

Good cooks know that you can't extinguish a grease fire with water, because
(duh!) grease floats on water!

Lithium reacts with water, generating a lot of heat, but not quite fast
enough to melt the lithium. You can try to cool the lithium, but even cold
lithium will continue to react with water.

Worse, lithium steals the oxygen from water, leaving hydrogen gas, which
burns w/o giving off visible light.  So, pouring water onto lithium is like
pouring gasoline onto a really hot fire you can't see.

Only 4 hours and only 30,000 gals of water? They're lucky.

When you've dug yourself into a hole, first order of business is to stop

Re: In bot we trust: People put more faith in computers than other humans (StudyFinds)

"John Levine" <>
24 Apr 2021 10:34:49 -0400
Life imitates art.  Isaac Asimov wrote "The Feeling of Power" in 1957:

Please report problems with the web pages to the maintainer